[strongSwan] Strongswan Unable to load OpenSSL RSA Private-Key File

Rajiv Kulkarni rajivkulkarni69 at gmail.com
Mon Nov 14 17:22:09 CET 2011


Hi Tobias

Thank you so much for all the help in solving this issue I am facing.

You are right, I am getting the same error when I use the -check option for
the priv key files. I will try to see why it's so. Will get back to you with
any updates/info.

The surprising thing is that when i use the same certificate and
corresponding private key file with Racoon (ikev1), they work perfectly and
I am able to establish ike/ipsec tunnels successfully using these certs.

Also when I try to verify whether the cert and the corresponding
private-key match, using the following:

openssl rsa -in <priv-key.pem> -noout -modulus | openssl sha1
openssl x509 -in <cert.pem> -noout -modulus | openssl sha1

they match perfectly as they should. But then again the private key file
does seem to have consistency check error though?

thanks & regards
rajiv



On Thu, Nov 10, 2011 at 11:56 PM, Tobias Brunner <tobias at strongswan.org> wrote:

> Hi Rajiv,
>
> When I use
>
>        openssl rsa -in mfcgw1key2.pem -check -noout
>
> on my x86_64 machine with OpenSSL 0.9.8o I get
>
>        RSA key error: dmp1 not congruent to d
>        RSA key error: dmq1 not congruent to d
>
> which is also the reason why our libgmp based plugin doesn't like the
> keys, i.e.
>
> > 00[LIB] key integrity tests failed
>
> is logged.  Actually, OpenSSL reports this error for all the keys you
> sent.  So it sure looks like your keys got corrupted somehow (or never
> were valid in the first place).
>
> Regards,
> Tobias
>
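
Added example, not part of the original thread and not strongSwan or OpenSSL code: a toy RSA key showing that the modulus comparison and the -check test look at different fields, so a key can match its certificate's modulus and still report the two errors quoted above. The primes, the message value 65, the function names and the error labels other than the two strings quoted in the thread are constructed for illustration; the signing is unpadded textbook RSA.

```python
from math import gcd

def make_key(p, q, e):
    """Compute the fields a PKCS#1 RSA private key file stores."""
    d = pow(e, -1, (p - 1) * (q - 1))
    return {"n": p * q, "e": e, "d": d, "p": p, "q": q,
            "dmp1": d % (p - 1), "dmq1": d % (q - 1), "iqmp": pow(q, -1, p)}

def check_key(k):
    """Consistency tests of the kind `openssl rsa -check` reports on."""
    errors = []
    lcm = (k["p"] - 1) * (k["q"] - 1) // gcd(k["p"] - 1, k["q"] - 1)
    if k["p"] * k["q"] != k["n"]:
        errors.append("n is not p*q")
    if k["d"] * k["e"] % lcm != 1:
        errors.append("d*e is not 1 mod lcm(p-1, q-1)")
    if (k["dmp1"] - k["d"]) % (k["p"] - 1) != 0:
        errors.append("dmp1 not congruent to d")
    if (k["dmq1"] - k["d"]) % (k["q"] - 1) != 0:
        errors.append("dmq1 not congruent to d")
    if k["iqmp"] * k["q"] % k["p"] != 1:
        errors.append("iqmp is not the inverse of q mod p")
    return errors

def sign_plain(k, m):
    """Private-key operation using only n and d."""
    return pow(m, k["d"], k["n"])

def sign_crt(k, m):
    """Private-key operation using the CRT fields p, q, dmp1, dmq1, iqmp."""
    m1 = pow(m, k["dmp1"], k["p"])
    m2 = pow(m, k["dmq1"], k["q"])
    h = k["iqmp"] * (m1 - m2) % k["p"]
    return m2 + h * k["q"]

# Constructed toy key (tiny primes, not a real key) and a damaged copy
# in which only the two CRT exponents are wrong.
GOOD = make_key(61, 53, 17)
BAD = dict(GOOD, dmp1=GOOD["dmp1"] + 1, dmq1=GOOD["dmq1"] + 1)
CERT_MODULUS = GOOD["n"]  # what `openssl x509 -modulus` would print

if __name__ == "__main__":
    for name, key in (("good", GOOD), ("bad", BAD)):
        print(name, "modulus matches cert:", key["n"] == CERT_MODULUS)
        print(name, "check errors:", check_key(key))
        for fn in (sign_plain, sign_crt):
            ok = pow(fn(key, 65), key["e"], key["n"]) == 65
            print(name, fn.__name__, "verifies:", ok)
```

The damaged key still yields a valid result through the n/d path, while the CRT path produces a value that does not verify.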