[strongSwan] Strongswan Unable to load OpenSSL RSA Private-Key File
Rajiv Kulkarni
rajivkulkarni69 at gmail.com
Mon Nov 14 17:22:09 CET 2011
Hi Tobias
Thank you so much for all the help in solving this issue I am facing.
You are right, I am getting the same error when I use the -check option for
the priv key files. I will try to see why it's so. Will get back to you with
any updates/info.
The surprising thing is that when I use the same certificate and
corresponding private key file with Racoon (ikev1), they work perfectly and
I am able to establish ike/ipsec tunnels successfully using these certs.
Also when I try to verify whether the cert and the corresponding
private-key match, using the following:
openssl rsa -in <priv-key.pem> -noout -modulus | openssl sha1
openssl x509 -in <cert.pem> -noout -modulus | openssl sha1
they match perfectly as they should. But then again the private key file
does seem to have a consistency check error though?
thanks & regards
rajiv
On Thu, Nov 10, 2011 at 11:56 PM, Tobias Brunner <tobias at strongswan.org> wrote:
> Hi Rajiv,
>
> When I use
>
> openssl rsa -in mfcgw1key2.pem -check -noout
>
> on my x86_64 machine with OpenSSL 0.9.8o I get
>
> RSA key error: dmp1 not congruent to d
> RSA key error: dmq1 not congruent to d
>
> which is also the reason why our libgmp based plugin doesn't like the
> keys, i.e.
>
> > 00[LIB] key integrity tests failed
>
> is logged. Actually, OpenSSL reports this error for all the keys you
> sent. So it sure looks like your keys got corrupted somehow (or never
> were valid in the first place).
>
> Regards,
> Tobias
>
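The two checks discussed in this thread test different fields of the key: comparing `-modulus` output only compares n, while `-check` also verifies the CRT parameters (dmp1, dmq1, iqmp). The sketch below is an added example, not part of the original messages and not strongSwan or OpenSSL code; it uses a constructed toy key with textbook-sized primes, a deliberately altered copy, and hypothetical function names.

```python
# Added example: constructed toy RSA key (tiny primes, illustration only).
from math import gcd

def make_key(p, q, e):
    """Build a full RSA private key record, including the CRT parameters."""
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    d = pow(e, -1, lam)                            # private exponent
    return {"n": p * q, "e": e, "d": d, "p": p, "q": q,
            "dmp1": d % (p - 1), "dmq1": d % (q - 1), "iqmp": pow(q, -1, p)}

def check_key(k):
    """Return consistency errors, worded like the messages quoted in the thread."""
    errors = []
    p, q, d, e = k["p"], k["q"], k["d"], k["e"]
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    if k["n"] != p * q:
        errors.append("n does not equal p q")
    if (d * e) % lam != 1:
        errors.append("d e not congruent to 1")
    if k["dmp1"] != d % (p - 1):
        errors.append("dmp1 not congruent to d")
    if k["dmq1"] != d % (q - 1):
        errors.append("dmq1 not congruent to d")
    if k["iqmp"] != pow(q, -1, p):
        errors.append("iqmp not inverse of q")
    return errors

def modulus_matches(key, cert_modulus):
    """What comparing the two `-modulus` digests tests: n and nothing else."""
    return key["n"] == cert_modulus

# Constructed sample: a consistent key and the modulus its certificate would carry.
good = make_key(p=61, q=53, e=17)
cert_modulus = good["n"]

# Constructed damage: same n, d, p, q, but altered CRT exponents.
bad = dict(good)
bad["dmp1"] += 1
bad["dmq1"] += 1

if __name__ == "__main__":
    for name, key in (("good", good), ("bad", bad)):
        print(name, "modulus match:", modulus_matches(key, cert_modulus),
              "check errors:", check_key(key))
```

The altered key still passes the modulus comparison while failing the same two consistency tests that `openssl rsa -check` reported above.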