Couchbase Server: MB-24404

ssl-manage --set-node-certificate doesn't accept pkcs#8/12 private keys


    Details

      Description

      In following these steps: https://developer.couchbase.com/documentation/server/4.6/security/security-x509certsintro.html

      I tried using couchbase-cli ssl-manage --set-node-certificate using a cert and key that were minted by our in-house CA. It was rejected by the couchbase server as follows:


      [bweir@lca1-cbvt05 ~]$ couchbase-cli ssl-manage -c $(hostname -f) --set-node-certificate
      "Invalid private key type: PrivateKeyInfo."

      It seems that the key file is in PKCS#8 format which couchbase cannot understand. Can support for this be added? More info:

      http://stackoverflow.com/questions/20065304/what-is-the-differences-between-begin-rsa-private-key-and-begin-private-key

      https://tools.ietf.org/html/rfc5208

      http://stackoverflow.com/questions/18039401/how-can-i-transform-between-the-two-styles-of-public-key-format-one-begin-rsa

      My current workaround is to use openssl to convert to PKCS#1 format with these commands:

      openssl rsa -in pkey.key.pkcs8 -out pkey.key.der -outform DER
      openssl rsa -in pkey.key.der -inform DER -out pkey.key.pkcs1 -outform PEM


            Activity

            simon.murray Simon Murray added a comment -

            I too have just hit this; given I was using EasyRSA at the time, this problem is probably going to be quite widespread.

            djp Don Pinto [X] (Inactive) added a comment -

            A common format for storing a certificate chain – the server or client certificate along with the intermediate certificates in its signing chain – and its server or client certificate's private key is the PKCS#12 format, which contains those items within one file.

            -> This single file would make manageability quite simple

            djp Don Pinto [X] (Inactive) added a comment -

            Ajit Yagaty – Let me know if we can support this format for our x.509 features, plus node-to-node encryption 

            simon.murray Simon Murray added a comment -

            Quick suggestion: if we do support PKCS#8, it's probably worthwhile supporting ECDSA keys as well as the existing RSA ones to future-proof the change.

            simon.murray Simon Murray added a comment -

            Just had another run-in with this while helping the docs team. The following CSRs should work when signed as regards PKCS#8 support. The first is a very commonly used command by many PKI management systems, and myself!

            openssl req -new -newkey rsa:2048 -nodes -keyout couchbase.example.com.key -out couchbase.example.com.csr -subj "/CN=Couchbase Server"

            openssl ecparam -name secp256k1 -out secp256k1.pem
            openssl req -new -newkey ec:secp256k1.pem -nodes -keyout private/couchbase.example.com.key -out couchbase.example.com.csr -subj "/CN=Couchbase Server"
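
The reporter's `openssl rsa` workaround and Simon Murray's ECDSA point both come down to the same container question: a PEM block labelled `PRIVATE KEY` is a PKCS#8 PrivateKeyInfo (an AlgorithmIdentifier plus the bare key as an OCTET STRING), which is the "PrivateKeyInfo" type the server's error names, while `RSA PRIVATE KEY` / `EC PRIVATE KEY` carry the bare PKCS#1 / SEC1 structure the tool expected. The following is an added example, not code from this issue or from Couchbase: a small pure-Python DER reader that classifies a key by its container and unwraps an unencrypted PKCS#8 key to the traditional form, restoring the named curve into ECPrivateKey for the EC case. The function names, the toy textbook-sized RSA numbers and the sample builder are assumptions made for the example; the OIDs are the standard ones from RFC 5208 / RFC 5480.

```python
import base64
import re
import textwrap

# AlgorithmIdentifier OIDs carried in a PKCS#8 PrivateKeyInfo (RFC 5208 / RFC 5480).
OID_RSA = "1.2.840.113549.1.1.1"
OID_EC = "1.2.840.10045.2.1"
ALG_NAMES = {OID_RSA: "RSA", OID_EC: "EC"}
# Pre-encoded OBJECT IDENTIFIER TLVs, used only to build the constructed sample inputs.
OID_DER = {OID_RSA: bytes.fromhex("06092a864886f70d010101"), OID_EC: bytes.fromhex("06072a8648ce3d0201")}
CURVE_P256_DER = bytes.fromhex("06082a8648ce3d030107")  # secp256r1 namedCurve, for the EC sample
# Traditional PEM labels wrap the bare algorithm structure, with no AlgorithmIdentifier.
TRADITIONAL = {"RSA PRIVATE KEY": "PKCS#1", "EC PRIVATE KEY": "SEC1"}

def der_read(buf, pos=0):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_write(tag, value):
    """Encode one DER TLV (short- or long-form length)."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def der_items(seq_body):
    """Split a SEQUENCE body into its raw child TLVs."""
    items, pos = [], 0
    while pos < len(seq_body):
        nxt = der_read(seq_body, pos)[2]
        items.append(seq_body[pos:nxt])
        pos = nxt
    return items

def oid_decode(value):
    """DER OBJECT IDENTIFIER body -> dotted string."""
    arcs, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(acc))
            acc = 0
    return ".".join(arcs)

def pem_decode(pem):
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    return m.group(1), base64.b64decode("".join(m.group(2).split()))

def pem_encode(label, der):
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def parse_pkcs8(der):
    """PrivateKeyInfo ::= SEQUENCE { version, AlgorithmIdentifier, privateKey OCTET STRING, ... }."""
    alg, key = der_items(der_read(der)[1])[1:3]
    alg_items = der_items(der_read(alg)[1])
    return oid_decode(der_read(alg_items[0])[1]), b"".join(alg_items[1:]), der_read(key)[1]

def classify(pem):
    """Report container and algorithm; a bare 'PRIVATE KEY' label is the PKCS#8 wrapper the error names."""
    label, der = pem_decode(pem)
    if label in TRADITIONAL:
        return {"container": TRADITIONAL[label], "algorithm": label.split()[0]}
    if label == "PRIVATE KEY":
        oid = parse_pkcs8(der)[0]
        return {"container": "PKCS#8", "algorithm": ALG_NAMES.get(oid, oid)}
    raise ValueError(f"unrecognised PEM label {label!r}")

def unwrap_pkcs8(pem):
    """Rewrite an unencrypted PKCS#8 PEM as PKCS#1 (RSA) or SEC1 (EC), as `openssl rsa`/`openssl ec` do."""
    label, der = pem_decode(pem)
    if label != "PRIVATE KEY":
        raise ValueError("expected an unencrypted PKCS#8 'PRIVATE KEY' block")
    oid, params, inner = parse_pkcs8(der)
    if oid == OID_RSA:
        return pem_encode("RSA PRIVATE KEY", inner)  # the OCTET STRING already holds RSAPrivateKey
    if oid == OID_EC:
        # PKCS#8 moves the named curve into the AlgorithmIdentifier; SEC1 keeps it in [0] of
        # ECPrivateKey, so restore it there when the inner structure omitted it.
        items = der_items(der_read(inner)[1])
        if params[:1] == b"\x06" and not any(i[0] == 0xA0 for i in items):
            items.insert(2, der_write(0xA0, params))
        return pem_encode("EC PRIVATE KEY", der_write(0x30, b"".join(items)))
    raise ValueError(f"no traditional PEM form for algorithm {oid}")

def build_sample_pkcs8(oid, params, inner):
    """Constructed input: wrap an inner key DER in a PrivateKeyInfo (not a real key)."""
    alg = der_write(0x30, OID_DER[oid] + params)
    return pem_encode("PRIVATE KEY", der_write(0x30, der_write(0x02, b"\x00") + alg + der_write(0x04, inner)))

def toy_rsa_pkcs1():
    """Constructed RSAPrivateKey with textbook-sized numbers (p=61, q=53): structure only, useless as a key."""
    ints = [0, 3233, 17, 2753, 61, 53, 53, 49, 38]  # version, n, e, d, p, q, dP, dQ, qInv
    return der_write(0x30, b"".join(
        der_write(0x02, i.to_bytes((i.bit_length() + 8) // 8, "big")) for i in ints))
```

Running `classify()` on a file before handing it to `ssl-manage` tells you in advance whether it is the wrapper the server rejects; `unwrap_pkcs8()` does for RSA what the two `openssl rsa` commands in the description do in one step, and for EC keys shows why the curve has to travel back into the `[0]` field when leaving PKCS#8. Encrypted PKCS#8 (`ENCRYPTED PRIVATE KEY`) is deliberately not handled: decrypting it is a job for openssl.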

              People

              • Assignee: Ajit Yagaty (ajit.yagaty)
              • Reporter: bweir
              • Votes: 1
              • Watchers: 7

