[strongSwan] Debian 10 CA. Ubuntu 18 building CRED_PRIVATE_KEY - RSA failed

[Ivan Lopez]

Hi, people.

I've a private CA based on Ubuntu 12 (OpenSSL 1.0.2h  3 May 2016) wich 
generates certificates for our roadwarriors (mostly Ubuntu 18 and 
windows 10) and works well. Certs are generated using CA.pl from openssl 
package.

I've been trying to migrate the CA to a Debian 10 (OpenSSL 1.1.1d  10 
Sep 2019) but private key generated in it are unreadable by strongswan 
in roadwarriors (Ubuntu 18, Strongswan 5.6.2-1ubuntu2, OpenSSL 1.1.1  11 
Sep 2018). May be stronger/different ciphers?. For example:

a) With original CA generated key and cert:

root at ubuntu:/etc/ipsec.d/private# pki --print -t rsa -i mper.key.pem
Private key passphrase:
   privkey:   RSA 2048 bits
   keyid:     51:....
   subjkey:   63:........

b) With new CA generated key and cert:

root at ubuntu:/etc/ipsec.d/private# pki --print -t rsa -i lmar.key.pem
Private key passphrase:
building CRED_PRIVATE_KEY - RSA failed, tried 9 builders
parsing input failed

but openssl in the same roadwarrior, shows key info pretty well:

root at ubuntu:/etc/ipsec.d/private# openssl rsa  -in lmar.key.pem -noout -text
Enter pass phrase for lmar.key.pem:
RSA Private-Key: (2048 bit, 2 primes)
modulus:
     00:c4:32:1c:64:96:70:8c:a6:16:6f:33:57:4c:7d:..........

c) In a roadwarrior Debian 10 based (strongswan 5.7.2-1). The key which 
fails in Ubuntu 18 is readed ok.

root at sisftossrv:/home/sistemas# pki --print -t rsa -i lmar.key.pem
Private key passphrase:
   privkey:   RSA 2048 bits
   keyid:     8a:.....
   subjkey:   7f:.....

Can you help me?. Is it possible my versions mix or is impractical to 
have my CA in Debian 10?.

Thanks in advance. Best regards.

Iván

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20210505/90a14415/attachment.html>