We're using RSA bsafe sslc22 libraries to generate a PKCS#8 encrypted RSA private key for Apache 2.0.39 mod_ssl using openssl 0.9.6e. We can use the key in cleartext, but when we encrypt it Apache can't decrypt it.
The interesting thing is that the openssl rsa command can read the key file, but Apache 2.0.39 based on the same openssl 0.9.6e can't use the key file. Using openssl to read / decrypt the private key and then re-encrypting using the same passphrase produces a key that Apache can use. I tried this using both des and des3 encryption. Both work. Any ideas on how to get Apache to accept the original key from the RSA routines, or tweak the RSA code to produce a key Apache can use? Thanks!

I'd guess the issue is with the encryption algorithm or the header lines? The RSA key is an RSA private key encoded with PKCS#8 using SHA1 digest with DES-CBC in PEM format (RFC 1421 common headers and trailers, not the one that allows for variations).

Here's the encrypted private key as written by the RSA bsafe sslc22 application:

# more ssl.key/server.key
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIICoTAbBgkqhkiG9w0BBQowDgQIfkS8bOd+Y2kCAgPoBIICgK/Y7bTvu2Ja8Dez
kyb+rnxc6FEllLema2ZBziinAvCQ7/hjpUuQh35F+Vv+ZOPFRNfvJ1Saz7xyl/Oq
LIZp1fSyPwWAVHSBp+CgxXwvxDNcFAQOoiIzOMo8zF9+w0ZLPTuvVg6zPwB0r6Ga
1e0K8EngdxUvIO6+2G2ihR0iU8GufArScGFJ+5eFVn+8qgrbfAeMoaCENIX9j7uL
92jd+x76XLa9rkDzHUYbVj6EcPm4QlheE2Xwqexqj62k/q4DOcKqTHBrsj8RER4H
FYV89UPEIZwOta4xJ/7iezqJxWN+GinmNCRpNWPWpocEr1xXULYNFoiwRgpatpvx
Rm2yo2G5aG+7CI1XiCJS8JzSpqOZGEc2+OqwvFmIMf0V8wHVcwCaSak5qtcn09ia
YaipcdjEWpZuh1UwxFubqao8nRyhc1+0dPg8sGLEMXnoHo2g+hckN/TPZHxx0fM1
Z3RMJUzDX9tARdPRZZLiOxl2M6KjtItsVt78T7gDTfTvn/oqtLkEOsQNuN9aqfbT
lUUEG/OC9iHscug5QXrmokU/k5jLIiq+3P72VYUYCsgv7hn7SdKSzW1/PxqB96vE
xawXbDcBecx8lJFhhuJ8TOLyVGYLsG+DTKU+vep6hDniJqIw0aB37drd2mVPY2ow
PTV94uvAQyew/QPrWM75uol794euEyNHvyvO5tY7vc8Ns2iYIlGQAvw7A57jKSV4
Cq7Z2eNrFUT7D6K4LS/Vn+Rq4wAfeGydPHmag7sHvTGphf2C98NZxlGFkcd2Ksj8
LLCsYKNMxjrqgPcJehnf5NmVijkw8VC8gu6oeL2uVpMemkPeyy8rr9gFhS8OC1RS
j5TQ8MM=
-----END ENCRYPTED PRIVATE KEY-----

Here's the same key after decrypting and re-encrypting using the same passphrase using the following openssl command, i.e.

# openssl rsa -in ssl.key/server.key -des3 -out ssl.key/serverDes3.key
# more ssl.key/serverDes3.key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,730497D7F6F3D777

4rfgE6BO16NTOF2q+/HJAfG8g7LDwJ2QUIU/qBeNTV0oVCpl9XqpWfmxw9CnCoYe
WLnzPGsxMLC/ZDwy2KAUcIHVrZkN2TodY/B6trcdnRMcgx8LR097sZ0vRm10bnqG
a2M8BMmq+ie44YK9OdhTkT5s1M4RdLvMnEqqncmza2igBtjqgU0b7eqiQuSxJBFA
2oH71+TTwOP480v+yj14kKorjfTax8ImJBfdOkNNE7k/ZLr4Qwn60VbmaUFoIa2f
jqQ2QaLBXLL2Jmwgd5IlYIhput4o8yGjIaytOQYlE+UIbA8XCb2ahtvV0h/mgAs7
IAAonb2h4Js/6FswtIEfSx4U5xEdvv6REZuiLIQN7N5FyIsv3gder1GJ6KmzPGD/
JdrFKYd+klgiKchNFnkfeJyrRufmAuOHhLTKnzM0Kt33UylWsA6+n+wOrQUfOGNE
Cv0PRKmqtKLavCEMEB4PRvyO5M0SmezS4lmYV/InYYU66hheuTGkAQxndqUMot1j
sa7Ch4xI2K5I5z0tJrxoPVQ8k9joM6HNzlLgkwOTtHq567w2tlDNoCNQ1s5cSkBB
TDcWcmn13T+v9Z+Muz4JDQm9rGybSSpwhablgHALJx/ZEm3v3DTnoZsEKXcPLmXz
rYrKujhRRHMJPjvYJJTIcdeVf2WYmVB9FnsS3sfOKnhwlcsryUP05UYhd/Wg9Kvq
vuJW+uvs+SszVc8Lw6qumFf1PWXE40e22d7Nnxetaj7TvNnNpjXaIrrOd9lAV5cu
Ks9JRPz2ukwFfO1uiu7/AFIsPPWJ0OX1RX2duSo1l2Y3xsJ50iik/A==
-----END RSA PRIVATE KEY-----

For reference here is the key converted using openssl DES, i.e. same as above but using des instead of des3.

# openssl rsa -in ssl.key/server.key -des -out ssl.key/serverDes.key
# more ssl.key/serverDes.key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-CBC,97632E1FC12295B9

oTJlAO+8Jy/HyqgUegwnd8F7QUpjBmSgqIpmFqN++NVstkMythMvo4mHPxs2CbS2
eV3wkWsy++2/L4LOTiN3TnEjvutc6zc57XxWkCi3BVxVmc6fPm0uoZ4CeGHRy8lY
Km1XER9ruhwpgPNKS1eLPB+AZABsFnQrZ6kLBA6sBJV4h/RZv1yJKYAyhN/5jQNH
OGRPf2O1C6G6+SGIYcW77vpGT/6E9GkogfV8fuRJJTGFhliEUtoySqNGwiky96MY
u2+3s97H5Ayyxcn6bzVikaMYGBBBhoGH07BA7vkMe5IUPxLdS8ttxCDyBGJSNu+r
bQfiJK9/H5ySfC8cuqmXqkthDafpd6H7+Ycrw35tRG5QLYUgvWxNoUVStO4EM8Oh
h6jIoOlXf1WIBN1FQo6o12vUSDzZVAypmi4KXlgKKISVW3GxSTA3DzByGqb2h6s8
sn+vBOY+6llU8bnzlGv+qWdm3wdBHxmrqhWzT6tQhFKSW4zs9QCmIHull5WmH3eM
P1RDICj7fmdR1E6uW5K6Z+YTzVAqDepgZfsQfWL0/QP23WE/beVrDnk6QnERgsU7
MfJIUn2F8MFpUf6zqhhaAa5Bctt79OTuw44dQ823O48/yy61Rq5Dy8X+KI74/RyN
Wkr4TBdptSQrdk327zIM7V24WOs034QWA0jVDwKCTCsO+J3dndtMvLkIavRq8srO
72uzdOEcIVqps44W2/0K4syp05qvQo1xdjbHvAxsueHuIzepYo1kRuHy4Mn+KdBw
nhezG1HS8jB6oXozjM9FCqD7NbdJo/R0R/NQgw3XprSkXz2z1zxTvw==
-----END RSA PRIVATE KEY-----

Here's a default server key I generated through openssl independent of the RSA application, not specifying a specific encryption, for reference:

# more ssl.key/serverDefault.key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,FE82F2B632D9E58F

fUKPwuaWTnXju1Zisx/Ore1CxOmmk/wwR6MwmOXsJKgBKRxFQXc0RUJVJPuarqdN
vRkcZoY0nvRrURqe6GayxjZmn+Tl48y1RCSaVCjfHx9zsN0+T3mrbo+HmbSFI33P
<snip>

Incidentally, we're using an executable program to produce the Pass Phrase for decrypting the private key, specified in the directive:

SSLPassPhraseDialog
http://httpd.apache.org/docs-2.0/mod/mod_ssl.html#sslpassphrasedialog

That's unrelated to our problem though, since after we decrypt / re-encrypt with the openssl command line tool the Pass Phrase program starts up the server no problem.

Later,
"A rainbow is only part of a circle."
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
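The two key files quoted above differ in how they announce their encryption: the bsafe key is a PKCS#8 EncryptedPrivateKeyInfo whose cipher, salt and iteration count are inside the DER (a PKCS#5 PBES1 AlgorithmIdentifier), while the re-encrypted OpenSSL keys carry the cipher and IV in RFC 1421 style Proc-Type/DEK-Info headers. The following Python script is an added example, not code from the post, mod_ssl or OpenSSL; it tells the two formats apart by parsing those headers and, for the PKCS#8 form, the leading DER structure. The helper names (describe_key, _tlv, _oid) are made up here, and the sample inputs are the first two keys from the post cut to their first body line (only the leading bytes are parsed, so the truncation does not matter).

```python
import base64
import re
# PKCS#5 PBES1 OIDs; the post's key uses the first one (SHA-1 KDF, DES-CBC)
PBES1_OIDS = {"1.2.840.113549.1.5.10": "pbeWithSHA1AndDES-CBC",
              "1.2.840.113549.1.5.3": "pbeWithMD5AndDES-CBC"}
# Constructed samples: the first two keys quoted in the post, cut to their first body line
PKCS8_KEY = """-----BEGIN ENCRYPTED PRIVATE KEY-----
MIICoTAbBgkqhkiG9w0BBQowDgQIfkS8bOd+Y2kCAgPoBIICgK/Y7bTvu2Ja8Dez
-----END ENCRYPTED PRIVATE KEY-----"""
TRADITIONAL_KEY = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,730497D7F6F3D777

4rfgE6BO16NTOF2q+/HJAfG8g7LDwJ2QUIU/qBeNTV0oVCpl9XqpWfmxw9CnCoYe
-----END RSA PRIVATE KEY-----"""

def _tlv(buf, pos):  # minimal DER reader: (tag, value, position after the element)
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _oid(value):  # DER OBJECT IDENTIFIER content bytes -> dotted string
    parts, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)

def describe_key(pem):  # traditional OpenSSL PEM vs PKCS#8, plus how it is encrypted
    m = re.search(r"-----BEGIN ([^-]+)-----(.*?)-----END \1-----", pem, re.S)
    label, body = m.group(1), m.group(2)
    headers = dict(re.findall(r"^(Proc-Type|DEK-Info): (.*)$", body, re.M))
    der = base64.b64decode("".join(l for l in body.splitlines() if l and ":" not in l))
    if label == "ENCRYPTED PRIVATE KEY":
        # EncryptedPrivateKeyInfo ::= SEQUENCE { AlgorithmIdentifier, OCTET STRING }
        _, algid, _ = _tlv(_tlv(der, 0)[1], 0)
        _, oid, p = _tlv(algid, 0)
        _, params, _ = _tlv(algid, p)  # PBES1: SEQUENCE { salt OCTET STRING, iterations INTEGER }
        _, salt, p = _tlv(params, 0)
        _, iters, _ = _tlv(params, p)
        return {"format": "pkcs8", "cipher": PBES1_OIDS.get(_oid(oid), _oid(oid)),
                "salt": salt.hex().upper(), "iterations": int.from_bytes(iters, "big")}
    cipher, _, iv = headers.get("DEK-Info", "").partition(",")  # RFC 1421 style header, not DER
    return {"format": "traditional", "encrypted": headers.get("Proc-Type") == "4,ENCRYPTED",
            "cipher": cipher, "iv": iv}
```

Running describe_key on the bsafe key reports pbeWithSHA1AndDES-CBC with a 1000-iteration PBES1 KDF, which matches the "PKCS#8 using SHA1 digest with DES-CBC" description in the post and is a quick way to confirm which of the two formats a server has been handed.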
