Problem when converting a pkcs #12 file to a private key and certificate pair


(Christian Steinkopf) #1

Hello,

I am new to this forum and I am not an expert in Graylog or Linux, so forgive me if this problem is basic stuff.

Following the documentation at http://docs.graylog.org/en/2.4/pages/configuration/https.html to enable HTTPS on the Graylog web interface, I run into problems when running the command below.

openssl pkcs12 -in keystore.pfx -nokeys -out graylog-certificate.pem

139860564162200:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:157:

I am creating the certificates before enabling TLS through the server config file. I hope this is the right order of things.

Any help welcome
-triscint


(Jochen) #2

Is this the complete output of the given OpenSSL command?
Are you sure that there is no passphrase set for the PKCS12 key store (the PFX file)?

Other than that, I can only refer you to Google:
https://www.google.de/search?q=openssl+pkcs12+“ASN1_get_object%3Aheader+too+long”


(Christian Steinkopf) #3

root@ubuntu-graylog:/etc/graylog/server# openssl pkcs12 -in keystore.pfx -nokeys -out graylog-certificate.pem
139974431352472:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:157:
root@ubuntu-graylog:/etc/graylog/server#

That is the full output of the command. I got to this point just by copying and pasting most commands in the referenced configuration. Did I screw up a possible command before this one that would lead me to this point?


(Christian Steinkopf) #4
root@ubuntu-graylog:/etc/graylog/server# openssl req -x509 -days 365 -nodes -newkey rsa:2048 -config openssl-graylog.cnf -keyout pkcs5-plain.pem -out cert.pem
Generating a 2048 bit RSA private key
..+++
..........+++
writing new private key to 'pkcs5-plain.pem'
root@ubuntu-graylog:/etc/graylog/server# openssl pkcs8 -in pkcs5-plain.pem -topk8 -nocrypt -out pkcs8-plain.pem
root@ubuntu-graylog:/etc/graylog/server# openssl pkcs8 -in pkcs5-plain.pem -topk8 -out pkcs8-encrypted.pem -passout pass:secret
root@ubuntu-graylog:/etc/graylog/server# openssl pkcs12 -in keystore.pfx -nokeys -out graylog-certificate.pem
Error opening input file keystore.pfx
keystore.pfx: No such file or directory
root@ubuntu-graylog:/etc/graylog/server# touch keystore.pfx
root@ubuntu-graylog:/etc/graylog/server# ls
cert.pem      log4j2.xml  openssl-graylog.cnf  pkcs8-encrypted.pem  server.conf
keystore.pfx  node-id     pkcs5-plain.pem      pkcs8-plain.pem
root@ubuntu-graylog:/etc/graylog/server# openssl pkcs12 -in keystore.pfx -nokeys -out graylog-certificate.pem
139860564162200:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:157:

Is the problem with -passout pass:secret? Was that supposed to be an actual password that I configure?


(Jochen) #5

You’re mixing up a few things. If you don’t have an existing PKCS#12 key store (PFX file) from which you want to export a private key and certificate for Graylog, you don’t have to run these commands.

An empty file (touch keystore.pfx) isn’t a valid PKCS#12 key store.


(Christian Steinkopf) #6

Okay. I see through context clues now that this should have been obvious. That is what I get for just going down the page and copying commands into PuTTY. Just double checking: besides creating a self-signed certificate and then enabling the appropriate server.conf settings, are there any other steps I need to take to get HTTPS to work? Not including optional steps like disabling certain algorithms.


(Jochen) #7

You’ll have to add your custom certificates to the JVM trust store as described in the HTTPS chapter of the Graylog documentation.
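The thread's workflow (self-signed certificate, PKCS#8 conversion, and the PKCS#12 export that only applies when a real PFX exists) as an added shell example; this is not code from the thread or from the Graylog documentation. It adds a pre-check that rejects the empty `keystore.pfx` case from post #4 before OpenSSL ever sees it, then runs the same commands against a real, constructed PKCS#12 store so the export step succeeds. The subject name `graylog.example.test` and the passphrase `secret` are placeholders; `openssl` is assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not from the thread or the Graylog docs.

# Cheap sanity check before handing a file to `openssl pkcs12`: a PKCS#12
# store is DER-encoded, so its first byte is the ASN.1 SEQUENCE tag 0x30.
# An empty file (the thread's `touch keystore.pfx`) has no header at all,
# which OpenSSL reports as "ASN1_get_object:header too long".
# Prints a reason and returns 1 on a rejected file, 0 when it looks valid.
check_pkcs12_file() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "reject: $f does not exist"; return 1
    fi
    if [ ! -s "$f" ]; then
        echo "reject: $f is empty, not a PKCS#12 store"; return 1
    fi
    first=$(od -An -tx1 -N1 "$f" | tr -d ' \n')
    if [ "$first" != "30" ]; then
        echo "reject: $f does not start with an ASN.1 SEQUENCE (got 0x$first)"; return 1
    fi
    echo "ok: $f looks like a DER PKCS#12 store"
}

# Full round trip in a scratch directory. Returns 0 when the certificate
# exported from the PKCS#12 store matches the one that went into it,
# 1 on any failure, and 2 (skip) when openssl is not installed.
demo_pkcs12_roundtrip() {
    command -v openssl >/dev/null 2>&1 || { echo "skip: openssl not installed"; return 2; }
    dir=$(mktemp -d)
    if (
        cd "$dir" &&
        # 1. Self-signed certificate plus unencrypted PKCS#5 key (constructed subject).
        openssl req -x509 -days 365 -nodes -newkey rsa:2048 \
            -subj "/CN=graylog.example.test" \
            -keyout pkcs5-plain.pem -out cert.pem 2>/dev/null &&
        # 2. PKCS#8 conversions, one plain and one encrypted with a placeholder passphrase.
        openssl pkcs8 -in pkcs5-plain.pem -topk8 -nocrypt -out pkcs8-plain.pem &&
        openssl pkcs8 -in pkcs5-plain.pem -topk8 -out pkcs8-encrypted.pem -passout pass:secret &&
        # 3. Only needed when you really have a PFX: build one here so the
        #    export command has a valid store to read.
        openssl pkcs12 -export -inkey pkcs5-plain.pem -in cert.pem \
            -out keystore.pfx -passout pass:secret &&
        check_pkcs12_file keystore.pfx &&
        # 4. The thread's export command, now with a valid store and its passphrase.
        openssl pkcs12 -in keystore.pfx -nokeys -passin pass:secret \
            -out graylog-certificate.pem &&
        # 5. Prove the exported certificate is the one we started with.
        a=$(openssl x509 -in cert.pem -noout -fingerprint -sha256) &&
        b=$(openssl x509 -in graylog-certificate.pem -noout -fingerprint -sha256) &&
        [ -n "$a" ] && [ "$a" = "$b" ]
    ); then rc=0; else rc=1; fi
    rm -rf "$dir"
    return $rc
}
```

Running `demo_pkcs12_roundtrip` from the shell performs the whole sequence and leaves nothing behind. For the self-signed case the thread ends up in, steps 3 and 4 are unnecessary: `cert.pem` and `pkcs8-plain.pem` (or the encrypted variant with its passphrase in `server.conf`) are what Graylog needs, followed by the trust-store step from the HTTPS chapter, which imports `cert.pem` into a copy of the JVM's `cacerts` with `keytool -importcert`.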

