Golang complained today:

RSA modulus is not a positive number

I wondered whether this was a fault with our cert(s) or whether golang was loading it properly. As there was no canonical resource on the net for how to diagnose it, her’s what I did (some anonymity applied to the cert):

First:

openssl asn1parse -i -dump -in /path/to/certificate | egrep -A6 -B1 :rsaEncryption


which gives these lines:

289:d=3 hl=2 l= 11 cons: SEQUENCE
291:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption
302:d=3 hl=4 l= 270 prim: BIT STRING
0000 - 00 30 82 01 09 02 82 01-00 cb 4a 13 93 bf 3e 91 .0........J...&gt;.
0010 - 89 08 4e 85 fb e0 2a b8-9e 1c 7f d3 1a eb 34 77 ..N...*.......4w
0020 - 6d 8a 0c 1d d9 13 70 40-ba be 5f 77 2f a1 88 66 m.....p@.._w/..f
0030 - fd 2e ef 14 3f 1d 36 ff-df 23 1c 6a a5 f1 ae fb ....?.6..#.j....
0040 - e6 9a 0a 8b dc 53 5d f4-7a be 0c 27 38 76 2f 27 .....S].z..'8v/'


That tells me that the rsaEncryption bit string starts at byte offset 302. So now I can look at it like this:

\$ openssl asn1parse -i -dump -in /path/to/certificate -strparse 302
0:d=0 hl=4 l= 265 cons: SEQUENCE