DXNetOps Performance Management Portal certificate requirements and conversion

Article ID: 245156

Products

CA Performance Management - Usage and Administration DX NetOps

Issue/Introduction

We need to deploy an SSL certificate provided by a certificate authority.

During implementation we get the following error:

140029853058976:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:x509_cmp.c:341:
Enter pass phrase for /tmp/capckey.key:
unable to load private key
140029853058976:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:592:
140029853058976:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:p12_decr.c:108:
140029853058976:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:p12_decr.c:139:
140029853058976:error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib:pem_pkey.c:141:
error in pkcs12

or the following error:

... java.security.spec.InvalidKeySpecException: java.security.InvalidKeyException: IOException : algid parse error, not a sequence

 

 

Environment

Release : all PM releases

Component : PM Web UI Administration/Configuration

Cause

The private key is in an incorrect format, or the key is encrypted.

REQUIREMENTS:

- both files (certificate and key) must be in PEM format

- files cannot be encrypted

- private key must be in PKCS#8 standard

Resolution

1. Verify that the certificate matches the key by comparing the modulus:

openssl x509 -noout -modulus -in cert.pem | openssl md5
openssl rsa -noout -modulus -in privateKey.key | openssl md5

Outputs must be identical.

2. Make sure the files are in PEM format

Open them with a text editor and make sure you see the following lines in them:

  • Certificate file:
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
  • Key file:
    -----BEGIN PRIVATE KEY-----
    -----END PRIVATE KEY-----

3. Make sure key is not encrypted.

If you see the following lines in the key file:

-----BEGIN ENCRYPTED PRIVATE KEY-----
-----END ENCRYPTED PRIVATE KEY-----

the key is encrypted and must be decrypted before the SSL Configuration Tool can use it.

4. Make sure key is in PKCS#8 standard

If you see the following lines in the key file:

-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----

the file is in PKCS#1 standard and must be converted to PKCS#8.

Additional Information

  • convert DER cert / key to PEM if needed:

    openssl x509 -inform der -in certificate.cer -out certificate.pem
    openssl rsa -inform der -in SERVER.key -out SERVER_pem.key

  • decrypt the key:

    openssl rsa -in SERVER.key -out SERVER_noenc.key

  • convert from PKCS#1 to PKCS#8:

    openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in existing_pem_decrypted.key -out new_pem_decrypted_pkcs8.key
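
Steps 2 to 4 can be checked in one pass by reading the PEM markers. The script below is an added example, not part of the original article or the product. It goes slightly beyond the article by also detecting legacy encrypted PKCS#1 keys, which keep the RSA PRIVATE KEY marker. The function names are hypothetical, and the output file names are the article's placeholders.

```shell
#!/bin/sh
# Added example: check a key file against the portal's three requirements
# (PEM, unencrypted, PKCS#8) by its PEM markers. Nothing is modified.

# Prints: pkcs8 | pkcs8-encrypted | pkcs1 | pkcs1-encrypted | not-pem
classify_key() {
    if grep -qF -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        echo pkcs8-encrypted
    elif grep -qF -e '-----BEGIN PRIVATE KEY-----' "$1"; then
        echo pkcs8
    elif grep -qF -e '-----BEGIN RSA PRIVATE KEY-----' "$1"; then
        # Legacy OpenSSL encryption keeps the PKCS#1 marker and adds a
        # "Proc-Type: 4,ENCRYPTED" header, so the marker alone is not enough.
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
            echo pkcs1-encrypted
        else
            echo pkcs1
        fi
    else
        echo not-pem    # DER-encoded, or not a private key at all
    fi
}

# Prints the article's conversion command for the detected state.
# Output file names are the article's placeholders; nothing is executed.
next_step() {
    case $(classify_key "$1") in
        pkcs8)
            echo "ok: PEM, unencrypted, PKCS#8" ;;
        pkcs8-encrypted|pkcs1-encrypted)
            echo "decrypt: openssl rsa -in $1 -out SERVER_noenc.key" ;;
        pkcs1)
            echo "convert: openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in $1 -out new_pem_decrypted_pkcs8.key" ;;
        *)
            echo "to-pem: openssl rsa -inform der -in $1 -out SERVER_pem.key" ;;
    esac
}
```

Run `next_step` again on the output of each conversion, because the format `openssl rsa` writes differs between OpenSSL versions. A decrypted key is plaintext on disk, so keep it readable only by the account that runs the SSL Configuration Tool (for example `chmod 600`).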