Forum Discussion
Ben_Skolmoski_1
Nimbostratus
Sep 14, 2006
Unable to import SSL Key using "key_import_from_pem"
I am trying to import a key using key_import_from_pem(...);
and keep getting the following error:
System.Web.Services.Protocols.SoapHeaderException: Exception caught in Management::KeyCertificate::key_import_from_pem()
Exception: Common::OperationFailed
primary_error_code : -7 (0xFFFFFFF9)
secondary_error_code : 0
error_string : error:0906D06C:PEM routines:PEM_read_bio:no start line
The key was generated on another BigIP using key_generate(...); and then exported using key_export_to_pem(...); So the format should be correct. Let me know what i can try.
Thanks,
13 Replies
- That error message comes from our ssl libraries when trying to load the content of the supplied key. Are you returning the same string as the one returned from the key_export_to_pem() method, or are you storing it and reloading it later? Could it be there are extra newlines or something else in it that is different from the original value returned? Without more details it's hard for us to diagnose any issues. Also, your dev environment will help us try to reproduce your issue, as each client environment behaves a bit differently when debugging.
Any code snippets you can supply would help us also.
-Joe
- Ben_Skolmoski_1
Nimbostratus
I am using C.
Code to gen and retrieve the key:
// Describe the key to generate: an RSA private key, 1024 bits, stored under the id "test".
ManagementKeyCertificateKey[] keys = new ManagementKeyCertificateKey[1];
keys[0] = new ManagementKeyCertificateKey();
keys[0].id = "test";
keys[0].key_type = ManagementKeyCertificateKeyType.KTYPE_RSA_PRIVATE;
keys[0].bit_length = 1024;
keys[0].security = ManagementKeyCertificateSecurityType.STYPE_NORMAL;
// Subject fields used for the optional certificate and CSR.
ManagementKeyCertificateX509Data[] x509Data = new ManagementKeyCertificateX509Data[1];
x509Data[0] = new ManagementKeyCertificateX509Data();
x509Data[0].common_name = "test.com";
x509Data[0].country_name = "US";
x509Data[0].division_name = "Test";
x509Data[0].locality_name = "Test";
x509Data[0].organization_name = "Test";
x509Data[0].state_name = "Utah";
// Ids of the keys to export afterwards (same id as above).
string[] saCsrIds = new string[1];
saCsrIds[0] = "test";
// Generate the key (plus certificate and CSR, per the flags), then export the key as PEM text.
mng.key_generate (ManagementKeyCertificateManagementModeType.MANAGEMENT_MODE_DEFAULT, keys, x509Data, true, true);
string[] saKey = mng.key_export_to_pem(ManagementKeyCertificateManagementModeType.MANAGEMENT_MODE_DEFAULT, saCsrIds);
string sReturnKeyText = null;
foreach(string sKeyText in saKey)
{
    sReturnKeyText = sKeyText;
}
Code used to import key:
// Import the stored PEM text under the same id.
string[] KeyIds = new string[1];
KeyIds[0] = "test";
string[] saKeyText = new string[1];
saKeyText[0] = sReturnKeyText;
mng.key_import_from_pem(ManagementKeyCertificateManagementModeType.MANAGEMENT_MODE_DEFAULT, KeyIds, saKeyText, true);
The key is stored in a database and pulled out when it is needed for the import. This does not seem to be a problem, since if I generate the key on one BigIP, delete that key, and then let my app import that key, it is fine. The only time I see the error is if I try to import the key to a different BigIP.
Thanks for the quick response.
- So, it looks like you passed in the create_optional_cert_csr flag in key_generate() to enable creation of a certificate and certificate request (CSR). This will generate a key and certificate on device 1.
You then are downloading the key from device one and it works when you upload it to device 1. But when you try to upload it to device 2 you are getting this error. Could it be that the key is tied to the certificate created in the key_generate() command? I'm not super familiar with the underlying libraries in this code so I'll check on this but that is my initial thought. When I get an update I'll let you know.
-Joe
- Ben_Skolmoski_1
Nimbostratus
I am putting the key and cert on device 2 to keep them in sync. If there is a better way to do this let me know.
- Loc_Pham_101863
Historic F5 Account
Use the archive operations, which will grab keys, certs, csrs...
Loc
- Ben_Skolmoski_1
Nimbostratus
I am not seeing anything in the API that corresponds with what you have mentioned. Maybe you could post a sample or point me in the right direction.
- Loc_Pham_101863
Historic F5 Account
You can use one of the following methods:
export_all_to_archive_file
import_all_from_archive_file
export_all_to_archive_stream
import_all_from_archive_stream
export_to_archive_file
import_from_archive_file
export_to_archive_stream
import_from_archive_stream
Loc
- Ben_Skolmoski_1
Nimbostratus
Using export_to_archive_stream & import_from_archive_stream came back with the same results:
Exception caught in Management::KeyCertificate::import_from_archive_stream()
Exception: Common::OperationFailed
primary_error_code : -7 (0xFFFFFFF9)
secondary_error_code : 0
error_string : error:0906D06C:PEM routines:PEM_read_bio:no start line
I also did some further testing and generated a key using openssl. If I encrypt the key using a password I get the following error:
Management::KeyCertificate::key_import_from_pem()
Exception: Common::OperationFailed
primary_error_code : -7 (0xFFFFFFF9)
secondary_error_code : 0
error_string : error:04065072:rsa routines:RSA_EAY_PRIVATE_DECRYPT:padding check failed.
I am guessing this is because it does not have the correct password; unfortunately I have not found a way to pass a password in for the key.
If I do not encrypt the key, the key imports but then shows the size as 0 bits, and thus I cannot use the key.
Let me know if you have any other ideas or if you have even been able to duplicate what I am trying to do.
Thanks,
- Ben_Skolmoski_1
Nimbostratus
Please let me know if this is the proper place to be receiving support for this issue. I had the following case C294649 open with the support department but they closed it and told me I had to post my problems here. Please let me know how to resolve this issue.
Thanks,
- venafi,
I'll try to take a further look at this but it will be difficult for us to test your exact environment as we are volunteers from the dev organization and typically don't have access to additional hardware with test environments for each version that a customer may be running.
Just to get this right:
1) Create key on device 1 - OK
2) Export key on device 1 - OK
3) Import key on device 1 - OK
4) Import key on device 2 - ERROR
You mentioned that you are importing both the certificates and keys to the backup device but you didn't include code for that. Are you calling the cert commands to export and import to and from pem format as well? I guess this really doesn't matter if you are using the export all commands that Loc pointed out.
I'll spend some time today trying to recreate and get you an update.
Sorry about the confusion with support, we'll do our best to work this out.
-Joe
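Joe's first reply asks whether the string reaching key_import_from_pem() is still byte-for-byte what key_export_to_pem() returned (extra newlines, storage round-trips), and Ben's later post adds two more outcomes: a passphrase-protected key that fails with a padding error, and a key that imports but reports 0 bits. The script below is an added example, not code from this thread or from F5's iControl SDK. It inspects a PEM string the way one would before trusting an import: it flags escaped or CRLF newlines, reports the OpenSSL "no start line" condition when no BEGIN/END block survives, detects the traditional "Proc-Type: 4,ENCRYPTED" header and PKCS#8 "ENCRYPTED PRIVATE KEY" labels, and for an unencrypted PKCS#1 key reads the modulus length straight out of the DER so a 0-bit result can be caught client-side. The function names and the sample key are assumptions of this example; the sample is a constructed, truncated RSAPrivateKey structure (128-bit modulus, no private components) built only to exercise the parser.

```python
"""Sanity-check a PEM private key string before handing it to an import API.

Added example; not code from the DevCentral thread or from F5's iControl SDK.
"""
import base64
import binascii
import re

# A PEM block: BEGIN line, body (optional RFC 1421 headers + base64), matching END line.
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)\n-----END \1-----", re.DOTALL)


def _der_read_len(buf: bytes, i: int):
    """Return (length, index_after_length) for a DER length field at buf[i]."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def _der_read_int(buf: bytes, i: int):
    """Return (value, index_after) for a DER INTEGER at buf[i]."""
    if buf[i] != 0x02:
        raise ValueError("expected INTEGER tag at offset %d" % i)
    length, j = _der_read_len(buf, i + 1)
    return int.from_bytes(buf[j:j + length], "big", signed=True), j + length


def rsa_modulus_bits(der: bytes) -> int:
    """Bit length of the modulus n in an unencrypted PKCS#1 RSAPrivateKey.

    RSAPrivateKey ::= SEQUENCE { version INTEGER, modulus INTEGER, ... }
    Only the first two fields are read, so a truncated structure still parses.
    """
    if not der or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, i = _der_read_len(der, 1)
    _version, i = _der_read_int(der, i)
    n, _ = _der_read_int(der, i)
    if n <= 0:
        raise ValueError("modulus is not a positive integer")
    return n.bit_length()


def inspect_pem(text: str) -> dict:
    """Report what an importer would see: label, encryption, modulus size, problems."""
    report = {"kind": None, "encrypted": False, "modulus_bits": None, "problems": []}
    if "\n" not in text and "\\n" in text:
        # Typical of a key that went through a storage layer which escaped its newlines.
        report["problems"].append("newlines stored as literal backslash-n")
        text = text.replace("\\n", "\n")
    text = text.replace("\r\n", "\n").strip()
    m = PEM_RE.search(text)
    if not m:
        report["problems"].append("no BEGIN/END block found (OpenSSL: no start line)")
        return report
    report["kind"] = m.group(1)
    headers, sep, b64 = m.group(2).partition("\n\n")
    if sep == "":  # no header block: the whole body is base64
        headers, b64 = "", headers
    if "Proc-Type: 4,ENCRYPTED" in headers or report["kind"] == "ENCRYPTED PRIVATE KEY":
        report["encrypted"] = True
        report["problems"].append("key is passphrase-protected; import without the passphrase will fail")
    try:
        der = base64.b64decode("".join(b64.split()), validate=True)
    except (binascii.Error, ValueError):
        report["problems"].append("body is not valid base64")
        return report
    if report["kind"] == "RSA PRIVATE KEY" and not report["encrypted"]:
        try:
            report["modulus_bits"] = rsa_modulus_bits(der)
        except (ValueError, IndexError) as exc:
            report["problems"].append("cannot read RSA modulus: %s" % exc)
    return report


def constructed_sample_pem() -> str:
    """Constructed test input: a truncated RSAPrivateKey (version, n, e only) with a 128-bit n."""
    n = (0xC3 << 120) | int.from_bytes(b"\x5a" * 15, "big")  # high bit set -> exactly 128 bits
    n_bytes = b"\x00" + n.to_bytes(16, "big")                # leading 0x00 keeps the INTEGER positive
    body = (b"\x02\x01\x00"                                  # version = 0
            + b"\x02" + bytes([len(n_bytes)]) + n_bytes      # modulus n
            + b"\x02\x03\x01\x00\x01")                       # publicExponent e = 65537
    der = b"\x30" + bytes([len(body)]) + body
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN RSA PRIVATE KEY-----\n" + "\n".join(lines) + "\n-----END RSA PRIVATE KEY-----\n"


if __name__ == "__main__":
    good = constructed_sample_pem()
    variants = {
        "as exported": good,
        "CRLF line endings": good.replace("\n", "\r\n"),
        "escaped newlines from storage": good.replace("\n", "\\n"),
        "damaged BEGIN line": good.replace("-----BEGIN", "----BEGIN"),
        "passphrase-protected": good.replace(
            "-----BEGIN RSA PRIVATE KEY-----\n",
            "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n"),
    }
    for name, pem in variants.items():
        print(name, "->", inspect_pem(pem))
```

Running the script prints a report for each constructed variant. The "damaged BEGIN line" case reproduces the situation behind the thread's error string, the "passphrase-protected" case corresponds to the padding-check failure Ben saw with an openssl-encrypted key, and comparing `modulus_bits` against the value the device reports after import is a cheap way to notice a key that arrived as 0 bits.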