Issue converting privkey.pem to privkey.crt


I am moving a server behind a Windows FW and need to convert my pem files to crt. Out of the 4 received files from LE (privkey,fullchain. chain, cert) all converted well using opensll except the privkey one. When trying to view the certificate using openssl I either get:
unable to load certificate
139713812305560:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:701:Expecting: TRUSTED CERTIFICATE

unable to load certificate
140200659060376:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1197:
140200659060376:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:374:Type=X509

Any idea what could be the problem?

Thank you.

The private key isn’t a certificate. Only the certificate (in cert.pem) is a certificate.

I don’t believe that crt is actually a different format from pem; it’s just a different file extension. You should be able to “convert” to crt just by renaming the files.

If you’re trying to put this on Windows, usually you need a PKCS12 format (known commonly as PFX) that holds both certificate and key:

openssl pkcs12 -export -in certificate.pem -inkey certificate.key -out certificate.pfx

I’d look up actual formats (.crt doesn’t really mean anything) if you’re not sure and let us know exactly what format you’re trying to convert to.

Hi! Thanks for getting back to me. The file content is really different and not only the extension differs but the content too. I’ve seem online converters as well but I’m (REALLY) hesitating to try my private key in anything online…


Well MS ISA seems to want crt files but I’m willing to try something else. In your openssl line what is the .key file? is it fullchain.pem or privkey.pem?

Also the command asks for a password. What is that?

Thank you.

Again, the file extension doesn’t really mean much. It’s sort of like
saying a txt file without specifying what language the contents are written
in. Not having experience with ISA, I know pfx files are one of the more
common ways of importing certs to Microsoft things, so it seems like e a
good start.

So, if giving this a shot, the -key flag would refer to privkey.pem. The
password it asks for is an export protection. The PKCS format (pfx) allows
you to set a key on the exported file to protect it, since it contains a
private key.

I checked the ISA documentation and it uses certificates from the Windows certificate store just like IIS. So you do need to generate a PKCS12 file as @jared.m suspected. It really doesn’t matter what the extension is; end it with .crt or switch the filter to All Files (*.*) and Windows will import it as long as it’s a valid PKCS12 file.

If possible, you might want to consider using a Windows client to get the certificate on the ISA server. They all will put the certificate in the Windows certificate store for you so all you have to do is edit the bindings, no conversions or importing needed.


Thank you all for the help. The password thing was indeed “creating” a new password and not asking me for an existing one (which is what I thought…). I did the combination for the 2 files and made my pfx file, then gave it to whoever is maintaining that ISA server. All is working (or almost - we’re having different port issues but that is not LE related at all).

Next I indeed need to get a Windows client running.

Thank you again.

1 Like

Glad you got it working!

I apologize for suggesting a Windows client twice!!! I remember I did so in a previous thread now. I’m sure you get it. :grinning:

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.