Dariusz Gadomski
2018-05-07 14:03:32 UTC
Hi,
I'm trying to use scepclient with an encrypted private key as follows:
ipsec scepclient --url <url> -k 2048 -f -p <mypassphrase> --dn '<my-dn>' \
--subjectAltName dns=<hostname> \
--in pkcs1=/etc/ipsec.d/private/privatekey.pem \
--out cert=/etc/ipsec.d/certs/myCert.der --in cacert-enc=caCert-ra-1.der \
--in cacert-sig=caCert-ra-2.der --debug 4
Passphrase for that key is in /etc/ipsec.secrets:
: RSA privatekey.pem "<passphrase>"
Charon says it's ok:
charon: 05[CFG] loaded RSA private key from '/etc/ipsec.d/private/privatekey.pem'
My private key is a PEM AES-256-encrypted key (although I also tried 3DES with
the same results):
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,<my-IV>
(...)
-----END RSA PRIVATE KEY-----
What I get is:
(...)
file content is not binary ASN.1
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,<my-IV>
-----END RSA PRIVATE KEY-----
building CRED_PRIVATE_KEY - RSA failed, tried 7 builders
error: no RSA private key available
For unencrypted keys it works without any issues.
From what I saw in the debugger the flow launches the pem plugin:
pem_builder.c -> pem_to_bin function.
According to my understanding it managed to detect that it's encrypted and tries to
get a passphrase for that key:
    enumerator = lib->credmgr->create_shared_enumerator(lib->credmgr,
                                    SHARED_PRIVATE_KEY_PASS, NULL, NULL);
    while (enumerator->enumerate(enumerator, &shared, NULL, NULL))
    (...)
But the loop is never executed even once, so the credmgr seems not to
have any credentials stored.
What's the correct way of passing private key passphrases to scepclient?
Does it use the information in /etc/ipsec.secrets or is there another
way?
Thank you,
Dariusz
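The check a practitioner would want before digging into credmgr is whether the two inputs even line up: does the PEM header name a cipher the pem plugin can handle, and does ipsec.secrets carry a passphrase entry that resolves to the same file the `--in pkcs1=` option points at. The block below is an added example (not code from the post above and not strongSwan's own code) that models exactly that pairing with the standard library only. It assumes the ipsec.secrets form `<selectors> : RSA <file> ["passphrase" | %prompt]`, `#` comment lines, relative file names resolved against /etc/ipsec.d/private, the DEK-Info ciphers DES-EDE3-CBC and AES-128/192/256-CBC as the supported set, and the legacy OpenSSL EVP_BytesToKey (MD5, salt = first 8 IV bytes) derivation used by `Proc-Type: 4,ENCRYPTED` files; the sample secrets file and PEM header are constructed, and the PEM body is not decrypted (no AES in the stdlib). It does not answer whether scepclient itself reads ipsec.secrets; it shows what a loader that does would have to find.

```python
"""Added example: pair an encrypted legacy PEM key with its ipsec.secrets
entry and derive the DEK. Not from the original post, not strongSwan code."""
import hashlib
import os
import re
import shlex

# Assumption: relative file names in ipsec.secrets live under this directory.
PRIVATE_DIR = "/etc/ipsec.d/private"

# Assumption: DEK-Info ciphers the pem plugin maps -> (key bytes, IV bytes).
SUPPORTED_DEK_CIPHERS = {
    "DES-EDE3-CBC": (24, 8),
    "AES-128-CBC": (16, 16),
    "AES-192-CBC": (24, 16),
    "AES-256-CBC": (32, 16),
}


def parse_pem_header(pem_text):
    """Return (cipher, iv_bytes) for a legacy encrypted PEM key, or None when
    there is no Proc-Type/DEK-Info header (i.e. the key is unencrypted)."""
    proc = re.search(r"^Proc-Type:\s*4,ENCRYPTED\s*$", pem_text, re.M)
    dek = re.search(r"^DEK-Info:\s*([A-Z0-9-]+),([0-9A-Fa-f]+)\s*$", pem_text, re.M)
    if not proc or not dek:
        return None
    return dek.group(1), bytes.fromhex(dek.group(2))


def parse_ipsec_secrets(text):
    """Yield (absolute_key_path, passphrase) for each RSA entry.
    passphrase is None when the entry has none or uses %prompt."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        _selectors, rhs = line.split(":", 1)
        try:
            tokens = shlex.split(rhs)      # honours the quoted passphrase
        except ValueError:
            continue                       # unbalanced quotes: skip entry
        if len(tokens) < 2 or tokens[0].upper() != "RSA":
            continue
        path = tokens[1]
        if not os.path.isabs(path):
            path = os.path.join(PRIVATE_DIR, path)
        secret = tokens[2] if len(tokens) >= 3 and tokens[2] != "%prompt" else None
        yield os.path.normpath(path), secret


def find_passphrase(secrets_text, key_path):
    """Look up the passphrase for key_path (relative names resolved as above)."""
    if not os.path.isabs(key_path):
        key_path = os.path.join(PRIVATE_DIR, key_path)
    key_path = os.path.normpath(key_path)
    for path, secret in parse_ipsec_secrets(secrets_text):
        if path == key_path:
            return secret
    return None


def evp_bytes_to_key(passphrase, iv, key_len):
    """Legacy OpenSSL PEM key derivation: MD5 chained over
    prev || passphrase || salt, salt being the first 8 bytes of the IV."""
    salt = iv[:8]
    out, prev = b"", b""
    while len(out) < key_len:
        prev = hashlib.md5(prev + passphrase.encode() + salt).digest()
        out += prev
    return out[:key_len]


def check_key_loadable(pem_text, secrets_text, key_path):
    """Return (status, detail): could a loader whose only passphrase source is
    ipsec.secrets decrypt this key? 'ok' carries the derived DEK as hex."""
    header = parse_pem_header(pem_text)
    if header is None:
        return "ok", "key is not encrypted"
    cipher, iv = header
    if cipher not in SUPPORTED_DEK_CIPHERS:
        return "unsupported-cipher", cipher
    key_len, iv_len = SUPPORTED_DEK_CIPHERS[cipher]
    if len(iv) != iv_len:
        return "bad-iv", f"{len(iv)} bytes, expected {iv_len}"
    passphrase = find_passphrase(secrets_text, key_path)
    if passphrase is None:
        return "no-passphrase", key_path
    return "ok", evp_bytes_to_key(passphrase, iv, key_len).hex()


# Constructed sample inputs (not real secrets, not a real key).
SAMPLE_SECRETS = """# constructed ipsec.secrets
: RSA privatekey.pem "correct horse"
: RSA /etc/ipsec.d/private/other.pem %prompt
"""
SAMPLE_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF

(body omitted: constructed header only)
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for p in ("/etc/ipsec.d/private/privatekey.pem", "/etc/ipsec.d/private/other.pem"):
        print(p, check_key_loadable(SAMPLE_PEM, SAMPLE_SECRETS, p))
```

Running it reports `ok` for privatekey.pem (the entry resolves to the absolute path given on the command line) and `no-passphrase` for other.pem, whose `%prompt` entry is useless to a non-interactive loader; swapping the DEK-Info cipher for one outside the supported set yields `unsupported-cipher`, which is the other silent way a key can end up rejected by every builder.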