One other important note:
The key.pem file is typically encrypted by a passphrase. nsopenssl
isn't set up to decrypt a key.pem file that is encrypted with a passphrase. If nsopenssl fails to load the key file, then this is probably the problem.
If your key.pem file has something like this at the beginning:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,C636A456899E9D41
...
then it's encrypted. If your key looks something like this:
-----BEGIN RSA PRIVATE KEY-----
SNTEOmnsthaostuhsnts}OREU/ADHT+rPTx/DPRp3xGjHZ4GG6pCmvADIEtBtKBFAc
Z64n+Dy7NblahblahblahblahH1D/j8HlGE+q4TZ8OFk7BNBFazHxFbYI4OKMiC
...
then it isn't encrypted.
To enable nsopenssl to use your key, strip the passphrase from your key.pem file by doing the following:
openssl rsa -in key.pem -out newkey.pem
newkey.pem is your unencrypted key -- use this as your certificate's key, just make sure it's well protected with file system perms.