Cisco Meeting Server pki unlock invalid key length

RITT
Level 1

Hi there,

I have been using Appendix A of this guide to generate a Private key and Certificate signing request (CSR). The signed cert and private key are then SFTPd onto CMS no problem and used as per the guide. Thought it would be a good idea to password encrypt the private key so I removed the -nodes switch from the openssl command.

openssl req -out webbridge3.csr -new -newkey rsa:2048 -keyout webbridge3.key

Once the CSR is signed and the private key and certificate are SFTPd into CMS, I use the following CMS MMP command to unlock the encrypted private key.

pki unlock webbridge3.key

I get the error "invalid key length"

Has anybody had any success unlocking encrypted private keys? If so what am I doing wrong? Many thanks.

1 Accepted Solution

RITT
Level 1

Going to answer my own question. I had forgotten that FIPS mode was switched on across the CMS cluster. You can check this by typing "fips" at the CMS MMP command line.

I was only using a nine character passphrase to encrypt the private key. It seems that with FIPS mode the passphrase must be between ten and 20 characters. The FIPS standard is quite clear on this. Using the correct length passphrase cured the problem for me.

Hopefully this answer will stop anyone else making this mistake and wasting a couple of days scratching their heads!!

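An added example, not part of the original thread: re-encrypting the existing private key under a passphrase that fits the 10 to 20 character window the poster reports for FIPS mode, so the already-signed certificate does not need to be reissued. The function names, the OLD_PASS/NEW_PASS environment variables and the file names are assumptions, and the length limits are taken from the post above rather than from Cisco documentation.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Limits are the ones the poster
# reports for "pki unlock" with FIPS mode enabled.
MIN_LEN=10
MAX_LEN=20

# Return 0 when the passphrase length is inside the reported window.
passphrase_ok() {
    local len=${#1}
    [ "$len" -ge "$MIN_LEN" ] && [ "$len" -le "$MAX_LEN" ]
}

# Re-encrypt <in.key> to <out.key>. The caller exports OLD_PASS and NEW_PASS,
# so neither passphrase appears in the process argument list.
reencrypt_key() {
    local in_key="$1" out_key="$2" old_pub new_pub
    if ! passphrase_ok "$NEW_PASS"; then
        echo "new passphrase is ${#NEW_PASS} chars, need $MIN_LEN-$MAX_LEN" >&2
        return 2
    fi
    # umask 077: the new key file is readable by its owner only.
    (umask 077
     openssl pkey -in "$in_key" -passin env:OLD_PASS \
                  -aes256 -out "$out_key" -passout env:NEW_PASS) || return 1
    # Confirm the new file opens with the new passphrase and still holds
    # the same key pair, so the signed certificate keeps matching it.
    old_pub=$(openssl pkey -in "$in_key" -passin env:OLD_PASS -pubout 2>/dev/null) || return 1
    new_pub=$(openssl pkey -in "$out_key" -passin env:NEW_PASS -pubout 2>/dev/null) || return 1
    [ "$old_pub" = "$new_pub" ]
}

# Stand-alone use: export OLD_PASS and NEW_PASS, then
#   ./reencrypt.sh webbridge3.key webbridge3-fips.key
if [ "$#" -eq 2 ]; then
    reencrypt_key "$1" "$2"
fi
```

The re-encrypted file is then the one to SFTP to CMS and pass to `pki unlock`.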