CA PAM not accepting Self-signed Certificate + Key files


Article ID: 126692


Updated On:


CA Privileged Access Manager - Cloakware Password Authority (PA) PAM SAFENET LUNA HSM CA Privileged Access Manager (PAM)


An error is received when trying to upload a Certificate + Key file to PAM. Due to the error the certificate is not loaded into PAM successfully.

The following information & symptoms characterize this issue:
- A Self-signed certificate is being loaded into PAM
- The Private Key was generated using RSA
- The Private Key and Certificate files have been combined in a text editor into a single file
- The combined Certificate + Key file has been saved with "LF" type line endings
- All header and footers for the certificate & key still exist in the combined file
- When trying to Upload the combined file using the option "Certificate with Private Key" under Security > Certificates > Upload, one of the errors below is seen

Possible Related Errors:
PAM-CM-0194: Unable to upload file
PAM-CM-0195: The key file for the certificate <certificate file name> is missing
PAM-CM-0201: Verification Error Can not open private key file


PAM's source code expects RSA-based Private Keys to start with the "-----BEGIN RSA PRIVATE KEY-----" header and to end with the matching footer. It was found that in some cases RSA-based Private Keys are missing the "RSA" part of the header (and footer).

Specifically, different versions of OpenSSL create private key files with different key headers/footers. For example, the command below creates a new 2048-bit RSA Key in every version of OpenSSL, but different versions were observed to write different headers.

Sample command:
openssl req -new -x509 -newkey rsa:2048 -sha256 -nodes -keyout rsakey.key -days 365 -out cert.pem

Older versions (tested with v0.9.8zf) DID include RSA:
-----BEGIN RSA PRIVATE KEY-----
... BASE64 key info ...
-----END RSA PRIVATE KEY-----

Newer versions (tested with v1.0.1h & v1.0.2q) did NOT include RSA:
-----BEGIN PRIVATE KEY-----
... BASE64 key info ...
-----END PRIVATE KEY-----

However, in all tested versions, the following command always produced a file that includes RSA in the header/footer as expected by PAM:
openssl genrsa 2048


Any PAM Version


There are a few options to resolve this:
  1. (Easiest) Edit the Certificate + Key file to add RSA to the header & footer of the key as seen in the Cause section, then try re-uploading it.
  2. (Recommended) Generate a CSR from PAM and use the CSR to create the certificate. This way PAM already has a copy of the key and there should be no problems uploading the certificate.
  3. Generate a new Key first using the command "openssl genrsa". This should properly include RSA in the header/footer already. Then use that key with the "-signkey" option instead of "-newkey" when creating the certificate.
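A pre-upload check for the combined Certificate + Key file, added here as an example and not code from the original article or from PAM: it normalizes the file to LF line endings and, where the key block carries the "-----BEGIN PRIVATE KEY-----" label without RSA, unwraps the PKCS#8 envelope into the PKCS#1 body that the RSA header names, so the label and the key content agree rather than only the header being edited. The DER parsing is a minimal hand-written parser for this one structure, and the sample input in the test is a constructed stand-in, not a real key.

```python
import base64
import re

RSA_HEADER, RSA_FOOTER = "-----BEGIN RSA PRIVATE KEY-----", "-----END RSA PRIVATE KEY-----"  # label PAM expects (PKCS#1)
PKCS8_HEADER, PKCS8_FOOTER = "-----BEGIN PRIVATE KEY-----", "-----END PRIVATE KEY-----"  # label newer "openssl req -newkey" writes
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 (rsaEncryption)


def der_element(buf, i, tag):
    """Parse one DER element at buf[i] with the expected tag; return (content, index after it)."""
    if buf[i] != tag:
        raise ValueError("expected DER tag 0x%02x at offset %d" % (tag, i))
    length, start = buf[i + 1], i + 2
    if length >= 0x80:                                 # long form: 0x8N followed by N length bytes
        n = length & 0x7F
        length, start = int.from_bytes(buf[start:start + n], "big"), start + n
    return buf[start:start + length], start + length


def pkcs8_to_pkcs1(pkcs8_der):
    """Unwrap an unencrypted PKCS#8 PrivateKeyInfo and return the inner RSAPrivateKey (PKCS#1) DER."""
    body, _ = der_element(pkcs8_der, 0, 0x30)          # PrivateKeyInfo ::= SEQUENCE
    _, i = der_element(body, 0, 0x02)                  # version INTEGER
    alg, i = der_element(body, i, 0x30)                # privateKeyAlgorithm AlgorithmIdentifier
    oid, _ = der_element(alg, 0, 0x06)                 # its OBJECT IDENTIFIER
    if oid != RSA_OID:
        raise ValueError("not an RSA key; relabelling it as RSA would not help")
    inner, _ = der_element(body, i, 0x04)              # privateKey OCTET STRING holds the PKCS#1 DER
    return inner


def pem_block(header, footer, der):
    """Render DER as a PEM block with 64-column base64 lines and LF line endings."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[j:j + 64] for j in range(0, len(b64), 64)]
    return "\n".join([header] + lines + [footer]) + "\n"


def fix_combined_file(text):
    """Normalize combined cert+key text for PAM: LF endings, and a PKCS#8 key block converted to PKCS#1."""
    text = text.replace("\r\n", "\n").replace("\r", "\n")
    pattern = re.escape(PKCS8_HEADER) + r"\n(.*?)\n" + re.escape(PKCS8_FOOTER) + r"\n?"
    m = re.search(pattern, text, re.S)
    if m:
        der = base64.b64decode(m.group(1).replace("\n", ""))
        text = text[:m.start()] + pem_block(RSA_HEADER, RSA_FOOTER, pkcs8_to_pkcs1(der)) + text[m.end():]
    if RSA_HEADER not in text or RSA_FOOTER not in text:
        raise ValueError("no RSA private key block found (PAM would report PAM-CM-0195/0201)")
    return text
```

Run it over the combined file before uploading; a key that is not RSA is rejected instead of being relabelled, since the RSA header would not make such a file loadable.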