Unable to load Private Key

Question:

I am new to SSL/OpenSSL and I’m working on Windows 7. I’m trying to configure HTTPS for my ElasticBeanstalk environment following these instructions.

I’m at Step 2 in “Create a Private Key”. After I issue the command to generate the key pair:

I get:

However, it does write a key to my directory. But after the second command:

I get:

I’ve tried Googling this a bit, but none of the solutions I’ve found seem to be relevant for me. I checked the generated key and it looks like

What am I doing incorrectly?

Answer:

unable to load Private Key
6312:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: ANY PRIVATE KEY

I ran your commands on OS X, and I could not reproduce the results.

I did use the -config option because I have an “OpenSSL server config template” that makes it easy to generate CSRs and self-signed certificates:

The configuration file is named example-com.conf, and you can find it at How do I edit a self signed certificate created using openssl xampp?. Edit it to suit your taste (in particular, the DNS names).

If interested, here’s the OpenSSL man pages on the req sub-command.


I checked the generated key and it looks like

-----BEGIN RSA PRIVATE KEY-----
{lots of characters}
-----END RSA PRIVATE KEY-----

You can validate the key you just created with:


unable to write ‘random state’

This is a well-known problem. OpenSSL uses a default configuration file. You can locate the configuration file with correct location of openssl.cnf file.

The default configuration file includes these lines:

To save the random file, you should point HOME and RANDFILE to a valid location. On Windows, you type set HOME=... and set RANDFILE=... in the command prompt. Or better, change it in the OpenSSL configuration file you use.

Also see How to fix “unable to write ‘random state’ ” in openssl and How do I make OpenSSL write the RANDFILE on Windows Vista?.


I’m trying to configure HTTPS for my ElasticBeanstalk environment following these instructions.

The instructions are wrong in the image below. Do not place a DNS name in the Common Name (CN).


Placing a DNS name in the Common Name is deprecated by both the IETF (the folks who publish RFCs) and the CA/B Forum (the cartel where browsers and CAs collude). You should pay particular attention to what the CA/B recommends because browsers and CAs come up with those rules, and the browsers follow them (and they don’t follow the RFCs). For reference, see RFC 5280, RFC 6125 and the CA/B Baseline Requirements.

Instead, place DNS names in the Subject Alternative Name (SAN). Both the IETF and the CA/B specify it.

The custom OpenSSL configuration file handles this for you. You just have to change the DNS names listed under the section [ alternate_names ]. For example, here’s a set of names set up for the domain example.com. Notice there is no DNS name in the CN:

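Added example, not part of the original answer and not the answer's own example-com.conf: a small POSIX shell script that walks through the points made above. It writes a request config whose DNS names sit under [ alternate_names ] (the SAN) with only a friendly name in the CN and RANDFILE pointed at a writable location, generates the key and CSR with -config, validates the key, inspects the CSR for its SAN and CN, and finally reproduces the "unable to load Private Key" failure on a copy of the key whose "-----BEGIN ... PRIVATE KEY-----" line has been removed (PEM_read_bio needs that line to find the start of the object). The domain example.com, the section and field names, and the file names are illustrative assumptions; the openssl CLI must be installed. The openssl commands themselves are the same on Windows, only the surrounding shell syntax differs.

```shell
#!/bin/sh
# Added example (not from the original post): DNS names in the SAN, a plain CN,
# key check, CSR inspection, and the "no start line" failure reproduced.
# Assumptions: example.com and all section/field/file names are illustrative.
set -eu

WORK="$(mktemp -d)"
CONF="$WORK/example-com.conf"
KEY="$WORK/example-com.key"
CSR="$WORK/example-com.csr"

write_config() {
  cat > "$CONF" <<'EOF'
# Writable seed file, so old releases do not report "unable to write 'random state'"
# (OpenSSL 1.1.1 and later no longer need this).
RANDFILE = ./.rnd

[ req ]
default_bits        = 2048
default_md          = sha256
prompt              = no
encrypt_key         = no
string_mask         = utf8only
distinguished_name  = subject
req_extensions      = req_ext

[ subject ]
countryName         = US
organizationName    = Example, LLC
# A friendly name only: the DNS names go in the SAN below, not in the CN.
commonName          = Example Company

[ req_ext ]
basicConstraints    = CA:FALSE
keyUsage            = digitalSignature, keyEncipherment
extendedKeyUsage    = serverAuth
subjectAltName      = @alternate_names

[ alternate_names ]
DNS.1 = example.com
DNS.2 = www.example.com
DNS.3 = mail.example.com
EOF
}

# Generate key and CSR with -config; run inside WORK so the relative RANDFILE lands there.
gen_key_and_csr() {
  ( cd "$WORK" && openssl req -new -config "$CONF" -keyout "$KEY" -out "$CSR" >/dev/null 2>&1 )
}

# Validate a private key file; the exit status says whether OpenSSL could load it.
check_key() {
  openssl rsa -in "$1" -check -noout >/dev/null 2>&1
}

# Number of DNS entries in the CSR's Subject Alternative Name extension.
csr_san_count() {
  openssl req -in "$CSR" -noout -text | grep -o 'DNS:[^,[:space:]]*' | wc -l | tr -d ' '
}

# The CN as the CSR carries it; it should be a name, not a host.
csr_cn() {
  openssl req -in "$CSR" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Reproduce the question's error: drop the "-----BEGIN ... PRIVATE KEY-----" line.
# Without a BEGIN line PEM_read_bio has no start line, so the key cannot be loaded.
make_broken_key() {
  tail -n +2 "$KEY" > "$WORK/broken.key"
  echo "$WORK/broken.key"
}

if command -v openssl >/dev/null 2>&1; then
  write_config
  gen_key_and_csr
  check_key "$KEY" && echo "key loads and passes -check"
  echo "SAN entries: $(csr_san_count); CN: $(csr_cn)"
  BROKEN="$(make_broken_key)"
  echo "loading a key with no BEGIN line:"
  openssl rsa -in "$BROKEN" -noout 2>&1 | head -n 2 || true
else
  echo "openssl not found; nothing to run" >&2
fi
```

Running the script prints three SAN entries and the CN "Example Company", then the load error for the stripped copy. The same check works on the question's key file: if openssl rsa -check cannot load it, look at the first bytes of the file (a missing or mangled "-----BEGIN" line, or a non-ASCII encoding such as UTF-16) before suspecting the key material itself.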