Unable to process private key

Erinn Looney-Triggs erinn.looneytriggs at gmail.com
Tue Oct 11 18:34:49 CEST 2011


On 10/11/2011 07:30 AM, Nikos Mavrogiannopoulos wrote:
> On Tue, Oct 11, 2011 at 4:24 AM, Erinn Looney-Triggs
> <erinn.looneytriggs at gmail.com> wrote:
>> I am receiving the following error when trying to use gnutls-cli:
>> gnutls-cli --x509cafile /etc/pki/certmaster/ca.cert --x509keyfile
>> foo.example.com.pem --x509certfile foo.example.com.cert -p 514
>> bar.example.com
>> Processed 1 CA certificate(s).
>> Processed 1 client certificates...
>> *** Error loading key file: Base64 decoding error.
> I suppose it is a base64 decoding error? It could be that there are
> carriage returns, spaces or tabs in the PEM encoded file and gnutls
> 2.8.x doesn't like them.
>
>> I am able to successfully render the private key using openssl:
>> openssl rsa -noout -text -in <key>
> openssl as well as Gnutls 2.12.x are more liberal in PEM (base64) decoding.
>
>> Is there an equivalent command for gnutls?
> Upgrade to 2.12.x or use openssl to convert the file to "correct"
> encoding and then try loading again.
>
> regards,
> Nikos

Thanks, I dug into this further last night. I am no expert in this realm
but it looks like the problem lies in the fact that the key is in PKCS#8
format. With the version of gnutls I have on RHEL 6, certtool will
happily decode it automatically via certtool -k, however, gnutls-cli
will not, nor in fact will rsyslog which is what really drove me down
this path. Rsyslog simply crashes and core dumps. Rumor is that there is
a gnutls function that will automatically detect/decode pkcs#8 format,
but I have yet to find it or fully understand this situation, so I am
continuing to look. Again if you have any advice I would appreciate it,
upgrading isn't much of an option at least in the short term, I may be
able to coax Red Hat into an upgrade but I doubt it.

-Erinn
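
A check covering both explanations raised in this thread (stray whitespace in the PEM file, and a PKCS#8 container rather than a traditional RSA key), added here as an illustration and not part of the original messages or of GnuTLS. The function name `inspect_pem_key` and the sample inputs are constructed for this example; the label-to-format mapping follows the standard PEM armor labels.

```python
import base64
import re

# Standard PEM armor labels mapped to the private-key container they indicate.
LABELS = {
    "RSA PRIVATE KEY": "PKCS#1 (traditional RSA)",
    "PRIVATE KEY": "PKCS#8 (unencrypted)",
    "ENCRYPTED PRIVATE KEY": "PKCS#8 (encrypted)",
}
ARMOR = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def inspect_pem_key(data: bytes) -> dict:
    """Report the key container and whitespace a strict decoder may reject."""
    m = ARMOR.search(data)
    if m is None:
        return {"format": "no PEM armor found", "issues": []}
    label, body = m.group(1).decode(), m.group(2)
    issues = []
    if b"\r" in data:
        issues.append("carriage returns (CRLF line endings)")
    if b"\t" in body:
        issues.append("tab characters in base64 body")
    if b" " in body:
        issues.append("space characters in base64 body")
    try:
        # Strip all whitespace, then require a strictly valid base64 alphabet.
        base64.b64decode(b"".join(body.split()), validate=True)
    except ValueError:
        issues.append("body is not valid base64 even after stripping whitespace")
    fmt = LABELS.get(label, "unrecognised label: " + label)
    return {"format": fmt, "issues": issues}


# Constructed sample inputs: filler bytes, not real key material.
_B64 = base64.encodebytes(bytes(range(96)))
SAMPLE_PKCS1 = (b"-----BEGIN RSA PRIVATE KEY-----\n" + _B64
                + b"-----END RSA PRIVATE KEY-----\n")
SAMPLE_PKCS8_CRLF = (b"-----BEGIN PRIVATE KEY-----\n" + _B64
                     + b"-----END PRIVATE KEY-----\n").replace(b"\n", b"\r\n")

if __name__ == "__main__":
    for name, sample in (("pkcs1", SAMPLE_PKCS1), ("pkcs8-crlf", SAMPLE_PKCS8_CRLF)):
        print(name, inspect_pem_key(sample))
```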