[WebappSecure/Mykonos] JWAS complains about "Invalid private key" although the ssl key works fine on other network devices

  [KB28899]

This KB describes the scenarios that cause the SSL key to fail on a JWAS/Webappsecure device and the steps to resolve them.
JWAS is not able to load the private SSL key of the protected web server. The error message seen is "Please correct the following validation errors. applications.<application_name>.ssl.key: Invalid private key. The file must be in PEM format, and contain a valid RSA private key."

JWAS performs the following 3 validation checks behind the "Invalid private key" message:
- validates the key through "openssl rsa -in <filename> -check" on the command line
- verifies that the private key begins with the "-----BEGIN RSA PRIVATE KEY-----" header
- verifies that the private key does not require a password

If any of these steps fail, the key is rejected by JWAS.

NOTE: The private key format supported by JWAS is PKCS#1 in PEM encoding, not PKCS#8.

So generate the private key in the supported format and verify that the key starts with the "-----BEGIN RSA PRIVATE KEY-----" header.

If PKCS#8 is used, the header will be "-----BEGIN PRIVATE KEY-----", which is incorrect.

Steps to verify:
1. Through CLI or SFTP, navigate to /etc/mykonos/certs/ and check whether the SSL key is present. If the key is not loaded, it is unlikely to be present.
2. Transfer the SSL key to any location such as /tmp and run the openssl command on the JWAS CLI with the syntax below, replacing the key name appropriately:
"openssl rsa -in /etc/mykonos/certs/<key-name>.key -check" and check whether the output says "RSA key ok"

[mykonos@JWAS-88 ~]$ openssl rsa -in /etc/mykonos/certs/3047821898.key -check
RSA key ok
writing RSA key

Note that for a PKCS#8 key, the output "writing RSA key" is still seen, and because the "rsa" option is used in the openssl command, the header shows up as "-----BEGIN RSA PRIVATE KEY-----". However, if the "RSA key ok" message is not seen for the openssl check, the key is not correct and validation fails.
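
The three checks listed above can be run against the original key file before it is uploaded. The script below is an added example, not Juniper's code or the JWAS validation routine; the function names classify_key and preflight_key are hypothetical, and it assumes a passphrase-protected PKCS#1 key carries the traditional "Proc-Type: 4,ENCRYPTED" PEM line.

```shell
#!/bin/sh
# Added example: local pre-upload check mirroring the three JWAS validations.

# Print the key type from the PEM header; CRLF line endings are tolerated.
classify_key() {
    [ -r "$1" ] || { echo "unknown"; return 0; }
    first=$(tr -d '\r' < "$1" | sed -n '/^-----BEGIN /{p;q;}')
    case "$first" in
        "-----BEGIN RSA PRIVATE KEY-----")
            # Assumption: traditional PEM encryption is flagged by this line
            if tr -d '\r' < "$1" | grep -q '^Proc-Type: 4,ENCRYPTED'; then
                echo "pkcs1-encrypted"
            else
                echo "pkcs1"
            fi ;;
        "-----BEGIN PRIVATE KEY-----")           echo "pkcs8" ;;
        "-----BEGIN ENCRYPTED PRIVATE KEY-----") echo "pkcs8-encrypted" ;;
        *)                                       echo "unknown" ;;
    esac
}

# Return 0 only if header, password and openssl checks all pass.
preflight_key() {
    kind=$(classify_key "$1")
    case "$kind" in
        pkcs1) ;;
        pkcs1-encrypted) echo "REJECT: key requires a password"; return 1 ;;
        pkcs8*) echo "REJECT: PKCS#8 header, JWAS expects PKCS#1"; return 1 ;;
        *) echo "REJECT: no PEM private key header found"; return 1 ;;
    esac
    # Same consistency check the article runs on the JWAS CLI
    if openssl rsa -in "$1" -check -noout 2>&1 | grep -q 'RSA key ok'; then
        echo "OK: PKCS#1 PEM, no password, RSA key ok"
    else
        echo "REJECT: openssl rsa -check did not report 'RSA key ok'"
        return 1
    fi
}

if [ $# -gt 0 ]; then
    preflight_key "$1"
else
    # Constructed sample: header-only PKCS#8 file, no real key material
    tmp=$(mktemp)
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' '-----END PRIVATE KEY-----' > "$tmp"
    preflight_key "$tmp" || true
    rm -f "$tmp"
fi
```

Because the header is read from the file itself rather than from the "openssl rsa" output, a PKCS#8 key is flagged even though the openssl check alone would print "RSA key ok" for it.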
