PolarSSL: error parsing config private key

ungaghllalek
OpenVpn Newbie
Posts: 1
Joined: Mon Feb 04, 2013 8:47 am

Re: PolarSSL: error parsing config private key: solution

Post by ungaghllalek » Mon Feb 04, 2013 8:52 am

Hi,

I had the same problem with keys generated by openssl >= 1.0.0, but not with keys generated by openssl <= 0.9.X

The difference is the key format, which was RSA in the past but seems to be PKCS8 in 1.0.0. The PKCS8-format is not parsed by PolarSSL.

One solution is to generate the keys with 'openssl genrsa ....'

You can also convert your existing keys with: openssl rsa -in original.key -out converted.key

This did it for me, both on iOS and Android devices.

rdk@krupczak.org
OpenVpn Newbie
Posts: 16
Joined: Mon Jan 28, 2013 1:57 pm

Re: PolarSSL: error parsing config private key

Post by rdk@krupczak.org » Mon Feb 04, 2013 1:13 pm

Hi!

My keys were generated by pkitool script included in the easy-rsa component of OpenSSL.

This is already getting not easy.

What is the current version of PolarSSL that was used to test my key? I take it that it is not 1.0?

I'm now wondering how I can generate keys that will work with openvpn 1.0 on my ipad and also work with my existing deployed openvpn server.

Thanks,

Bobby

rdk@krupczak.org
OpenVpn Newbie
Posts: 16
Joined: Mon Jan 28, 2013 1:57 pm

Re: PolarSSL: error parsing config private key

Post by rdk@krupczak.org » Tue Feb 05, 2013 3:40 pm

Hi!

My keys are RSA in pem format.

Not sure what else I can do.

Bobby

rdk@krupczak.org
OpenVpn Newbie
Posts: 16
Joined: Mon Jan 28, 2013 1:57 pm

Re: PolarSSL: error parsing config private key

Post by rdk@krupczak.org » Tue Feb 05, 2013 4:11 pm

Hi!

Re ungaghllalek

I think I see what you mean. I more closely examined my key files for previously generated keys vs. what is generating now. What I see is:

older keys: -----BEGIN RSA PRIVATE KEY-----

new key: -----BEGIN PRIVATE KEY-----

I converted my key explicitly to rsa using your command above and will try this key out on my iPad today. I'll report my results. I'm wondering what the default key format is for openssl in later versions?

Thanks,

Bobby

rdk@krupczak.org
OpenVpn Newbie
Posts: 16
Joined: Mon Jan 28, 2013 1:57 pm

Re: PolarSSL: error parsing config private key

Post by rdk@krupczak.org » Tue Feb 05, 2013 9:46 pm

Hi!

Converting the key from the unknown format to RSA via openssl rsa command did the trick and fixed my issue. I can now openvpn into my network using OpenVPN connect on my iOS iPad.

My openvpn server is running 2.x and it's interoperating just fine with the current version of OpenVPN on iOS.

Thanks,

Bobby

davewolfs
OpenVpn Newbie
Posts: 3
Joined: Mon Feb 11, 2013 3:50 am

Re: PolarSSL: error parsing config private key

Post by davewolfs » Mon Feb 11, 2013 3:51 am

The method suggested by ungaghllalek works. The issue is that you cannot use a password.

Basically, password protected keys do not appear to work with this client. Everything else appears to be fine.

rdk@krupczak.org
OpenVpn Newbie
Posts: 16
Joined: Mon Jan 28, 2013 1:57 pm

Re: PolarSSL: error parsing config private key

Post by rdk@krupczak.org » Mon Feb 11, 2013 4:03 am

Hi!

Thanks for the reply. The issue was not a password protected key.

The issue was that in more recent versions of openssl, keys are generated in some non-RSA format. I still don't know exactly what format it is in.

Once I converted from the non-RSA to RSA format private key, everything started working as planned.

Thanks,

Bobby

davewolfs
OpenVpn Newbie
Posts: 3
Joined: Mon Feb 11, 2013 3:50 am

Re: PolarSSL: error parsing config private key

Post by davewolfs » Mon Feb 11, 2013 12:45 pm

Is it possible to create a password protected RSA key?

davewolfs
OpenVpn Newbie
Posts: 3
Joined: Mon Feb 11, 2013 3:50 am

Re: PolarSSL: error parsing config private key

Post by davewolfs » Mon Feb 11, 2013 1:07 pm

Using the info above I was able to successfully create a password protected private key.

openssl rsa -in old.key -des3 -out new.key

peterloron
OpenVpn Newbie
Posts: 3
Joined: Wed Jan 30, 2013 7:55 am

Re: PolarSSL: error parsing config private key

Post by peterloron » Tue Feb 12, 2013 6:04 am

@pjbakker @jamesyonan

Any update on this issue? Is it a problem with OpenSSL? OpenVPN? PolarSSL?

Thanks.

-pete

rdk@krupczak.org
OpenVpn Newbie
Posts: 16
Joined: Mon Jan 28, 2013 1:57 pm

Re: PolarSSL: error parsing config private key

Post by rdk@krupczak.org » Tue Feb 12, 2013 4:11 pm

Hi!

It's solved.

The forum topic contains the discussion and answers and my confirmation that it fixed the problem.

In short, newer versions of openssl generate private keys that are in some non-RSA format. The version of PolarSSL that ships with OpenVPN for iOS requires the private key to be in RSA format. Once one uses the openssl tool to convert the private key, openvpn iOS works just fine.

Thanks,

Bobby

ronnietaylor
OpenVpn Newbie
Posts: 1
Joined: Mon Feb 18, 2013 5:28 pm

Re: PolarSSL: error parsing config private key

Post by ronnietaylor » Mon Feb 18, 2013 5:37 pm

Just wanted to post my findings on an almost identical error.

I've been battling with:

"PolarSSL: error parsing cert certificate"

It turns out this was a dependency issue on the Ubuntu system where I generate my keys. The solution ended up being to do 'apt-get install opensc'.

After that the recommended steps work like a charm.

I came to this solution after I realized that the client .crt file generated by ./pkitool was empty.

Then after reading the README, vars and openssl.cnf files again I couldn't shake that there was something silly missing. The repeated refs to pkcs are what jogged my brain. It wasn't until the 3rd perusal of README that I noticed it recommended installing opensc.

Not sure if my solution fits this exact case but maybe give it a go.

Best.

-- Ronnie

hontvari
OpenVpn Newbie
Posts: 1
Joined: Sun Jun 16, 2013 1:36 am

Re: PolarSSL: error parsing config private key

Post by hontvari » Sun Jun 16, 2013 1:47 am

The same issue also occurs on the latest Android client, 1.1.11 (build 44). The same workaround mentioned above does help here too, for passphrase protected keys:

openssl rsa -in old.key -des3 -out new.key

psakke
OpenVpn Newbie
Posts: 1
Joined: Thu Dec 19, 2013 9:07 pm

Re: PolarSSL: error parsing config private key

Post by psakke » Thu Dec 19, 2013 9:35 pm

rdk@krupczak.org wrote: What I see is:
older keys: -----BEGIN RSA PRIVATE KEY-----
new key: -----BEGIN PRIVATE KEY-----

I converted my key explicitly to rsa ...

I had the same error after app update on iPhone 5S. My .conf had "BEGIN RSA PRIVATE KEY", but it still didn't work. I then converted it again to RSA using `openssl rsa -in orig.key -out new.key` and it started working again.

One thing was that openssl threw an error reading the private key on my Mac OSX 10.7 (OpenSSL 0.9.8y 5 Feb 2013), but it worked on a random available OpenBSD (OpenSSL 1.0.0f 4 Jan 2012). I can't remember where I initially created the original keys, on my mac, linux or openbsd?

OpenSSL error on mac, on the key within the client config that used to work:

unable to load Private Key
94428:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:/SourceCache/OpenSSL098/OpenSSL098-49.1/src/crypto/asn1/tasn_dec.c:1315:
94428:error:0D06C03A:asn1 encoding routines:ASN1_D2I_EX_PRIMITIVE:nested asn1 error:/SourceCache/OpenSSL098/OpenSSL098-49.1/src/crypto/asn1/tasn_dec.c:827:
94428:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:/SourceCache/OpenSSL098/OpenSSL098-49.1/src/crypto/asn1/tasn_dec.c:747:Field=n, Type=RSA
94428:error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib:/SourceCache/OpenSSL098/OpenSSL098-49.1/src/crypto/asn1/d2i_pr.c:99:
94428:error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib:/SourceCache/OpenSSL098/OpenSSL098-49.1/src/crypto/pem/pem_pkey.c:125:
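
Added example, not part of any post in this thread: a Python check that reports, for each private key in a key file or OpenVPN profile, the format its PEM label declares and the format its DER body actually has, and flags keys that would need the `openssl rsa` conversion discussed above. The function names, the toy DER bytes and the sample profile (vpn.example.net) are constructed for illustration.

```python
import base64
import re

# PEM private-key blocks, standalone or inlined in an OpenVPN profile's <key> section.
PEM_RE = re.compile(
    r"-----BEGIN ((?:RSA |ENCRYPTED )?PRIVATE KEY)-----\s*\n(.*?)-----END \1-----", re.S)
DECLARED = {"RSA PRIVATE KEY": "pkcs1", "PRIVATE KEY": "pkcs8",
            "ENCRYPTED PRIVATE KEY": "pkcs8-encrypted"}

def der_shape(der):
    """Classify an unencrypted key by DER layout instead of trusting the PEM label."""
    if len(der) < 2 or der[0] != 0x30:                 # outer SEQUENCE
        return "unknown"
    i = 2 + (der[1] & 0x7F if der[1] & 0x80 else 0)    # skip short/long-form length
    if der[i:i + 3] != b"\x02\x01\x00" or len(der) <= i + 3:   # version INTEGER 0
        return "unknown"
    # PKCS#1 continues with INTEGER n, PKCS#8 with the AlgorithmIdentifier SEQUENCE.
    return {0x02: "pkcs1", 0x30: "pkcs8"}.get(der[i + 3], "unknown")

def classify_keys(text):
    """One finding per private key found in a key file or .ovpn profile."""
    findings = []
    for label, body in PEM_RE.findall(text):
        declared = DECLARED[label]
        encrypted = "Proc-Type: 4,ENCRYPTED" in body or declared == "pkcs8-encrypted"
        if encrypted:
            actual = declared                          # ciphertext cannot be inspected
        else:
            try:
                actual = der_shape(base64.b64decode("".join(body.split())))
            except ValueError:                         # broken base64
                actual = "unknown"
        # Per the thread, the client needed a PKCS#1 ("RSA PRIVATE KEY") key.
        findings.append({"declared": declared, "actual": actual, "encrypted": encrypted,
                         "convert": declared != "pkcs1" or actual != "pkcs1"})
    return findings

def make_pem(label, der, headers=""):
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{headers}{b64}\n-----END {label}-----\n"

# Constructed toy DER, not real keys: just enough structure to classify.
TOY_PKCS1 = bytes.fromhex("3006020100020105")
TOY_PKCS8 = bytes.fromhex("301c020100300d06092a864886f70d01010105000408") + TOY_PKCS1
SAMPLE_PROFILE = ("client\nremote vpn.example.net 1194\n<key>\n"
                  + make_pem("PRIVATE KEY", TOY_PKCS8) + "</key>\n")

if __name__ == "__main__":
    for finding in classify_keys(SAMPLE_PROFILE):
        print(finding)
```

A finding where `declared` and `actual` differ means the PEM label does not match the key body, which a header-only check would miss.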
