10-20-2010 09:18 AM
All:
This is driving me bloody crazy...
So we have a number of certificates that we have exported from an ACE module and need to have imported to these CSM-SSL modules. Problem is, I can't for the life of me get it to accept the keys. It continually gives me "Invalid PEM Header"...
Has anyone encountered this?
10-20-2010 09:35 AM
Hey Buddy,
My best guess according to your description is that the keys on your ACE modules were uploaded in the decrypted format; CSM-S or SSLM will only accept encrypted keys.
You can encrypt the key using OpenSSL: just copy the text into Notepad, put it into the bin folder (C:/OpenSSL/bin) and encrypt it using this command:
OpenSSL> rsa -in decrypted_key.pem -out encrypted_key.pem -des3
The new encrypted key should be found within the same folder.
HTH
__ __
Pablo
10-20-2010 10:10 AM
Thanks... that's what I'd kind of thought before, and had used openssl to encrypt (3des) the key and tried it before, and then it gave me "Invalid PEM Boundary"....
Any thoughts?
10-20-2010 10:26 AM
Hmmm weird,
Are you using the quit command after copying/pasting the public and private key?
SSLM-1(config)#crypto key import rsa Mykey general-purpose exportable terminal
% Enter PEM-formatted public General Purpose key or certificate.
% End with a blank line or "quit" on a line by itself.
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDEdkj*ajknJKLD+-FS
IVqL+K2woD9VI+XX97fOrAvJdESj/o9VpUhuRSKm3CQAVTec8ymJPcv+6tjuOgf2
1/uGnNKV4xsIV/3GUQIDAQAB
-----END PUBLIC KEY-----
quit
% Enter PEM-formatted encrypted private General Purpose key.
% End with "quit" on a line by itself.
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,B4E43A7E35A05EBD
qARvas9eklaxZhmlBTWNr86GM+w3+DSrnJP5ZsEMR9tvSX76LKUXL8hJjeXeL+Xu
NZacCeGgFs8jZdTZSrUxi7F+W+ruMyp3cfInp5jkg38PsqgcEeQNYEL570ya5jji
EQyiN+KygjRU0ZmFbRgxHkxJUdhyl0xMLOuNQYFZs2WTBBxoqQSa+A==
-----END RSA PRIVATE KEY-----
quit
% Key pair import succeeded.
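An added example, not part of any post in this thread and not Cisco's code: a pre-flight check to run on a PEM block before pasting it into `crypto key import ... terminal`, covering the boundary lines and the `Proc-Type`/`DEK-Info` headers that mark an encrypted key. It assumes the traditional OpenSSL PEM layout shown in the session above; `check_pem`, its messages and the sample key are constructed for illustration, and the module's own parser may apply different rules.

```python
import base64
import binascii
import re

# Boundary shape used in the session above: five dashes, BEGIN/END, a label, five dashes.
BOUNDARY = re.compile(r"^-----(BEGIN|END) ([A-Z0-9 ]+)-----$")

def check_pem(text, require_encrypted=False):
    """Return a list of problems in one PEM block; an empty list means it looks well-formed."""
    problems = []
    if "\r" in text:
        problems.append("CR characters present (Windows line endings)")
    lines = text.replace("\r", "").split("\n")
    while lines and lines[-1] == "":
        lines.pop()
    if len(lines) < 3:
        return problems + ["too short to be a PEM block"]
    for n, line in enumerate(lines, 1):
        if line != line.strip():
            problems.append(f"line {n}: leading or trailing whitespace")
    lines = [line.strip() for line in lines]
    begin, end = BOUNDARY.match(lines[0]), BOUNDARY.match(lines[-1])
    if not begin or begin.group(1) != "BEGIN":
        problems.append("first line is not a -----BEGIN <label>----- boundary")
    if not end or end.group(1) != "END":
        problems.append("last line is not an -----END <label>----- boundary")
    if begin and end and begin.group(2) != end.group(2):
        problems.append("BEGIN and END labels differ")
    body, headers = lines[1:-1], {}
    while body and ":" in body[0]:  # Proc-Type / DEK-Info precede the base64 body
        name, value = body.pop(0).split(":", 1)
        headers[name.strip()] = value.strip()
    body = [line for line in body if line]  # drop the blank separator line, if any
    try:
        if not base64.b64decode("".join(body), validate=True):
            problems.append("no base64 body")
    except binascii.Error:
        problems.append("body is not valid base64")
    encrypted = headers.get("Proc-Type") == "4,ENCRYPTED" and "DEK-Info" in headers
    if require_encrypted and not encrypted:
        problems.append("private key is not encrypted (no Proc-Type/DEK-Info headers)")
    return problems

# Constructed sample input: the body is placeholder bytes, not real key material.
_BODY = base64.b64encode(b"constructed placeholder, not a real key").decode()
PLAIN_KEY = f"-----BEGIN RSA PRIVATE KEY-----\n{_BODY}\n-----END RSA PRIVATE KEY-----\n"
ENCRYPTED_KEY = PLAIN_KEY.replace(
    f"\n{_BODY}", f"\nProc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,0011223344556677\n\n{_BODY}")
```

Call `check_pem(text, require_encrypted=True)` on the private key block and `check_pem(text)` on the public key or certificate block; an empty list means the layout checks passed.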
10-20-2010 10:41 AM
Hey... thanks... you know, I was just doing it incorrectly.
Was trying to import via:
crypto ca import MyCert pem terminal "password"
Thanks for all your help... you know even CISCO TAC case has been open for about 2 weeks (was just escalated to me today)... they should've caught this... but I'm used to it, which is why I posted here..
THANKS AGAIN!!!
10-20-2010 01:45 PM
Awesome! Glad to be of help =)
Have a good one!
__ __
Pablo