SUSE Support

Here When You Need Us

"Unknown Private Key type" using mgr-ssl-cert-setup

This document (000021339) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Manager Server 4.3

Situation

When importing a new certificate/key pair using the mgr-ssl-cert-setup tool, the following error is produced:
# mgr-ssl-cert-setup -r rootCA1.pem -i subCA1-rootCA1.pem -s suma43.pem -k example.key
Unknown Private Key type

ERROR: Unable to read the server key. Is it maybe encrypted?

The private key file is not encrypted.

The contents of the first line of the key file do not have a key algorithm specified:
# head -n1 example.key 
-----BEGIN PRIVATE KEY-----


The installed version of the spacewalk-certs-tools package is greater than or equal to the following:

# rpm -q spacewalk-certs-tools 
spacewalk-certs-tools-4.3.19-150400.3.18.13.noarch

Resolution

Add the algorithm that was used to generate the key to the first and last lines of the key file:
# head -n1 example.key 
-----BEGIN RSA PRIVATE KEY-----
# tail -n1 example.key 
-----END RSA PRIVATE KEY-----


Perform the import again. It should complete without errors:

# mgr-ssl-cert-setup -r rootCA1.pem -i subCA1-rootCA1.pem -s suma43.pem -k example.key 
After changing the server certificate please execute:
$> spacewalk-service stop 
$> systemctl restart postgresql.service 
$> spacewalk-service start

As the CA certificate has been changed, please deploy the CA to all registered clients.
On salt-managed clients, you can do this by applying the highstate.

Cause

Version 4.3.19 of spacewalk-certs-tools introduced a new feature to support EC cryptography. Previous versions only allowed RSA keys. The new version has to check the type of key so it knows how to handle it. To verify the key type, the mgr-ssl-cert-setup tool reads the algorithm from the first line of the unencrypted key file. If no valid specification can be found, the tool assumes an unknown key type, producing the error.

Additional Information

As of the time of writing, only RSA and EC keys are accepted. They must have the following first lines respectively:
-----BEGIN RSA PRIVATE KEY-----
-----BEGIN EC PRIVATE KEY-----

If your key uses a different algorithm, then it may not be compatible with mgr-ssl-cert-setup, which can generate the same error messages. If this is the case, consider generating a new supported certificate/key pair.
 

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:000021339
  • Creation Date: 29-Jan-2024
  • Modified Date:08-Feb-2024
    • SUSE Manager Server

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com

tick icon

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

tick icon

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.

tick icon

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.