[WebappSecure/Mykonos] JWAS complains about "Invalid private key" although the ssl key works fine on other network devices

[KB28899]


Summary:
This KB article describes the scenarios that cause an SSL private key to fail validation on a JWAS/WebApp Secure device and the steps to resolve the problem.
Symptoms:
JWAS is not able to load the private SSL key of the protected web server. The error message seen is "Please correct the following validation errors. applications.<application_name>.ssl.key: Invalid private key. The file must be in PEM format, and contain a valid RSA private key."



Cause:
JWAS performs the following three validation checks before it reports "Invalid private key":
- validates the key with "openssl rsa -in <filename> -check" on the command line
- verifies that the private key begins with the "-----BEGIN RSA PRIVATE KEY-----" header
- verifies that the private key does not require a password

If any of these steps fail, the key is rejected by JWAS.

Solution:
NOTE: JWAS supports private keys in PKCS#1 format with PEM encoding only; PKCS#8 is not supported.

So generate the private key in the supported format and verify that it starts with the "-----BEGIN RSA PRIVATE KEY-----" header.

If PKCS#8 is used, the header will be "-----BEGIN PRIVATE KEY-----", which JWAS rejects.

Steps to verify:
1. Through the CLI or SFTP, navigate to /etc/mykonos/certs/ and check whether the SSL key is present; if the key failed to load, it is unlikely to be there.
2. Transfer the SSL key to a location such as /tmp and run the openssl command on the JWAS CLI with the syntax below, replacing the key name appropriately:
"openssl rsa -in /etc/mykonos/certs/<key-name>.key -check" and confirm that the output says "RSA key ok".

example:
[mykonos@JWAS-88 ~]$ openssl rsa -in /etc/mykonos/certs/3047821898.key -check
RSA key ok
writing RSA key

Note that for a PKCS#8 key the output will still include "writing RSA key", and because the "rsa" option is used, the key that openssl writes out will carry the "-----BEGIN RSA PRIVATE KEY-----" header. Neither of these indicates a valid key: if the "RSA key ok" message is not printed by the check, the key is not correct and validation fails.
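The three checks listed under Cause, and the verification steps above, can be run against a key file before it is uploaded. The following script is an added example, not JWAS code: it reproduces the header and password checks on the original file text and, when openssl is installed, runs the same "openssl rsa -check" command JWAS uses. The PEM samples are constructed; their base64 bodies are placeholders, only the headers are real.

```python
"""Mirror the three JWAS private-key validations so a key can be checked before upload."""
import re
import shutil
import subprocess
from typing import List, Optional

PKCS1_HEADER = "-----BEGIN RSA PRIVATE KEY-----"            # the only header JWAS accepts
PKCS8_HEADER = "-----BEGIN PRIVATE KEY-----"                # unencrypted PKCS#8: rejected
PKCS8_ENC_HEADER = "-----BEGIN ENCRYPTED PRIVATE KEY-----"  # encrypted PKCS#8: rejected


def static_checks(pem: str) -> List[str]:
    """Return the reasons JWAS would reject the key text; an empty list means the
    header and password checks pass (the openssl check still has to run)."""
    problems = []
    m = re.search(r"^-----BEGIN [A-Z ]+-----$", pem, re.M)
    header = m.group(0) if m else ""
    if header == PKCS8_HEADER:
        problems.append("PKCS#8 header; JWAS requires PKCS#1 (BEGIN RSA PRIVATE KEY)")
    elif header == PKCS8_ENC_HEADER:
        problems.append("encrypted PKCS#8 key; JWAS requires an unencrypted PKCS#1 key")
    elif header != PKCS1_HEADER:
        problems.append("no PEM PKCS#1 header found (got %r)" % header)
    # A PKCS#1 key protected with a passphrase carries Proc-Type/DEK-Info lines
    if re.search(r"^Proc-Type: 4,ENCRYPTED", pem, re.M):
        problems.append("key requires a password (Proc-Type: 4,ENCRYPTED)")
    return problems


def openssl_check(path: str) -> Optional[bool]:
    """Run the same 'openssl rsa -in <file> -check' that JWAS runs.
    True = 'RSA key ok' was printed, False = it was not, None = openssl not installed.
    The empty -passin stops an encrypted key from prompting; it fails instead."""
    if shutil.which("openssl") is None:
        return None
    res = subprocess.run(
        ["openssl", "rsa", "-in", path, "-check", "-noout", "-passin", "pass:"],
        capture_output=True, text=True)
    return res.returncode == 0 and "RSA key ok" in (res.stdout + res.stderr)


# Constructed samples: real headers, placeholder bodies (not usable keys).
PKCS1_SAMPLE = "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEA...placeholder...\n-----END RSA PRIVATE KEY-----\n"
PKCS8_SAMPLE = "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkq...placeholder...\n-----END PRIVATE KEY-----\n"
ENCRYPTED_PKCS1_SAMPLE = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                          "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n...placeholder...\n"
                          "-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    for name, text in [("PKCS#1", PKCS1_SAMPLE), ("PKCS#8", PKCS8_SAMPLE), ("encrypted", ENCRYPTED_PKCS1_SAMPLE)]:
        print(name, "->", static_checks(text) or "header/password checks pass")
```

Run static_checks on the file as stored on disk, not on what "openssl rsa" writes out, since the rewritten key always carries the PKCS#1 header. Converting a PKCS#8 key with "openssl rsa -in in.key -out out.key" yields PKCS#1 on OpenSSL 1.x; OpenSSL 3.x needs the additional "-traditional" option.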
