pkiutil -import fails with The CA keys entry <Key Alias> does not contain a valid private-key.

Information

Article Number: 000175125
Environment:
Product: OpenEdge
Version: 11.6.0, 11.6.1
OS: All supported platforms
Other: SSL
Question/Problem Description
'pkiutil -import' fails with: The CA keys entry <Key Alias> does not contain a valid private-key.

pkiutil fails to import a signed certificate from a CSR generated with 'pkiutil -newreq'.

The private key (<DLC>\keys\requests\<alias>.pk1) created by 'pkiutil -keysize 2048 -newreq testalias' is encrypted in PKCS#8 format.

A PKCS#8 private key file has the following header:
-----BEGIN ENCRYPTED PRIVATE KEY-----
Steps to Reproduce
1. Create a new private key and certificate request:

proenv> pkiutil -keypass testalias -newreq testalias

2. Get the generated CSR (Certificate Signing Request) <DLC>\keys\requests\testalias.pk10 signed by a Certificate Authority and save the signed certificate the CA provides in <WRKDIR>.

3. Import the certificate into the alias:

proenv> pkiutil -import testalias certificate.cer
Clarifying Information
The above steps work as expected in versions prior to OpenEdge 11.6.0.

In prior versions the private key file (<DLC>\keys\requests\<alias>.pk1) created by 'pkiutil -newreq' is in PKCS#5 format.

A PKCS#5 private key file has the following header:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC
Error Message: The CA keys entry <Alias> does not contain a valid private-key.
Defect Number: PSC00344869
Cause
This defect is caused by a change in the format in which OpenSSL creates the private key by default:
  • Prior to OpenEdge 11.6, Progress packaged OpenSSL version 0.9.8g, which has no PKCS#8 support in pkiutil or any other tools. Private keys are created in PKCS#5 format.
  • In OpenEdge 11.6, after the upgrade to OpenSSL 1.0.1, OpenSSL supports both the PKCS#8 and PKCS#5 formats, and OpenSSL version 1.0.1m changes the default format in which private keys are created to PKCS#8.
The defect is that pkiutil does not support a private key in PKCS#8 format.
Resolution
Upgrade to the OpenEdge 11.6.2 Service Pack, 11.7.0 or later, where a new option is provided in pkiutil to generate either a PKCS#5 or a PKCS#8 encrypted key:
  • -pkcs5 (force the private key to be PKCS#5) [This is the default in 11.6.2]
  • -pkcs8 (force the private key to be PKCS#8)
For example:

A PKCS#5 format encrypted key is the default in 11.6.2:
$ pkiutil -keysize 2048 -newreq testalias

Or by explicitly setting -pkcs5 as a parameter:
$ pkiutil -keysize 2048 -pkcs5 -newreq testalias

Should a PKCS#8 encrypted key be needed, use -pkcs8:
$ pkiutil -keysize 2048 -pkcs8 -newreq testalias

On OpenEdge 11.6, when using a PKCS#8 private key format:
  1. An OpenEdge Database using a certificate whose private key is in PKCS#8 format will start without error.
  2. An AppServer using a certificate whose private key is in PKCS#8 format will fail, which is expected in OpenEdge 11.6.x:
SSL Server initialization error com.rsa.ssl.SSLException: java.lang.NullPointerException
at com.rsa.asn1.AlgorithmID.a(Unknown Source)

This is because the Broker (java.exe) uses the BSAFE RSA SSLJ library for the underlying SSL, which has a problem with PKCS#8.
In OpenEdge 11.7.0, RSA SSLJ has been upgraded to JSSE, which resolves the problem.
Workaround
1. Convert the PKCS#8 private key to the PKCS#5 format that pkiutil can import:

$DLC/bin/sslc rsa -in <alias>.pk1 -des3 -out <alias>.pk1

This rewrites the key file in place, so keep a copy of the original first. sslc prompts for the pass phrase of the existing key and then for the pass phrase that will protect the converted (DES-EDE3-CBC encrypted) key.

2. Import the certificate:

proenv> pkiutil -import <alias> <signed certificate>.cer
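As an added check, not part of the Progress article or of pkiutil: the shell script below classifies a .pk1 file by the PEM header it carries (the two headers quoted in the Question and Clarifying Information sections above), reports whether the 11.6.0/11.6.1 pkiutil will accept it, and prints the sslc conversion command from the workaround for that file. The function names are mine, and the sample key files it writes are constructed placeholders with dummy base64 bodies, not real key material.

```shell
#!/bin/sh
# Added example (not from the Progress KB article or from pkiutil): detect the
# private-key format of a .pk1 file before running 'pkiutil -import'.
# Function names are hypothetical; demo files below are constructed placeholders.

# key_format FILE
# Prints one of: pkcs8-encrypted, pkcs8-plain, pkcs5-encrypted, pkcs5-plain, unknown
key_format() {
    f=$1
    if grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$f"; then
        echo pkcs8-encrypted      # header OpenSSL 1.0.1m+ writes by default
    elif grep -q -e '-----BEGIN PRIVATE KEY-----' "$f"; then
        echo pkcs8-plain          # unencrypted PKCS#8
    elif grep -q -e '-----BEGIN RSA PRIVATE KEY-----' "$f"; then
        # Traditional (PKCS#5) format: encryption is signalled by the
        # Proc-Type / DEK-Info headers, not by the BEGIN line itself.
        if grep -q -e '^Proc-Type: 4,ENCRYPTED' "$f"; then
            echo pkcs5-encrypted
        else
            echo pkcs5-plain
        fi
    else
        echo unknown
    fi
}

# pkiutil_import_ok FILE
# Returns 0 when the key is in the traditional format that 11.6.0/11.6.1 pkiutil accepts.
pkiutil_import_ok() {
    case "$(key_format "$1")" in
        pkcs5-encrypted|pkcs5-plain) return 0 ;;
        *) return 1 ;;
    esac
}

# convert_cmd FILE
# Prints the article's sslc command that converts FILE to an encrypted PKCS#5 key.
# It only prints the command: running it rewrites FILE in place and prompts for pass phrases.
convert_cmd() {
    printf '$DLC/bin/sslc rsa -in %s -des3 -out %s\n' "$1" "$1"
}

# --- constructed demo files: placeholder bodies, NOT real keys ---
demo=$(mktemp -d)
printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' \
              'UExBQ0VIT0xERVIgQk9EWQ==' \
              '-----END ENCRYPTED PRIVATE KEY-----' > "$demo/pkcs8.pk1"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
              'Proc-Type: 4,ENCRYPTED' \
              'DEK-Info: DES-EDE3-CBC,0123456789ABCDEF' \
              '' \
              'UExBQ0VIT0xERVIgQk9EWQ==' \
              '-----END RSA PRIVATE KEY-----' > "$demo/pkcs5.pk1"

for k in "$demo/pkcs8.pk1" "$demo/pkcs5.pk1"; do
    fmt=$(key_format "$k")
    if pkiutil_import_ok "$k"; then
        echo "$k: $fmt - pkiutil -import should accept this key"
    else
        echo "$k: $fmt - convert first with: $(convert_cmd "$k")"
    fi
done
rm -rf "$demo"
```

To check a real request key, run `key_format "$DLC/keys/requests/<alias>.pk1"` from proenv; a result of pkcs8-encrypted on 11.6.0/11.6.1 means the import will fail with the error in this article until the key is converted.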
Last Modified Date: 4/15/2019 7:41 AM