Unable to load CA private key

Article ID: 136250

Products

XCOM Data Transport, XCOM Data Transport - Windows, XCOM Data Transport - z/OS, XCOM - SUPPORT

Issue/Introduction

We are configuring XCOM to use SSL connections for transport. We created the certificates on CA XCOM Windows R11.6, then transferred the cassl.pem and casslkey.pem files to the z/OS CA XCOM R12.0 system. We cleared all current certificates and ran the makeca script to create the required directories and files. We then replaced the cassl.pem and casslkey.pem files in the certs and private directories and tried to create the server certificates using the makeserver script, but got the following error:

 xxxxxxxxx:/SERVICE/CA/XCOM/V12_0/certs/ssl> ./makeserver

Using configuration from ./serverssl.conf

Generating a 1024 bit RSA private key

....++++++

............++++++

writing new private key to './private/serverkey.pem'

-----

Using configuration from ./cassl.conf

unable to load CA private key

67109345:error:06065064:digital envelope routines:EVP_DecryptFinal:bad decrypt:/a/src/SSL/crypto/evp/evp_enc.c:277:

67109345:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:/a/src/SSL/crypto/pkcs12/p12_decr.c:95:

67109345:error:2306A075:PKCS12 routines:PKCS12_decrypt_d2i:pkcs12 pbe crypt error:/a/src/SSL/crypto/pkcs12/p12_decr.c:121:

67109345:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:/a/src/SSL/crypto/pem/pem_lib.c:291:

mv: ./servercert.pem: EDC5129I No such file or directory.

We then did it the other way around, but the same error was produced on the Windows side.
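The error lines above follow the OpenSSL error-queue format, with the oldest (innermost) failure printed first. The following parser is an added example, not part of the original article or of XCOM; it assumes the pre-3.0 OpenSSL packing of the 8-digit code (library, function, reason) and uses the four lines from the output above as its sample input.

```python
import re

# Library numbers as defined in OpenSSL's err.h (assumption: pre-3.0 layout).
LIBS = {6: "EVP", 9: "PEM", 13: "ASN1", 35: "PKCS12"}

# thread-id:error:packed-code:library:function:reason:file:line:
LINE = re.compile(
    r"^(?P<tid>\d+):error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):"
    r"(?P<func>[^:]*):(?P<reason>[^:]*):(?P<file>.*):(?P<line>\d+):$"
)

# The four error lines from the makeserver output above.
SAMPLE = """\
67109345:error:06065064:digital envelope routines:EVP_DecryptFinal:bad decrypt:/a/src/SSL/crypto/evp/evp_enc.c:277:
67109345:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:/a/src/SSL/crypto/pkcs12/p12_decr.c:95:
67109345:error:2306A075:PKCS12 routines:PKCS12_decrypt_d2i:pkcs12 pbe crypt error:/a/src/SSL/crypto/pkcs12/p12_decr.c:121:
67109345:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:/a/src/SSL/crypto/pem/pem_lib.c:291:
"""

def parse_line(text):
    """Parse one error-queue line; return None for any other output line."""
    m = LINE.match(text.strip())
    if not m:
        return None
    code = int(m["code"], 16)
    return {
        "lib": LIBS.get(code >> 24, m["lib"]),  # top 8 bits: library
        "lib_no": code >> 24,
        "func_no": (code >> 12) & 0xFFF,        # middle 12 bits: function
        "reason_no": code & 0xFFF,              # low 12 bits: reason
        "func": m["func"],
        "reason": m["reason"],
        "where": f'{m["file"]}:{m["line"]}',
    }

def parse_stack(text):
    """Return the parsed error lines in printed order (innermost first)."""
    return [e for e in map(parse_line, text.splitlines()) if e]

def summarize(text):
    """Name the outermost failing call and the innermost reason behind it."""
    stack = parse_stack(text)
    if not stack:
        return "no OpenSSL error lines found"
    root, top = stack[0], stack[-1]
    return (f"{top['lib']} {top['func']} failed because "
            f"{root['lib']} {root['func']} reported '{root['reason']}'")

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Run against the output above, the summary shows that the CA key file was found and read, and that the failure occurred while decrypting it.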

Environment

Release : 12.0

Component : CA XCOM Data Transport for z/OS

Cause

The CA certificate and key were created with a version of XCOM for Windows that does not support TLS 1.2. The key length requirements have increased.

Resolution

You will need to create the CA certificate and key (e.g. cassl.pem and casslkey.pem) with an XCOM version that supports TLS 1.2 in order to use them with XCOM r12 for z/OS. They are running XCOM r11.6 SP00, which is where they created the certificates. The version of XCOM on Windows would need to be upgraded to the current version of SP02 on Windows.