On Wed, 2005-08-31 at 10:57 +0100, Chris Covell wrote:
> Hello there,
>
> can you do some tests please ?
>
> Using OpenSSL can you dump the CA private key using the CA password ? If
> you can't, then this is some sort of problem with the key pem file (are
> you sure that it is the same as the original, i.e. is a binary copy, I
> am thinking of cr/lf type issues).
>
> Are you sure that you copied the CA private key, chain and certificate
> files to the correct place when you recovered your backup ?
>
> Chris...
>
> Jorge I. Davila L. wrote:
<snip>

Thank you for the response. I've been working with Jorge on this problem. We work together for both this client and on the related open source ISCS network security management project (http://iscs.sourceforge.net).

This smells like a lost password problem, especially since we cannot unlock it from the command line using openssl, except that it affects three separate CAs using two different passwords and, although we cannot sign certificates, we can sign the configuration using the CA private key (/ca Configuration/SignTheConfiguration). The key has not been copied or restored. Has anyone experienced the CA key password suddenly failing without change, but only for signing requests and not configurations?

If we go to var/crypto/keys and attempt "openssl rsa -in cakey.pem -check" (we've also tried with the full pathname), after entering the passphrase we receive:

    unable to load Private Key
    4029:error:06065064:digital envelope routines:EVP_DecryptFinal:bad decrypt:evp_enc.c:509:
    4029:error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c:423:

We are assuming this is a password problem. We have copied the key to a different computer and tried the same procedure with openssl versions 0.9.7f and 0.9.7a. 0.9.7a is the version on the CA. We receive the same error when we try to unlock the backup copy of the key. A diff between the production and backup keys shows no differences.

We have three CAs running on this one Xen virtual machine built on Fedora Core 3, each with their own file system under /usr/local/OpenCA. CA1 and CA3 use passphrase1 and CA2 uses passphrase2 to protect their private keys. The passphrases contain the characters [EMAIL PROTECTED] as well as caps, lower case and numbers. There are no spaces.

Here is a brief history:

    Create CAs and associated RAs, Pubs and Nodes.
    Issue several PKCS#12 packages
    Backup all
    Issue one additional PKCS#12 package on CA2 using passphrase2
    Update the kernel (xen 2.0.5 to xen 2.0.7) and expand one of the logical volumes and its file system
    Revert to the old kernel - problem remains

This leads us to several conclusions:

1) We know the key in backup worked with passphrase2 because it was used to generate a subsequent cert with no system changes in between.
2) The production system changes have not produced the problem, as the pre-change, backed up key has the same problem.
3) The key has not been corrupted, since there is no diff from the backup key and the backup key successfully signed a certificate.

I was ready to conclude that we had used a third passphrase for all the CAs and forgotten it (that would explain why both passphrases fail and why we can't unlock it using openssl) until we saw that we could sign the configuration with the CA key and the assumed passphrase!!!!

This has become a major production issue for us. Can anyone explain what we are seeing? Better yet, does anyone know how to fix it??

Thanks - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
[EMAIL PROTECTED]
Financially sustainable open source development
http://www.opensourcedevel.com
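The checks discussed in this thread (byte-compare the production key against its backup, look for CR/LF damage from a non-binary copy, then try the passphrase with openssl and watch for "bad decrypt") can be scripted so that each failure mode gets a distinct verdict. The script below is an added example and is not code from the thread or from OpenCA; it assumes an openssl CLI (1.1 or 3.x) in PATH, and every file path and passphrase in it is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original thread): tells a wrong passphrase apart
# from a damaged PEM CA key using the three checks the thread describes.
# Assumes the openssl CLI is installed; all paths/passphrases are constructed.

# 0 if FILE contains carriage returns (DOS line endings), 1 otherwise.
has_crlf() {
    stripped=$(tr -d '\r' < "$1" | wc -c | tr -d ' ')
    raw=$(wc -c < "$1" | tr -d ' ')
    [ "$stripped" -ne "$raw" ]
}

# Prints the PEM label of the first block in FILE (e.g. "RSA PRIVATE KEY").
pem_label() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1
}

# 0 if the encrypted key in FILE decrypts with PASSPHRASE, non-zero otherwise.
# A wrong passphrase makes openssl fail with "bad decrypt", as seen in the thread.
key_unlocks() {
    openssl rsa -in "$1" -check -noout -passin "pass:$2" >/dev/null 2>&1
}

# Classifies KEY against BACKUP and PASSPHRASE. Prints a verdict and returns:
#   0 key unlocks   1 key differs from backup   2 CR/LF damage   3 bad passphrase
diagnose() {
    key="$1"; backup="$2"; passphrase="$3"
    if ! cmp -s "$key" "$backup"; then
        echo "DIFFERS: $key is not byte-identical to $backup (corruption or wrong copy)"
        return 1
    fi
    if has_crlf "$key"; then
        echo "CRLF: $key contains carriage returns; re-copy it in binary mode"
        return 2
    fi
    if key_unlocks "$key" "$passphrase"; then
        echo "OK: $(pem_label "$key") in $key unlocks with the supplied passphrase"
        return 0
    fi
    echo "BAD PASSPHRASE: $key is intact and identical to its backup but does not decrypt"
    return 3
}

# Builds a constructed, passphrase-protected RSA key at FILE for the demo only.
make_test_key() {
    openssl genrsa -aes256 -passout "pass:$2" -out "$1" 2048 >/dev/null 2>&1
}

# Demonstration: exercises every verdict on throw-away keys in a temp directory.
demo() {
    dir=$(mktemp -d)
    make_test_key "$dir/cakey.pem" passphrase2
    cp "$dir/cakey.pem" "$dir/cakey.bak"
    # A copy with DOS line endings, as from a text-mode transfer.
    awk '{ printf "%s\r\n", $0 }' "$dir/cakey.pem" > "$dir/cakey.dos"

    diagnose "$dir/cakey.pem" "$dir/cakey.bak" passphrase2   # returns 0
    diagnose "$dir/cakey.pem" "$dir/cakey.bak" passphrase1   # returns 3
    diagnose "$dir/cakey.dos" "$dir/cakey.dos" passphrase2   # returns 2
    diagnose "$dir/cakey.pem" "$dir/cakey.dos" passphrase2   # returns 1
    rm -rf "$dir"
}

demo
```

Run it as `sh diagnose_cakey.sh`; in real use call `diagnose /usr/local/OpenCA/var/crypto/keys/cakey.pem /path/to/backup/cakey.pem "$PASSPHRASE"` with the live paths. The order of the checks matters: a file that differs from its backup or carries CR/LF is reported before any decrypt attempt, so a "bad passphrase" verdict is only reached once the file itself has been ruled out, which is exactly the situation the thread describes (identical backup, no diff, still "bad decrypt").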
