Is there a way to generate a CSR for the ESA 5000 without generating a new private key?

Hi all,

Is there a way to generate a CSR for the ESA 5000 without generating a new private key? I've tried to do so with a command like:

.\openssl.exe req -new -key "path\to\key\_Digicert-key.pem" -nodes -out company.csr -subj "/C=FOO/ST=BAR/L=FOO/O=BAR LLC/CN=mailsec.company.com" 

But get

"unable to load Private Key

34359836736:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:crypto/evp/evp_enc.c:612:

34359836736:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:crypto/pkcs12/p12_decr.c:62:

34359836736:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:crypto/pkcs12/p12_decr.c:93:

34359836736:error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib:crypto/pem/pem_pkey.c:88:"

It's asking for a passphrase and I'm not seeing a record of it anywhere, so that may be the stumbling block, or could it be something else?

Category: Email Security Appliances

Answers

  • TKWITS Community Legend ✭✭✭✭✭

    This is really more of an openssl question than Sonicwall specific.


  • wrinks Newbie ✭

    That's fair...

    I've seen that link as well as a few other Stack Exchange-like answers. However, when I try this command and a few different ones I still keep getting those 'unable to load private key' errors. I was able to verify the correct passphrase for the .pem file, but I think it's still encrypted or something as I keep getting that error even with an openssl rsa -outform der -in file.pem -out file.key command, which I thought could help convert it.

    Put in a ticket with Sonicwall and they said they'll help me generate a new cert. Not sure if this means just using the GUI or something to generate a new private key too which I was trying to avoid but we'll see.

  • TKWITS Community Legend ✭✭✭✭✭

    Support will probably just make you generate a new CSR with a new private key on the GUI. They are too eager to do things according to the book. Many times I've questioned what they were doing during a remote session and have had to tell them to stop.

    Is your keyfile the correct format? Are you passing the correct format(s) as a command to OpenSSL?

    Disclaimer: I'm no OpenSSL expert but have used it plenty.

  • wrinks Newbie ✭

    @TKWITS That's what I'm afraid of as well...

    Here's some iterations of what I've tried. I'm still a bit new to OpenSSL so bear with me:



    .\openssl req -new -key foo.pem -nodes -out foo.csr -subj "/C=US/ST=AK/L=Foo/O=Bar LLC/CN=foo.bar.com"


    .\openssl x509 -x509toreq -in "foo.crt" -signkey "foo.pem" -out foo.bar.com-new.csr


    ## convert pem to key, or at least I thought it would?

    .\openssl rsa -outform der -in foo.pem -out foo.bar.com.key


    All of these commands fail with the same error:

    unable to load Private Key

    34359836736:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:crypto/evp/evp_enc.c:612:

    34359836736:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:crypto/pkcs12/p12_decr.c:62:

    34359836736:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:crypto/pkcs12/p12_decr.c:93:

    34359836736:error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib:crypto/pem/pem_pkey.c:88:


    So, I'm guessing there is an issue with the formatting, or because it's a pem... Though I thought the last command could be used to convert between these formats? Not sure though.
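
Added example, not part of any post in this thread: generating a CSR from an existing passphrase-protected key with openssl req -new -key, after checking the key file's PEM format and passphrase, then confirming the CSR holds the same public key. It is POSIX shell working on a throwaway key; the passphrase, the KEYPASS variable and the file names are constructed, and the openssl arguments are the same when typed into PowerShell.

```shell
#!/bin/sh
# Added example. Key, passphrase and file names are constructed, not from the thread.
set -u
WORK=$(mktemp -d)
KEY="$WORK/existing.pem"; CSR="$WORK/new.csr"
SAMPLE_PASS='constructed-passphrase'

# Stand-in for the existing key: an RSA key in a passphrase-protected PEM file.
make_sample_key() {
    KEYPASS="$SAMPLE_PASS" openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -aes-256-cbc -pass env:KEYPASS -out "$KEY" 2>/dev/null
}

# Read the PEM header to see which container the key is in and whether it is encrypted.
key_format() {
    if grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$1"; then echo pkcs8-encrypted
    elif grep -q 'Proc-Type: 4,ENCRYPTED' "$1"; then echo traditional-encrypted
    elif grep -q 'PRIVATE KEY-----' "$1"; then echo unencrypted
    else echo not-a-private-key; fi
}

# Exit status 0 only if the passphrase decrypts the key. env: keeps the
# passphrase out of the process list, unlike pass: on the command line.
passphrase_ok() { KEYPASS="$2" openssl pkey -in "$1" -passin env:KEYPASS -noout 2>/dev/null; }

# New CSR signed with the existing key; -key reuses it, so no new key is generated.
csr_from_existing_key() {
    KEYPASS="$2" openssl req -new -key "$1" -passin env:KEYPASS -out "$3" \
        -subj "/C=US/ST=AK/L=Foo/O=Bar LLC/CN=foo.bar.com"
}

# Digest of the public key held by the private key file and by the CSR.
pub_of_key() { KEYPASS="$2" openssl pkey -in "$1" -passin env:KEYPASS -pubout | openssl dgst -sha256; }
pub_of_csr() { openssl req -in "$1" -noout -pubkey | openssl dgst -sha256; }

make_sample_key
echo "format: $(key_format "$KEY")"
passphrase_ok "$KEY" 'wrong-guess' || echo "wrong passphrase: key does not load"
if passphrase_ok "$KEY" "$SAMPLE_PASS" && csr_from_existing_key "$KEY" "$SAMPLE_PASS" "$CSR"; then
    [ "$(pub_of_key "$KEY" "$SAMPLE_PASS")" = "$(pub_of_csr "$CSR")" ] && echo "CSR matches existing key"
fi
```

Comparing the same public-key digest against the currently installed certificate (openssl x509 -in foo.crt -noout -pubkey) shows whether a reissued certificate will pair with the key already on the appliance.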
