PolarSSL: error parsing config private key

Official client software for OpenVPN Access Server and OpenVPN Cloud.

Re: PolarSSL: error parsing config private key

Post by davewolfs » Mon Feb 11, 2013 3:51 am

The method suggested by ungaghllalek works. The issue is that you cannot use a password.

Basically, password protected keys do not appear to work with this client. Everything else appears to be fine.

Post by rdk@krupczak.org » Mon Feb 11, 2013 4:03 am

Hi!

Thanks for the reply. The issue was not a password protected key.

The issue was that in more recent versions of openssl, keys are generated in some non-RSA format. I still don't know exactly what format it is in.

Once I converted from the non-RSA to RSA format private key, everything started working as planned.

Thanks,

Bobby

Post by davewolfs » Mon Feb 11, 2013 12:45 pm

Is it possible to create a password protected RSA key?

Post by davewolfs » Mon Feb 11, 2013 1:07 pm

Using the info above I was able to successfully create a password protected private key.

```
openssl rsa -in old.key -des3 -out new.key
```

Post by peterloron » Tue Feb 12, 2013 6:04 am

@pjbakker @jamesyonan

Any update on this issue? Is it a problem with OpenSSL? OpenVPN? PolarSSL?

Thanks.

-pete

Post by rdk@krupczak.org » Tue Feb 12, 2013 4:11 pm

Hi!

It's solved.

The forum topic contains the discussion and answers and my confirmation that it fixed the problem.

In short, newer versions of openssl generate private keys that are in some non-RSA format. The version of PolarSSL that ships with OpenVPN for iOS requires the private key to be in RSA format. Once one uses the openssl tool to convert the private key, openvpn iOS works just fine.

Thanks,

Bobby

Post by ronnietaylor » Mon Feb 18, 2013 5:37 pm

Just wanted to post my findings on an almost identical error.

I've been battling with:

"PolarSSL: error parsing cert certificate"

It turns out this was a dependency issue on the Ubuntu system where I generate my keys. The solution ended up being to do 'apt-get install opensc'.

After that the recommended steps work like a charm.

I came to this solution after I realized that the client .crt file generated by ./pkitool was empty.

Then after reading the README, vars and openssl.cnf files again I couldn't shake that there was something silly missing. The repeated refs to pkcs are what jogged my brain. It wasn't until the 3rd perusal of README that I noticed it recommended installing opensc.

Not sure if my solution fits this exact case but maybe give it a go.

Best.

-- Ronnie

Post by hontvari » Sun Jun 16, 2013 1:47 am

The same issue also occurs on the latest Android client, 1.1.11 (build 44). The same workaround mentioned above does help here too, for passphrase protected keys:

```
openssl rsa -in old.key -des3 -out new.key
```

Post by psakke » Thu Dec 19, 2013 9:35 pm

rdk@krupczak.org wrote:
> What I see is:
> older keys: -----BEGIN RSA PRIVATE KEY-----
> new key: -----BEGIN PRIVATE KEY-----
>
> I converted my key explicitly to rsa ...

I had the same error after app update on iPhone 5S. My .conf had "BEGIN RSA PRIVATE KEY", but it still didn't work. I then converted it again to RSA using `openssl rsa -in orig.key -out new.key` and it started working again.

One thing was that openssl threw an error reading the private key on my Mac OSX 10.7 (OpenSSL 0.9.8y 5 Feb 2013), but it worked on a random available OpenBSD (OpenSSL 1.0.0f 4 Jan 2012). I can't remember where I initially created the original keys, on my mac, linux or openbsd?

OpenSSL error on mac, on the key within the client config that used to work:

```
unable to load Private Key
94428:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:/SourceCache/OpenSSL098/OpenSSL098-49.1/src/crypto/asn1/tasn_dec.c:1315:
94428:error:0D06C03A:asn1 encoding routines:ASN1_D2I_EX_PRIMITIVE:nested asn1 error:/SourceCache/OpenSSL098/OpenSSL098-49.1/src/crypto/asn1/tasn_dec.c:827:
94428:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:/SourceCache/OpenSSL098/OpenSSL098-49.1/src/crypto/asn1/tasn_dec.c:747:Field=n, Type=RSA
94428:error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib:/SourceCache/OpenSSL098/OpenSSL098-49.1/src/crypto/asn1/d2i_pr.c:99:
94428:error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib:/SourceCache/OpenSSL098/OpenSSL098-49.1/src/crypto/pem/pem_pkey.c:125:
```
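
Added example, not part of any post in this thread: a Python check that reads a PEM private key and reports which layout the body actually has, the one that goes with `BEGIN RSA PRIVATE KEY` (PKCS#1) or the one that goes with `BEGIN PRIVATE KEY` (PKCS#8), independent of what the label says. The function names and the toy sample keys are constructed for illustration.

```python
import base64
import re

def tlv(buf, pos=0):
    """Read one DER element at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def classify_key(pem_text):
    """Return (PEM label, actual body format) for the first PEM block."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem_text, re.S)
    if not m:
        raise ValueError("no PEM block found")
    label, body = m.group(1), m.group(2).strip()
    if body.startswith("Proc-Type:"):  # PEM encryption header: body is ciphertext
        return label, "traditional-encrypted"
    tag, seq, _ = tlv(base64.b64decode("".join(body.split())))
    if tag != 0x30:
        raise ValueError("body is not a DER SEQUENCE")
    first, _, pos = tlv(seq)
    if first == 0x30:  # EncryptedPrivateKeyInfo starts with an AlgorithmIdentifier
        return label, "pkcs8-encrypted"
    second, _, _ = tlv(seq, pos)
    # After the version: PKCS#1 has INTEGER n, PKCS#8 has a SEQUENCE (algorithm)
    return label, {0x02: "pkcs1", 0x30: "pkcs8"}.get(second, "unknown")

# Constructed samples: toy numbers in structurally valid DER, not usable keys.
def der(tag, value):
    return bytes([tag, len(value)]) + value  # short-form length is enough here
def der_int(v):
    return der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))
PKCS1 = der(0x30, b"".join(der_int(v) for v in (0, 3233, 17, 2753, 61, 53, 53, 49, 38)))
RSA_OID = der(0x06, bytes.fromhex("2a864886f70d010101"))  # rsaEncryption
PKCS8 = der(0x30, der_int(0) + der(0x30, RSA_OID + der(0x05, b"")) + der(0x04, PKCS1))
def pem(label, body):
    return f"-----BEGIN {label}-----\n{base64.encodebytes(body).decode()}-----END {label}-----\n"
ENCRYPTED = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
             "DEK-Info: DES-EDE3-CBC,0011223344556677\n\nAAAA\n-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    for text in (pem("RSA PRIVATE KEY", PKCS1), pem("PRIVATE KEY", PKCS8),
                 pem("RSA PRIVATE KEY", PKCS8), ENCRYPTED):
        print("label=%r body=%s" % classify_key(text))
```

The third sample has an RSA label over a PKCS#8 body; a parser that expects the modulus `n` as the second field finds a SEQUENCE there instead, and `n` is the field named in the OpenSSL 0.9.8 error output quoted above.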
