I wanted to see if anyone has seen this strange issue before. We have a Microsoft CA setup, and when I export the cert in PFX format and convert it to PEM using OpenSSL, it will not work if I use any OpenSSL version in the 1.1.X train. I found an old server with OpenSSL 1.0.2g and it worked perfectly. There were no changes to the PFX or the commands used; the only difference was the OpenSSL version.
I did notice that the newer versions of OpenSSL have slightly different formatting than the older versions. Anyways, it’s working now. I’m wondering if this is a known bug, or has anyone else seen this behavior?
Using the newer versions of OpenSSL, Graylog fails to start and creates the error:
Suppressed: com.google.common.util.concurrent.ServiceManager$FailedService: JerseyService [FAILED] Caused by: java.io.IOException: ObjectIdentifier() -- data isn't an object ID (tag = 48)
In both scenarios I used the same PFX and the following commands:
$ openssl pkcs12 -in keystore.pfx -nokeys -out graylog-certificate.pem
$ openssl pkcs12 -in keystore.pfx -nocerts -out graylog-pkcs5.pem
$ openssl pkcs8 -in graylog-pkcs5.pem -topk8 -out graylog-key.pem
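Added example (not part of the original post): a small Python check that lists the algorithm identifiers in the header of an encrypted PKCS#8 file such as graylog-key.pem, so the outputs of the two OpenSSL versions can be compared. OpenSSL 1.1.0 changed the `pkcs8 -topk8` default from pbeWithMD5AndDES-CBC to PBES2 with AES-256-CBC and HMAC-SHA256, which nests further SEQUENCEs inside the algorithm parameters. The function names and both sample keys are constructed for illustration, with dummy salt, IV and ciphertext.

```python
import base64

NAMES = {  # OIDs this example recognises (PKCS#5 and NIST AES arcs)
    "1.2.840.113549.1.5.3": "pbeWithMD5AndDES-CBC",
    "1.2.840.113549.1.5.13": "PBES2",
    "1.2.840.113549.1.5.12": "PBKDF2",
    "1.2.840.113549.2.9": "hmacWithSHA256",
    "2.16.840.1.101.3.4.1.42": "aes256-CBC",
}

def read_tlv(buf, pos):  # returns (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear: last byte of this arc
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def walk_oids(buf, pos, end):  # every OBJECT IDENTIFIER (tag 6), depth first
    while pos < end:
        tag, start, stop = read_tlv(buf, pos)
        if tag == 0x06:
            yield decode_oid(buf[start:stop])
        elif tag == 0x30:  # SEQUENCE: 0x30 is the decimal 48 in the error
            yield from walk_oids(buf, start, stop)
        pos = stop

def encryption_scheme(pem):  # algorithm names in an ENCRYPTED PRIVATE KEY header
    if "BEGIN ENCRYPTED PRIVATE KEY" not in pem:
        raise ValueError("not an encrypted PKCS#8 key")
    der = base64.b64decode("".join(ln for ln in pem.splitlines() if "-----" not in ln))
    # Outer SEQUENCE is EncryptedPrivateKeyInfo; its first element is encryptionAlgorithm.
    _, start, end = read_tlv(der, read_tlv(der, 0)[1])
    return [NAMES.get(oid, oid) for oid in walk_oids(der, start, end)]

def to_pem(hexder):  # wraps constructed DER; salt, IV, ciphertext are dummies
    body = base64.encodebytes(bytes.fromhex(hexder)).decode()
    return f"-----BEGIN ENCRYPTED PRIVATE KEY-----\n{body}-----END ENCRYPTED PRIVATE KEY-----\n"
PBES1_PEM = to_pem("3027301b06092a864886f70d010503300e04080102030405060708"
                   "0202080004081112131415161718")
PBES2_PEM = to_pem("3063305706092a864886f70d01050d304a302906092a864886f70d01050c301c"
                   "0408010203040506070802020800300c06082a864886f70d02090500301d"
                   "060960864801650304012a0410000102030405060708090a0b0c0d0e0f04082122232425262728")
```

Running encryption_scheme(open("graylog-key.pem").read()) on the file from each OpenSSL version shows which scheme was written; the pkcs8 -v1 and -v2 options select the scheme explicitly.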