Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[WebappSecure/Mykonos] JWAS complains about "Invalid private key" although the ssl key works fine on other network devices

0

0

Article ID: KB28899 KB Last Updated: 07 Apr 2014Version: 1.0
Summary:
This KB about the scenarios which make the SSL key to fail on JWAS/Webappsecure device and steps to resolve
Symptoms:
JWAS is not able to load the private SSL key of protected webserver. The error message seen is "Please correct the following validation errors. applications.<application_name>.ssl.key: Invalid private key. The file must be in PEM format, and contain a valid RSA private key."



Cause:
Below are the 3 validation checks performed by JWAS for the “Invalid Private Key” message:
- validates the key  through “openssl rsa -in <filename> -check” on the command line
- verifies that the private key begins with "-----BEGIN RSA PRIVATE KEY-----“ header
- verifies that the private key does not require a password

If any of these steps fail, the key is rejected by JWAS.

Solution:
NOTE: The supported private key format by JWAS is PKCS#1 with encoding as PEM format and not PKCS#8

So generate the private key as per supported format and verify that the key starts with "-----BEGIN RSA PRIVATE KEY-----“ header

If PKCS#8 is used, the header will be “-----BEGIN PRIVATE KEY-----“ which is incorrect.

Steps to verify:
1. Through CLI or SFTP, navigate to /etc/mykonos/certs/ and see if the ssl key is present, if they key is not loaded then its unlikely to be present
2. Transfer the ssl key to any location like /tmp and run the openssl command on JWAS CLI with below syntax replacing the key-name appropriately
“openssl rsa -in /etc/mykonos/certs/<key-name>.key –check” and notice if the output says “RSA key ok”

example:
[mykonos@JWAS-88 ~]$ openssl rsa -in /etc/mykonos/certs/3047821898.key -check
RSA key ok
writing RSA key

note that for PKCS#8 key, we will see the output “writing RSA key” and since “rsa” option is used in openssl command, the header will show up as "-----BEGIN RSA PRIVATE KEY-----“ but if “RSA key ok” message is not seen for the openssl check, then the key is not correct and validation fails.

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search