Graylog 3.2 PKCS8 Encrypted Key Issue

Ran into an issue configuring HTTPS on Graylog 3.2 when it comes to the PKCS8 key. When starting the server, I receive an error message in the log for JerseyService:

“Caused by: ObjectIdentifier() – data isn’t an object ID (tag = 48)”

I’ve come across numerous other posts from earlier this year for the same issue in 3.2. The solution the majority of the time was to re-run the openssl conversion and create a plain unencrypted PKCS8 key.

From a security standpoint - is this safe? Wouldn’t it be preferred to use an encrypted key instead? Does anyone know of a better workaround or fix to this issue?


First and final bump, to see if anyone has any thoughts or suggestions about this. This seems important and it’s concerning that this has been avoided for many months.

What steps did you take to create the key?

Is this a self signed certificate? How is that created?

I followed the provided documentation to create a self-signed certificate. I followed all commands and instructions. Others have done the same and have had the same issue:

I understand, from seeing many of your previous comments on other posts, that this is not preferred, and that it’s safer to use an issued certificate from a CA. I would argue that some people in certain environments do not have access to a CA and that a self-signed cert is their only option. I have not seen posts from previous versions of Graylog with this issue, at least not at the frequency that the current version has experienced.

There are similar problems in all of these posts. The only solution is to remove the password from the key.
So this should be a fundamental problem.

It makes no difference whether it's a self-signed certificate or not. I don't use a self-signed certificate, and had the same problem.


I can confirm this bug. Java 8 and 11 cannot handle most (or all?) encrypted pkcs8 keys.
I’m currently working on a fix.


I also found a workaround (see issue comment)


Thank you for this information, I can go with this workaround until a fix is available.


Thank you @mpfz0r @x-wolverine-x @jan. I appreciate it!

Hello everybody,

I have wasted a lot of time with this problem, and when I had finally discovered how to proceed and went to open a post about this to share my approach, I found this thread.

The problem when using encrypted pkcs8 certs:
Caused by: ObjectIdentifier() - data isn't an object ID (tag = 48)

Just use the plain text file generated with:
openssl pkcs8 -in pkcs5-plain.pem -topk8 -nocrypt -out pkcs8-plain.pem

Remember to change http_tls_key_file and comment out http_tls_key_password:
http_tls_key_file = /your-cert-path/pkcs8-plain.pem
# http_tls_key_password =

You can make your key encrypted with:
openssl pkcs8 -v1 PBE-SHA1-3DES -topk8 -in pkcs5-plain.pem -out file-encrypted.pem -passout pass:yourpasswordhere

You should also check that the certificate files have read permissions and belong to the graylog user:
chown graylog:graylog cert-files

Best Regards.
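As an added example (not code from this thread or from Graylog), a small Python pre-flight check for the file named by http_tls_key_file: it parses the DER inside the PEM and reports whether the key is a plain PKCS#8 PrivateKeyInfo (the form the unencrypted workaround above produces) or an EncryptedPrivateKeyInfo, and for an encrypted key which PBE scheme its AlgorithmIdentifier names, so you can see the PBES2 default versus the -v1 PBE-SHA1-3DES variant from the last post before Graylog tries to load it. The OID table and the two dummy sample keys are constructed for this example and are not real key material.

```python
"""Pre-flight check for a Graylog http_tls_key_file: plain PKCS#8 or encrypted, and which PBE."""
import base64

# OIDs relevant to this thread (RFC 8018 / PKCS#12 values, not taken from Graylog).
PBE_OIDS = {
    "1.2.840.113549.1.5.13": "PBES2 (openssl pkcs8 default)",
    "1.2.840.113549.1.12.1.3": "pbeWithSHA1And3-KeyTripleDES-CBC (-v1 PBE-SHA1-3DES)",
}

def _tlv(buf, pos=0):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _oid(value):
    """Decode OID content bytes to dotted notation."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def classify_pkcs8(pem):
    """Return 'plain' for PrivateKeyInfo, 'encrypted:<oid> <name>' otherwise."""
    body = "".join(ln for ln in pem.splitlines() if not ln.startswith("-----"))
    tag, outer, _ = _tlv(base64.b64decode(body))
    assert tag == 0x30, "PKCS#8 must start with a DER SEQUENCE (tag 48 = 0x30)"
    first_tag, first, _ = _tlv(outer)
    if first_tag == 0x02:                    # INTEGER version -> plain PrivateKeyInfo
        return "plain"
    _, oid, _ = _tlv(first)                  # SEQUENCE -> AlgorithmIdentifier, read its OID
    dotted = _oid(oid)
    return "encrypted:%s %s" % (dotted, PBE_OIDS.get(dotted, "unknown PBE"))

# Constructed samples with 4 dummy key bytes (NOT real keys); short-form DER lengths only.
def _der(tag, content): return bytes([tag, len(content)]) + content
def _pem(der, label): return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, base64.b64encode(der).decode(), label)
RSA_OID, PBES2_OID = bytes.fromhex("2A864886F70D010101"), bytes.fromhex("2A864886F70D01050D")
PLAIN_PEM = _pem(_der(0x30, _der(0x02, b"\x00") + _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b""))
                 + _der(0x04, b"\xde\xad\xbe\xef")), "PRIVATE KEY")
ENC_PEM = _pem(_der(0x30, _der(0x30, _der(0x06, PBES2_OID) + _der(0x30, b""))
               + _der(0x04, b"\xde\xad\xbe\xef")), "ENCRYPTED PRIVATE KEY")
```

On a real deployment, run classify_pkcs8(open(path).read()) on the file configured as http_tls_key_file; anything other than "plain" means http_tls_key_password must also be set and the PBE scheme shown is what the Java key loader has to cope with.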
