Enabling HTTPS on the Data Aggregator with signed certificate fails

book

Article ID: 206484

calendar_today

Updated On:

Products

CA Performance Management - Usage and Administration

Issue/Introduction

Getting below error when trying to enable HTTPS on the Data Aggregator by using the SSLConfig Tool with a signed certificate and key:

File /opt/application/CA/certs/cert_2xxx/pm.xxxx.org.key is found but it does not seem to be a correct private key file.

Cause

This exception occurs as sslConfig.sh is looking for the string "BEGIN PRIVATE KEY" in the key file but it is not finding it, meaning it is not recognizing the key format and hence the reason for the exception. 

Environment

Any DA release

Resolution

1.- Check the format of key (eg: by using cat command) and the should have:
-----BEGIN PRIVATE KEY-----
encoded key info
-----END PRIVATE KEY-----

or

-----BEGIN RSA PRIVATE KEY-----
encoded key info
-----END RSA PRIVATE KEY-----


- BEGIN RSA PRIVATE KEY is PKCS#1 and is just an RSA key. It is essentially just the key object from PKCS#8, but without the version or algorithm identifier in front. 
- BEGIN PRIVATE KEY is PKCS#8 and indicates that the key type is included in the key data itself.

 

2.- If the header of the key is of the type "BEGIN RSA PRIVATE KEY" (PKCS#1) then run below command to conver it to PKCS#8:
openssl pkey -in pkcs1key.pem -out pkcs8key.pem

Where "pkcs1key.pem" is the PKCS#1 key filename and "pkcs8key.pem" will be the name of the converted key to PKCS#8 format.

3.- If the header of the key contains "BEGIN PRIVATE KEY" then check if the SSL certificate matches a Private Key by using these two commands and then comparing the modulus that returns:
- For the SSL certificate: openssl x509 –noout –modulus –in <file>.crt | openssl md5
- For the private key: openssl rsa –noout –modulus –in <file>.key | openssl md5

 

If the above doesn't help, please contact Broadcom Support.

Additional Information

Differences between “BEGIN RSA PRIVATE KEY” and “BEGIN PRIVATE KEY”
https://stackoverflow.com/questions/20065304/differences-between-begin-rsa-private-key-and-begin-private-key