RSA SSL encrypted private keys unreadable by Apache?

on 18.01.2003 06:34:41 by Mike Thompson

We're using RSA bsafe sslc22 libraries to generate a PKCS#8
encrypted RSA private key for Apache 2.0.39 mod_ssl
using openssl 0.9.6e. We can use the key in cleartext
but when we encrypt it Apache can't decrypt it.

The interesting thing is that the openssl rsa command
can read the key file, but Apache 2.0.39 based on the
same openssl 0.9.6e can't use the key file.

Using openssl to read / decrypt the private key and
then re-encrypting using the same passphrase produces a
key that Apache can use. I tried this using both des and
des3 encryption. Both work.

Any ideas on how to get Apache to accept the original key
from the RSA routines or tweak the RSA code to produce a
key Apache can use? Thanks!

I'd guess the issue is with the encryption algorithm or
the header lines?

The RSA key is RSA private key encoded with PKCS#8
using SHA1 digest with DES-CBC in PEM format
(RFC 1421 common headers and trailers, not the
one that allows for variations.)
Here's the encrypted private key as written by the RSA
bsafe sslc22 application:

# more ssl.key/server.key
-----BEGIN ENCRYPTED PRIVATE KEY-----
-----END ENCRYPTED PRIVATE KEY-----


Here's the same key after decrypting and re-encrypting using the
same passphrase using the following openssl command, i.e.

# openssl rsa -in ssl.key/server.key -des3 -out ssl.key/serverDes3.key

# more ssl.key/serverDes3.key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,730497D7F6F3D777

-----END RSA PRIVATE KEY-----


For reference, here is the key converted using openssl DES,
i.e. same as above but using des instead of des3.

openssl rsa -in ssl.key/server.key -des -out ssl.key/serverDes.key

# more ssl.key/serverDes.key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-CBC,97632E1FC12295B9

-----END RSA PRIVATE KEY-----


Here's a default server key I generated through openssl independent
of the RSA application, not specifying a specific
encryption for reference:

# more ssl.key/serverDefault.key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,FE82F2B632D9E58F

fUKPwuaWTnXju1Zisx/Ore1CxOmmk/wwR6MwmOXsJKgBKRxFQXc0RUJVJPua rqdN
vRkcZoY0nvRrURqe6GayxjZmn+Tl48y1RCSaVCjfHx9zsN0+T3mrbo+HmbSF I33P
.

Incidentally, we're using an executable program to produce the
Pass Phrase for decrypting the private key specified in the
directive:
SSLPassPhraseDialog
http://httpd.apache.org/docs-2.0/mod/mod_ssl.html#sslpassphrasedialog

That's unrelated to our problem though since after we decrypt /
re-encrypt with the openssl command line tool the Pass Phrase
program starts up the server no problem.

Later, "A rainbow is only part of a circle." San Joser, CA
^ ^ Software Consultants: http://www.migration.com/
O o Permanent: m.t.thompson@ieee.org
===-o-=== My catbox: http://www.madkatz.com/
Ack! Phththpph!

2001 Clean Air Champion http://www.baaqmd.gov/pie/press/cachamp01.pdf

My True Zero Emission Vehicles (TZEV) GM EV1, Toyota RAV4 EV and
my home are powered by the 100% renewable, Zero Emissions
Electricity (ZEE) 30kWh/day Solar Electric (PV) system on my
roof which will pay for itself in about 6 years, 12% annualized
return on investment:
http://www.madkatz.com/pv/index.html

Sometimes I see gas cars... In my rearview mirror! http://www.gmev.com/



______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
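
The post suspects either the header lines or the encryption algorithm. As an added example (not part of the original post and not mod_ssl or OpenSSL code), this Python sketch reports both for a PEM private key: the container format from the BEGIN label, and the encryption scheme from the PKCS#8 AlgorithmIdentifier OID or the DEK-Info header. The function names and the two sample keys are constructed for illustration; the samples carry zeroed header bytes only and no key material.

```python
import base64
import re
# PKCS#5 password-based encryption OIDs (public standard values).
PBE_OIDS = {"1.2.840.113549.1.5.3": "pbeWithMD5AndDES-CBC",
            "1.2.840.113549.1.5.10": "pbeWithSHA1AndDES-CBC",
            "1.2.840.113549.1.5.13": "PBES2"}
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def read_tlv(buf, pos):  # returns (tag, value_start, value_end) of a DER element
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def decode_oid(raw):  # DER OBJECT IDENTIFIER content bytes -> dotted notation
    first = min(raw[0] // 40, 2)
    arcs, value = [first, raw[0] - 40 * first], 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def describe_key(pem_text):  # returns (container format, encryption scheme or None)
    m = PEM_RE.search(pem_text)
    if m is None:
        raise ValueError("no PEM block found")
    label, body = m.groups()
    if label == "ENCRYPTED PRIVATE KEY":  # PKCS#8 EncryptedPrivateKeyInfo
        der = base64.b64decode("".join(body.split()))
        _, pos, _ = read_tlv(der, 0)        # outer SEQUENCE
        _, pos, _ = read_tlv(der, pos)      # AlgorithmIdentifier SEQUENCE
        tag, pos, end = read_tlv(der, pos)  # algorithm OID
        if tag != 0x06:
            raise ValueError("expected an OBJECT IDENTIFIER")
        oid = decode_oid(der[pos:end])
        return "PKCS#8", PBE_OIDS.get(oid, oid)
    # Traditional format: the cipher is named in an RFC 1421 style header.
    headers = dict(re.findall(r"^([\w-]+): (.*)$", body, re.M))
    cipher = headers.get("DEK-Info", "").split(",")[0] or None
    return ("PKCS#8" if label == "PRIVATE KEY" else "traditional"), cipher

# Constructed samples: header bytes only, zeroed salt/IV, no real key material.
SAMPLE_PKCS8 = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\n" + base64.b64encode(bytes.fromhex(
    "3027301b06092a864886f70d01050a300e0408" + "00" * 8 + "020203e80408" + "00" * 8)).decode()
    + "\n-----END ENCRYPTED PRIVATE KEY-----\n")
SAMPLE_TRADITIONAL = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    "DEK-Info: DES-EDE3-CBC,0000000000000000\n\nAAAA\n-----END RSA PRIVATE KEY-----\n")
```

Calling `describe_key(open(path).read())` on each key file shows at a glance whether two files differ in container format, in encryption scheme, or in both.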