TLS/SSL Microsoft CA and OpenSSL

Hi Everyone,

I wanted to see if anyone has seen this strange issue before. We have a Microsoft CA setup, and when I export the cert in PFX format and convert it to PEM using OpenSSL, it will not work if I use any OpenSSL version in the 1.1.X train. I found an old server with OpenSSL 1.0.2g and it worked perfectly. There were no changes to the PFX or the commands used; the only difference was the OpenSSL version.

I did notice that the newer versions of OpenSSL have slightly different formatting than the older versions. Anyways, it’s working now. I’m wondering if this is a known bug, or has anyone else seen this behavior?

Using the newer versions of OpenSSL, Graylog fails to start and creates the error:

Suppressed: com.google.common.util.concurrent.ServiceManager$FailedService: JerseyService [FAILED]
Caused by: java.io.IOException: ObjectIdentifier() -- data isn't an object ID (tag = 48)

In both scenarios I used the same PFX and the following commands:

$ openssl pkcs12 -in keystore.pfx -nokeys -out graylog-certificate.pem
$ openssl pkcs12 -in keystore.pfx -nocerts -out graylog-pkcs5.pem
$ openssl pkcs8 -in graylog-pkcs5.pem -topk8 -out graylog-key.pem

Hey @samhut101

Did you have a password for your key? If yes, current Java versions with certain SSL versions do not work in Graylog with a key. We are working on a fix for that:

Hi @jan

Yes, in both scenarios I used the same password to encrypt the key. Would it be possible to update the documentation so other users don't get stuck on this like I did? I spent days trying to figure this out and eventually made a lucky guess to use an older version of OpenSSL.

Thanks
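The version difference discussed in this thread comes down to how `openssl pkcs8 -topk8` encrypts the key: OpenSSL 1.0.2 defaults to PBES1 (pbeWithSHA1And3-KeyTripleDES-CBC), while 1.1.0 and later default to PBES2 (PBKDF2 with AES-256-CBC), whose parameters nest further AlgorithmIdentifiers in DER SEQUENCEs (tag 48, the tag the Java error reports where it expected an OID). The following is an added example, not code from this thread or from Graylog: a small Python inspector that reports which scheme an ENCRYPTED PRIVATE KEY PEM uses; the two sample PEMs it builds are constructed placeholders with zeroed salt, IV and ciphertext, not real keys.

```python
import base64

PBES2 = "1.2.840.113549.1.5.13"  # OpenSSL >= 1.1.0 default for `pkcs8 -topk8`; 1.0.2 used 1.2.840.113549.1.12.1.3

def read_tlv(buf, off=0):
    """Decode one DER tag-length-value at buf[off]; return (tag, value, next_off)."""
    tag, n, off = buf[off], buf[off + 1], off + 2
    if n & 0x80:                                   # long-form length (real keys are > 127 bytes)
        k = n & 0x7F
        n, off = int.from_bytes(buf[off:off + k], "big"), off + k
    return tag, buf[off:off + n], off + n

def decode_oid(body):
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80: arcs.append(acc); acc = 0
    return ".".join(map(str, arcs))

def pkcs8_scheme(pem):
    """Scheme OID of an 'ENCRYPTED PRIVATE KEY' PEM, plus KDF/cipher OIDs when it is PBES2."""
    der = base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))
    _, epki, _ = read_tlv(der)                     # EncryptedPrivateKeyInfo
    _, alg, _ = read_tlv(epki)                     # encryptionAlgorithm AlgorithmIdentifier
    tag, body, off = read_tlv(alg)
    assert tag == 0x06, "expected OID, got tag %d" % tag   # 48 (0x30) would be a SEQUENCE, as in the Java error
    scheme = decode_oid(body)
    if scheme != PBES2:
        return {"scheme": scheme}
    _, params, _ = read_tlv(alg, off)              # PBES2-params ::= SEQUENCE { kdf AlgId, cipher AlgId }
    _, kdf, nxt = read_tlv(params)
    _, enc, _ = read_tlv(params, nxt)
    return {"scheme": scheme, "kdf": decode_oid(read_tlv(kdf)[1]), "cipher": decode_oid(read_tlv(enc)[1])}

# Constructed sample inputs (not real keys) in the two shapes OpenSSL emits; DER-encoded OIDs given as hex.
def der(tag, payload):
    return bytes([tag, len(payload)]) + payload    # short-form lengths suffice for these small samples

def wrap_pem(b):
    return "-----BEGIN ENCRYPTED PRIVATE KEY-----\n%s\n-----END ENCRYPTED PRIVATE KEY-----\n" % base64.b64encode(b).decode()

SEQ, OCT, INT = 0x30, 0x04, 0x02
OID_PBES2, OID_PBES1 = bytes.fromhex("06092a864886f70d01050d"), bytes.fromhex("060a2a864886f70d010c0103")
OID_PBKDF2, OID_AES256 = bytes.fromhex("06092a864886f70d01050c"), bytes.fromhex("060960864801650304012a")
PBE_PARAMS = der(SEQ, der(OCT, b"\0" * 8) + der(INT, b"\x08\x00"))        # salt, iterationCount 2048
KDF = der(SEQ, OID_PBKDF2 + PBE_PARAMS)                                    # PBKDF2 (prf omitted in sample)
CIPHER = der(SEQ, OID_AES256 + der(OCT, b"\0" * 16))                       # aes256-CBC with IV
PBES2_PEM = wrap_pem(der(SEQ, der(SEQ, OID_PBES2 + der(SEQ, KDF + CIPHER)) + der(OCT, b"\0" * 16)))
PBES1_PEM = wrap_pem(der(SEQ, der(SEQ, OID_PBES1 + PBE_PARAMS) + der(OCT, b"\0" * 16)))
```

Feed it the contents of graylog-key.pem instead of the samples to see which scheme your OpenSSL produced; `openssl pkcs8 -topk8 -v1 PBE-SHA1-3DES` selects the legacy PBES1 scheme explicitly regardless of OpenSSL version.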
