Forum Discussion

tarma_58716
Jun 27, 2011

"ASN1_CHECK_TLEN:wrong tag" when importing a PEM certificate

Hi all

I'm having an issue importing a certificate into the F5.

When I import the certificate, I'm having this error message: "Import Failed: Open SSL error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag"

The certificate file began with:

---BEGIN CERTIFICATE---------------------

Proc-Type: 4, ENCRYPTED

DEK-Info: DES-EDE3-CBC,F488....

(And here the certificate code)

-----------END CERTFICATE------

Do I need to do something with OpenSSL before importing the file?

How can I import it?

Thanks in advance for your help.

  • Finally I used openssl to transform the SSL certificate from PEM to DER and it worked fine.

  • nathe

    Here's an example:

    openssl x509 -inform PEM -outform DER -in server.pem -out server.der

  • Thank you sir, but I am really not familiar with that. What I have is a .cer file and a .crt file, but my issue is the same as what you had in this post.

    I am really a newbie with this type of subject, certificates, :D

  • lkchen

    Interesting...I got this error today, while trying to update device certificate on our vCMP (standalone) hosts.

    I started to do the conversion to DER, when I took another look and noticed that my files have .key before .cer (PEM)...due to how the files got named.

    fully.qualified.name_server.key
    fully_qualified_name_server.cer
    

    Trying again, paying careful attention to which went into which section... and this time the PEM version worked without this error. 🙂

    Still trying to figure out what I should do about the vCMP pairs.

    LKC

  • In my case, the error was due to the string format of the PEM file. Converting directly from array to string without line breaks does not work so those had to be added.

    Using powershell I managed to solve it like this:

    Function Import-KeyToF5 {
    
        Param($F5, $KeyPEM, [string]$KeyName)
    
        $ManagementModetype = New-Object iControl.ManagementKeyCertificateManagementModeType
        $SecurityType = New-Object iControl.ManagementKeyCertificateSecurityType
    
        $F5.ManagementKeyCertificate.key_import_from_pem_v2($ManagementModetype, @($KeyName), @($KeyPem), $SecurityType, @(""), $true)
    
    }
    
    # Convert the PEM key from an array of strings to a string with line breaks
    $TempPem = $KeyPEM -join "`n"
    
    Import-KeyToF5 -F5 $f5 -KeyPEM ([string]$TempPem) -KeyName "star.test.test.key"
    

    Hope it helps someone!

    /Patrik

  • This error is due to invalid certificate format.

    Additional or trailing spaces

    Installing a certificate format other than X.509

    Solution

    To resolve this issue:

    Download the X.509 version of the certificate from the RapidSSL portal. Make sure the file has no trailing or leading spaces within the certificate file.


    We solved the issue while trying to add SSL to ginstr business apps platform.
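
The causes reported across this thread (a key file placed in the certificate field, a PEM string joined without line breaks, stray whitespace, and encrypted-key headers inside the block) can be checked before import. The Python pre-flight check below is an added example, not code from any poster or from F5; `check_pem` and the sample data are hypothetical names, and it inspects PEM structure only, not certificate validity.

```python
import base64
import re

# Boundary lines carry exactly five dashes on each side of the label.
BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
END = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")

# Constructed sample: a 5-byte DER SEQUENCE, not a real certificate.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x00])
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(SAMPLE_DER).decode()
    + "\n-----END CERTIFICATE-----\n"
)

def check_pem(text, expected_label="CERTIFICATE"):
    """Return a list of findings; an empty list means the structure looks sane."""
    findings = []
    lines = text.splitlines()
    if any(l != l.strip() for l in lines):
        findings.append("leading or trailing whitespace on a line")
    lines = [l.strip() for l in lines if l.strip()]
    if len(lines) < 3:
        return findings + ["no line breaks between boundaries and body"]
    begin, end = BEGIN.match(lines[0]), END.match(lines[-1])
    if not begin or not end:
        return findings + ["malformed BEGIN/END boundary line"]
    if begin.group(1) != end.group(1):
        findings.append("BEGIN and END labels differ")
    if begin.group(1) != expected_label:
        findings.append(f"label is {begin.group(1)!r}, expected {expected_label!r}")
    body = lines[1:-1]
    if any(":" in l for l in body):
        # Proc-Type / DEK-Info headers are what OpenSSL writes for encrypted
        # traditional-format private keys; a certificate body has none.
        return findings + ["encapsulated headers present: encrypted key, not a certificate"]
    try:
        der = base64.b64decode("".join(body), validate=True)
    except ValueError:
        return findings + ["body is not valid base64"]
    if not der or der[0] != 0x30:
        findings.append("DER does not start with a SEQUENCE tag (0x30)")
    return findings
```

Pass `expected_label="RSA PRIVATE KEY"` (or whichever label the key file uses) when checking the file destined for the key field.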