CA PAM not accepting Self-signed Certificate + Key files

Document ID : KB000126692
Last Modified Date : 11/02/2019
Issue:
An error is received when trying to upload a Certificate + Key file to PAM. Due to the error the certificate is not loaded into PAM successfully.

The following information & symptoms characterize this issue:
- A Self-signed certificate is being loaded into PAM
- The Private Key was generated using RSA
- The Private Key and Certificate files have been combined in a text editor into a single file
- The combined Certificate + Key file has been saved with "LF" type line endings
- All header and footers for the certificate & key still exist in the combined file
- When trying to upload the combined file using the option "Certificate with Private Key" under Security > Certificates > Upload, one of the errors below is seen

Possible Related Errors:
PAM-CM-0194: Unable to upload file
PAM-CM-0195: The key file for the certificate <certificate file name> is missing
PAM-CM-0201: Verification Error Can not open private key file
Environment:
Any PAM Version
Cause:
PAM's source code expects RSA-based Private Keys to start with the "-----BEGIN RSA PRIVATE KEY-----" header and to end with the matching footer. It was found that in some cases RSA-based Private Keys are missing the "RSA" part of the header (and footer).

Specifically, different versions of OpenSSL create private key files with different key headers/footers. For example, the command below creates a new 2048-bit RSA key in every version of OpenSSL, but different versions were observed to write different headers.

Sample command:
openssl req -new -x509 -newkey rsa:2048 -sha256 -nodes -keyout rsakey.key -days 365 -out cert.pem

Older versions (tested with v0.9.8zf) DID include RSA:
-----BEGIN RSA PRIVATE KEY-----
... BASE64 key info ...
-----END RSA PRIVATE KEY-----

Newer versions (tested with v1.0.1h & v1.0.2q) did NOT include RSA:
-----BEGIN PRIVATE KEY-----
... BASE64 key info ...
-----END PRIVATE KEY-----


However in all tested versions, using the following command always resulted in a file that properly includes RSA in the header/footer as expected by PAM:
openssl genrsa 2048
Resolution:
There are a few options to resolve this:
  1. (Easiest) Edit the Certificate + Key file to add RSA to the header & footer of the key as seen in the Cause section, then try re-uploading it.
  2. (Recommended) Generate a CSR from PAM and use the CSR to create the certificate. This way PAM already has a copy of the key and there should be no problems uploading the certificate.
  3. Generate a new Key first using the command "openssl genrsa". This should properly include RSA in the header/footer already. Then use that key with the "-signkey" option instead of "-newkey" when creating the certificate.
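As an added example (not code from the KB or from CA), a stdlib-only Python pre-flight check for option 1: it lists the PEM blocks in the combined Certificate + Key file and rewrites a "BEGIN PRIVATE KEY" block into the "BEGIN RSA PRIVATE KEY" form PAM expects. The "PRIVATE KEY" header is the PKCS#8 envelope and the "RSA PRIVATE KEY" header is the bare PKCS#1 RSAPrivateKey, so instead of only editing the header text the code unwraps the DER envelope, which is what converting the key with `openssl rsa` does on the command line. The sample bundle is constructed with placeholder bodies and is not real key material.

```python
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)
RSA_OID = bytes.fromhex("2a864886f70d010101")  # OID 1.2.840.113549.1.1.1 rsaEncryption

def der_tlv(buf, pos=0):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def pkcs8_to_pkcs1(pkcs8):
    """Unwrap PrivateKeyInfo { version, AlgorithmIdentifier, privateKey OCTET STRING };
    for rsaEncryption the OCTET STRING is exactly the PKCS#1 RSAPrivateKey DER."""
    tag, body, _ = der_tlv(pkcs8)
    _, _, pos = der_tlv(body)          # version INTEGER, skipped
    _, alg, pos = der_tlv(body, pos)   # AlgorithmIdentifier SEQUENCE
    _, oid, _ = der_tlv(alg)           # algorithm OID inside it
    ktag, key, _ = der_tlv(body, pos)  # privateKey OCTET STRING
    if tag != 0x30 or oid != RSA_OID or ktag != 0x04:
        raise ValueError("not a PKCS#8 rsaEncryption PrivateKeyInfo")
    return key

def pem(label, der_bytes):
    """Wrap DER in a PEM block with a 64-column base64 body (no trailing newline)."""
    b64 = base64.b64encode(der_bytes).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----"

def block_labels(text):  # e.g. ['CERTIFICATE', 'PRIVATE KEY']
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]

def fix_bundle(text):
    """Rewrite each PKCS#8 'PRIVATE KEY' block into the 'RSA PRIVATE KEY' form PAM expects;
    CERTIFICATE blocks and keys that already carry the RSA header are left untouched."""
    def rewrite(m):
        if m.group(1) != "PRIVATE KEY":
            return m.group(0)
        return pem("RSA PRIVATE KEY", pkcs8_to_pkcs1(base64.b64decode("".join(m.group(2).split()))))
    return PEM_BLOCK.sub(rewrite, text)

def der(tag, value):  # minimal DER encoder (short-form lengths), used only to build the sample below
    return bytes([tag, len(value)]) + value

# Constructed sample: placeholder certificate body and a PKCS#8 envelope around a placeholder
# RSAPrivateKey (NOT a real key; a real one is ~1.2 KB). Only the envelope layout matters here.
FAKE_PKCS1 = der(0x30, der(0x02, b"\x00") * 3)
SAMPLE_PKCS8 = der(0x30, der(0x02, b"\x00") + der(0x30, der(0x06, RSA_OID) + der(0x05, b"")) + der(0x04, FAKE_PKCS1))
SAMPLE_BUNDLE = pem("CERTIFICATE", der(0x30, b"")) + "\n" + pem("PRIVATE KEY", SAMPLE_PKCS8) + "\n"
```

Run `fix_bundle` on the file contents and upload the result; note that OpenSSL 3.x writes the PKCS#8 header by default even from `openssl genrsa`, and needs the `-traditional` option to emit "BEGIN RSA PRIVATE KEY".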