Reset Search



5802 - Importing PEM encoded certificate produces "ERROR: Does not appear to be a valid RSA private key in PEM format"

« Go Back


Last Modified Date11/27/2017 2:54 PM
This article describes an issue where the error message of "ERROR: Does not appear to be a valid RSA private key in PEM format
" appears when importing a PEM encoded certificate.
Problem or Goal
When importing PEM encoded (Base64) certificate into virtual Traffic Manager, the following error message may appear:
ERROR: Does not appear to be a valid RSA private key in PEM format

When verifying private/public key pair, the following error message may appear:
$ZEUSHOME/admin/bin/cert --check --key private.pem --in public.pem
Error reading key file:Private Key parse error: 9: Was looking for integer
This issue occurs due to the certificate is encoded in PKCS#8 format.
To resolve this issue, perform the following steps:
  1. To verify the key format open the private key. If the key is starts with "BEGIN PRIVATE KEY", then the file is in PKCS#8 format
  1. To convert this in PKCS#1 format, use below command:
openssl rsa -in oldkey.pem -out newkey.pem

The new RSA key (newkey.pem) should start with:


Background Information

There are mutliple ways of creating RSA keys using openssl. Below are few examples:

  1. using genrsa. Traditional approach to create RSA private key, still works but now superceded by genpkey. To create key using genrsa use below command:
openssl genrsa -des3 -out privateKey.pem 2048

This creates RSA key in PEM format with PKCS#1 encoding which works with Stingray. This adds header/footer (-----BEGIN RSA PRIVATE KEY-----/-----END RSA PRIVATE KEY-----)

  1. using new utility 'genpkey'. This was introduced in newer version of openssl (i.e. version 1.0.0+) and its default format (if is PKCS#8. For example, below command creates key in PKCS#8 format.
openssl genpkey -algorithm RSA -out privateKey.pem

This adds header/footer (-----BEGIN PRIVATE KEY-----/-----END PRIVATE KEY-----)

  1. using 'req' with '-new'. As an eample, below command creates RSA private key along with certificate signing request (csr):
openssl req -new -newkey rsa:2048 -nodes -keyout privateKey.pem -out request.csr

If the -key option is not used with req -new, it will generate a new RSA private key in PKCS#10 format with header (-----BEGIN PRIVATE KEY-----)

In the above examples, only key created with option 1 works with Stingray and the other two formats in (2 and3) needs to be converted to traditional format.

There is an open feature request (RFE#SR19268) for PKCS#8 support.

Related Links
Attachment 1 
Created ByVenkataKondaReddy Palem



Was this article helpful?



Please tell us how we can make this article more useful.

Characters Remaining: 255