Couchbase Certificate doesn't accept pkcs#8/12 private keys

Description

In following these steps: https://developer.couchbase.com/documentation/server/4.6/security/security-x509certsintro.html

I tried using couchbase-cli ssl-manage --set-node-certificate using a cert and key that were minted by our in-house CA. It was rejected by the couchbase server as follows:

 

 

It seems that the key file is in PKCS#8 format which couchbase cannot understand. Can support for this be added? More info:

http://stackoverflow.com/questions/20065304/what-is-the-differences-between-begin-rsa-private-key-and-begin-private-key

https://tools.ietf.org/html/rfc5208

http://stackoverflow.com/questions/18039401/how-can-i-transform-between-the-two-styles-of-public-key-format-one-begin-rsa

 

 

My current workaround is to use openssl to convert to PKCS#1 format with these commands:


Activity


Ian McCloy August 18, 2021 at 8:31 AM

PKCS#8 format will be supported in the Neo release, this is tracked as and we're tracking PKCS#12 format as which will be a stretch goal to also include into Neo but not confirmed yet. 

I will close this Jira ticket as a duplicate, please follow the other 2 for progress. 

Simon Murray August 30, 2019 at 11:30 AM

Just had another run-in with this while helping the docs team. The following CSRs should work when signed as regards PKCS#8 support. The first is a very commonly used command by many PKI management systems, and myself!

Simon Murray November 27, 2018 at 9:21 AM

Quick suggestion, if we do support PKCS#8 it's probably worthwhile supporting ECDSA keys as well as the existing RSA ones to future-proof the change.

Don Pinto [X] November 27, 2018 at 3:34 AM

– Let me know if we can support this format for our x.509 features, plus node-to-node encryption 

Don Pinto [X] October 4, 2018 at 5:51 AM

A common format for storing a certificate chain – the server or client certificate along with the intermediate certificates in its signing chain – and its server or client certificate's private key is the PKCS#12 format, which contains those items within one file.

-> This single file would make manageability quite simple

Duplicate

Created May 16, 2017 at 8:55 PM
Updated August 18, 2021 at 8:39 AM
Resolved August 18, 2021 at 8:31 AM