Unable to load CA Private key - Bad Decrypt

Hi

I'm running the following set of commands on a PC, under WSL, to create a certificate.

openssl genpkey -out device.key -algorithm RSA -pkeyopt rsa_keygen_bits:2048
successfully creates device.key
openssl req -new -key device.key -out device.csr
successfully creates device.csr
openssl rand -hex 16 > db/serial
openssl ca -config subca.conf -in device.csr -out device.crt -extensions client_ext
fails: unable to load CA private key, bad decrypt
subca.conf was created on a different PC. Would this break the encryption?

Thanks

Comments

  • pnts
    pnts Posts: 19

    What LAB is this?

    Can you reference a CA private key in the configuration file?
    If not, I would interpret this error as meaning that the -keyfile option, which passes a CA private key, is missing.

    -keyfile filename
               The private key to sign requests with.
    
  • Thanks for the help.

    I tried this, with device.key but get "CA certificate and CA private key do not match"

    All the subca files were created on a different PC and the whole folder structure was copied to my PC. It works fine on the PC it was all created on!

    Should we create a "subca.key" file and copy that to the new pc?

  • pnts
    pnts Posts: 19

    Ok, so you can reference the CA cert and private key from config. Like so:

    [ CA_default ]
            certificate    = $dir/cacert.pem  
            private_key    = $dir/private/cakey.pem
    

    Is that what you're doing?
    If you want to use the CA private key and cert generated on the other computer, you should copy them. You should be able to find them from the references in the config file.

    Also, after copying them you can check if the private key and cert match like so:

    openssl x509 -noout -modulus -in cacert.pem | md5sum
    openssl rsa -noout -modulus -in cakey.pem | md5sum

    Replace cacert.pem and cakey.pem with your filenames for CA cert and private key.
    The output should be the same.
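As an added worked example (not code from any of the posts above), the script below builds a throwaway sub-CA under a temporary directory, signs a client CSR with `openssl ca` the way the opening post does, and reproduces both failures seen in the thread: a CA key that cannot be decrypted (a wrong passphrase or a mis-copied key file, which OpenSSL reports as "bad decrypt"), and a key that does not belong to the CA certificate (what happened when device.key was passed via -keyfile). It also replaces the RSA-only modulus/md5sum comparison with a public-key comparison that works for EC and Ed25519 CA keys too. All paths, subjects, the config contents and the passphrase are assumptions made for the example; the only thing it needs is the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not from the forum thread. Builds a throwaway sub-CA in a
# temporary directory, signs a client CSR with `openssl ca`, and shows both
# failures from the thread. Every path, subject and passphrase here is assumed.
set -eu

DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
CA_PASS='sub-ca-passphrase'   # assumed passphrase protecting the CA key

# Create the directory layout subca.conf expects, an encrypted CA key with a
# self-signed CA certificate, and a device key + CSR as in the original post.
setup_demo() {
  mkdir -p "$DEMO/ca/private" "$DEMO/ca/db" "$DEMO/ca/certs"
  : > "$DEMO/ca/db/index"
  openssl rand -hex 16 > "$DEMO/ca/db/serial"

  # The CA key is encrypted: loading it with the wrong passphrase (or from a
  # mis-copied file) is what OpenSSL reports as "bad decrypt".
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -aes-256-cbc -pass "pass:$CA_PASS" -out "$DEMO/ca/private/cakey.pem" 2>/dev/null
  openssl req -x509 -new -key "$DEMO/ca/private/cakey.pem" -passin "pass:$CA_PASS" \
    -subj "/CN=Test Sub CA" -days 1 -out "$DEMO/ca/cacert.pem" 2>/dev/null

  # Minimal subca.conf (assumed); $dir is resolved by OpenSSL relative to the cwd.
  cat > "$DEMO/ca/subca.conf" <<'EOF'
[ ca ]
default_ca       = CA_default
[ CA_default ]
dir              = .
database         = $dir/db/index
serial           = $dir/db/serial
new_certs_dir    = $dir/certs
certificate      = $dir/cacert.pem
private_key      = $dir/private/cakey.pem
default_md       = sha256
default_days     = 1
policy           = policy_any
unique_subject   = no
[ policy_any ]
commonName       = supplied
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
extendedKeyUsage = clientAuth
EOF

  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$DEMO/device.key" 2>/dev/null
  openssl req -new -key "$DEMO/device.key" -subj "/CN=device01" \
    -out "$DEMO/device.csr" 2>/dev/null
}

# Does the private key belong to the certificate? Compares the public key
# inside the certificate with the one derived from the private key, so it also
# works for EC/Ed25519 keys, which have no RSA modulus to md5sum.
# Returns 0 on match, 1 on mismatch, 2 if the key cannot be loaded at all
# (wrong passphrase, truncated or corrupted file).
key_matches_cert() {
  cert=$1 key=$2 pass=${3:-}
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
  key_pub=$(openssl pkey -in "$key" -passin "pass:$pass" -pubout 2>/dev/null) || return 2
  [ "$cert_pub" = "$key_pub" ]
}

# Sign device.csr the way the post does; the passphrase is the only variable.
# Returns openssl ca's exit status, so a bad decrypt or a mismatched key is a
# failure rather than a silently issued certificate.
sign_client_cert() {
  ( cd "$DEMO/ca" && openssl ca -batch -config subca.conf -passin "pass:$1" \
      -in "$DEMO/device.csr" -out "$DEMO/device.crt" -extensions client_ext \
      -notext 2>/dev/null )
}

# Sanity check on an issued certificate: it carries the device's public key
# and names the CA as its issuer.
issued_correctly() {
  cert=$1 key=$2 cacert=$3
  key_matches_cert "$cert" "$key" || return 1
  issuer=$(openssl x509 -in "$cert" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
  subject=$(openssl x509 -in "$cacert" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
  [ "$issuer" = "$subject" ]
}

setup_demo
key_matches_cert "$DEMO/ca/cacert.pem" "$DEMO/ca/private/cakey.pem" "$CA_PASS" \
  && echo "CA certificate and CA private key match"
if ! key_matches_cert "$DEMO/ca/cacert.pem" "$DEMO/device.key"; then
  echo "device.key via -keyfile: CA certificate and CA private key do not match"
fi
if ! sign_client_cert "wrong-passphrase"; then
  echo "wrong passphrase: openssl ca fails (unable to load CA private key, bad decrypt)"
fi
sign_client_cert "$CA_PASS"
issued_correctly "$DEMO/device.crt" "$DEMO/device.key" "$DEMO/ca/cacert.pem" \
  && echo "device.crt issued by $(openssl x509 -in "$DEMO/ca/cacert.pem" -noout -subject)"
```

The practical takeaway for the thread's situation: "bad decrypt" is raised while decrypting the file named by private_key in subca.conf (or by -keyfile), so the key file itself and the passphrase used for it are what to check, not the config; copying a sub-CA to another machine means copying that key file unchanged and using the same passphrase. Run key_matches_cert against the copied cacert.pem and cakey.pem with the passphrase before running openssl ca; a return of 2 means the key never loaded, 1 means the files come from different CAs.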
