On Dec 22, 2019, at 12:08 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Dec 20, 2019, at 6:27 PM, Coy Hile <coy.hile@coyhile.com> wrote:
And, for posterity’s sake, I found the solution here. The server.pem file created by the bootstrap script looks thus:
``` Bag Attributes localKeyID: ... issuer=... -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- Bag Attributes more garbage... -----BEGIN ENCRYPTED PRIVATE KEY----- ... ——END ENCRYPTED PRIVATE KEY—— ```
Hmm... that's terrible. I think OpenSSL changed that a while back. It's a fairly stupid thing to do, IMHO. If I want the PEM file, I don't care about extra garbage being printed.
Once I moved the private key to the top of the file (and removed the Bag attributes information (which I haven’t seen before)), ending up with the server.pem looking thus:
``` ——BEGIN ENCRYPTED PRIVATE KEY----- ... ——END ENCRYPTED PRIVATE KEY----- -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- ```
the world is good to go.
That's good to hear. It's not clear why OpenSSL reads the file one mode but not the other.
Alan DeKok.
I’ll check later in the week when I’m off to see whether something needs tweaked in the bootstrap and send a PR your way if so. I agree it’s pretty terrible, but it is OpenSSL after all. Said only slightly tongue-in-cheek. -- Coy Hile coy.hile@coyhile.com