An error is received when trying to upload a Certificate + Key file to PAM. Because of the error, the certificate is not loaded into PAM.
The following information & symptoms characterize this issue:
- A Self-signed certificate is being loaded into PAM
- The Private Key was generated using RSA
- The Private Key and Certificate files have been combined in a text editor into a single file
- The combined Certificate + Key file has been saved with "LF" type line endings
- All headers and footers for the certificate & key still exist in the combined file
- When trying to upload the combined file using the option "Certificate with Private Key" under Security > Certificates > Upload, one of the errors below is seen
Possible Related Errors:
PAM-CM-0194: Unable to upload file
PAM-CM-0195: The key file for the certificate <certificate file name> is missing
PAM-CM-0201: Verification Error Can not open private key file
PAM's source code expects RSA-based Private Keys to start with the "-----BEGIN RSA PRIVATE KEY-----" header and to have a matching footer. It was found that in some cases RSA-based Private Keys are missing the "RSA" part of the header (and footer).
Specifically, different versions of OpenSSL seem to create private key files with different resulting key headers/footers. For example, the command below creates a new 2048-bit RSA Key in every version of OpenSSL, but it was observed that different versions end up with different headers.
openssl req -new -x509 -newkey rsa:2048 -sha256 -nodes -keyout rsakey.key -days 365 -out cert.pem
-----BEGIN RSA PRIVATE KEY----- ... BASE64 key info ... -----END RSA PRIVATE KEY-----
-----BEGIN PRIVATE KEY----- ... BASE64 key info ... -----END PRIVATE KEY-----
openssl genrsa 2048
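A pre-upload check for the combined file, as an added example that is not part of the original article or of PAM: it tests the conditions listed above (LF line endings, matching headers and footers, and whether the key block carries the "RSA" label). The function names, verdict strings and sample files are constructed for illustration, and the placeholder Base64 is not real key material.

```shell
#!/bin/sh
# Added example: inspects PEM labels only; it does not parse or validate keys.
# check_combined_pem FILE prints one verdict and returns 0 only for "ok":
#   ok           CERTIFICATE block plus "RSA PRIVATE KEY" block, LF endings
#   generic-key  key block is "PRIVATE KEY" (no "RSA" in header and footer)
#   crlf         file contains CR characters, so it is not LF-only
#   unbalanced   a BEGIN line without its matching END line, or the reverse
#   no-cert, no-key   no CERTIFICATE block / neither of the two key labels
check_combined_pem() {
    pem_file=$1
    cr_char=$(printf '\r')
    if grep -q "$cr_char" "$pem_file"; then echo crlf; return 1; fi
    verdict=$(awk '
        /^-----BEGIN [A-Z0-9 ]+-----$/ {
            if (cur != "") bad = 1
            cur = substr($0, 12, length($0) - 16)
            next
        }
        /^-----END [A-Z0-9 ]+-----$/ {
            label = substr($0, 10, length($0) - 14)
            if (label != cur) bad = 1
            else seen[label] = 1
            cur = ""
            next
        }
        END {
            if (bad || cur != "") print "unbalanced"
            else if (!("CERTIFICATE" in seen)) print "no-cert"
            else if ("RSA PRIVATE KEY" in seen) print "ok"
            else if ("PRIVATE KEY" in seen) print "generic-key"
            else print "no-key"
        }' "$pem_file")
    echo "$verdict"
    [ "$verdict" = ok ]
}
# make_sample KEYLABEL FILE writes a constructed combined file (placeholder Base64).
make_sample() {
    printf '%s\n' "-----BEGIN CERTIFICATE-----" "Q09OU1RSVUNURUQ=" \
        "-----END CERTIFICATE-----" "-----BEGIN $1-----" "Q09OU1RSVUNURUQ=" \
        "-----END $1-----" > "$2"
}
tmp=$(mktemp -d)
make_sample "RSA PRIVATE KEY" "$tmp/with_rsa.pem"
make_sample "PRIVATE KEY" "$tmp/without_rsa.pem"
for f in "$tmp"/*.pem; do
    printf '%s: ' "${f##*/}"; check_combined_pem "$f" || true
done
rm -rf "$tmp"
```

A "generic-key" verdict corresponds to the header mismatch described above; "crlf" and "unbalanced" point to an editing problem in the combined file rather than to the key format.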
Any PAM Version
There are a few options to resolve this: