Hello openssl people, I am trying to read a private key of a certificate into memory using d2i_RSAPrivateKey. I'm able to read the certificate without a problem, but when I pass the private key to d2i_RSAPrivateKey, it fails to parse. I do not see an error message or errno being set - d2i_RSAPrivateKey simply returns NULL. I've generated a self-signed cert which reproduces the problem, and I've attached it to this message (this is a throwaway cert, not in use for anything, so I'm knowingly sending the private key). The command I used to generate this cert and its key was: openssl req -x509 -newkey rsa:1024 -keyout key.pem -out cert.pem -days 36500 -nodes -outform PEM I have another cert where the private key *is* parseable by d2i_RSAPrivateKey. I printed out both certs from the command line, and compared them. They appear almost identical. The only difference I see is that when I print the attached unparseable cert, the Signature Algorithm section has 8 lines of hex. In the parseable cert, I see 15 lines of hex. Both certs use sha1WithRSAEncryption as the algorithm, with 1024 bits. Can anyone help me understand why the private key in the attached cert is not readable by d2i_RSAPrivateKey? I'm running these tests on a Mac, but the same thing happens on Ubuntu Linux. Thank you, David Printout of the attached cert, which fails to parse with d2i_RSAPrivateKey: MacBook-Air:self_signed dlobron$ openssl x509 -in cert.1024.combined -text -noout Certificate: Data: Version: 3 (0x2) Serial Number: 17702003413458844255 (0xf5aa2650b7f77a5f) Signature Algorithm: sha1WithRSAEncryption Issuer: C=US, ST=Massachusetts, L=Cambridge, O=Akamai Technologies, OU=KMI, CN=akamai.normandy_authority.client_gateway_ca.1/emailAddress=dlobron at akamai.com Validity Not Before: Oct 8 15:47:30 2015 GMT Not After : Jan 16 15:47:30 2016 GMT Subject: C=US, ST=Massachusetts, L=Cambridge, O=Akamai Technologies, OU=KMI, CN=akamai.normandy_authority.client_gateway_ca.1/emailAddress=dlobron at akamai.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (1024 bit) Modulus: 00:c2:33:df:d8:cb:c9:6e:a4:98:f0:b7:b1:06:51: 77:f8:6c:36:4b:f3:ab:fc:09:ab:98:13:d5:0a:03: 63:31:c4:ce:6f:02:12:b5:c4:4c:83:17:39:c2:b8: 27:89:a5:80:56:36:72:19:8b:9a:dd:e5:e2:22:60: 53:96:f9:4d:c0:f1:c6:06:5f:1b:95:de:b7:8e:d2: ef:e8:ff:84:81:73:45:c9:a5:52:6d:af:8e:6a:16: bf:23:97:66:5e:d8:1f:0e:e9:1b:d3:03:e3:cd:4c: 02:2f:68:f0:a5:70:a3:90:f5:19:8d:f5:6b:d1:87: e7:82:39:f9:09:1b:ee:56:f9 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: 2F:D9:17:38:F0:9E:03:2C:57:E5:FF:20:24:BC:F1:AA:2C:35:AB:D5 X509v3 Authority Key Identifier: keyid:2F:D9:17:38:F0:9E:03:2C:57:E5:FF:20:24:BC:F1:AA:2C:35:AB:D5 X509v3 Basic Constraints: CA:TRUE Signature Algorithm: sha1WithRSAEncryption 5d:5c:c0:10:c3:60:10:c5:d4:30:cf:90:41:32:d9:73:1f:03: 66:a5:3b:ca:e2:99:2f:89:10:0e:4d:d6:b3:1d:97:ae:0a:54: 46:0b:a8:51:02:97:c6:41:32:16:db:7c:77:28:e8:df:73:70: a0:01:73:b6:84:90:b5:a8:b7:54:53:7d:a9:cd:81:33:35:6d: 58:5e:ba:e2:7d:34:7a:32:c9:fd:4f:07:18:75:a7:53:3d:61: 1b:98:7a:e6:92:5b:74:39:e1:ab:b2:6a:51:4a:56:c5:99:1e: d7:7a:7a:b6:32:e8:ca:f2:33:bc:3f:d5:3c:3f:87:2a:9f:ab: 37:c8 -------------- next part -------------- A non-text attachment was scrubbed... Name: cert.1024.combined Type: application/octet-stream Size: 2124 bytes Desc: not available URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20151009/2c9c633d/attachment-0001.obj> -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 2863 bytes Desc: not available URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20151009/2c9c633d/attachment-0001.bin>