Is there a way to generate a CSR for the ESA 5000 without generating a new private key?
Hi all,
Is there a way to generate a CSR for the ESA 5000 without generating a new private key? I've tried to do so with a command like:
.\openssl.exe req -new -key "path\to\key\_Digicert-key.pem" -nodes -out company.csr -subj "/C=FOO/ST=BAR/L=FOO/O=BAR LLC/CN=mailsec.company.com"
But get
"unable to load Private Key
34359836736:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:crypto/evp/evp_enc.c:612:
34359836736:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:crypto/pkcs12/p12_decr.c:62:
34359836736:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:crypto/pkcs12/p12_decr.c:93:
34359836736:error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib:crypto/pem/pem_pkey.c:88:"
It's asking for a passphrase and I'm not seeing a record of it anywhere, so that may be the stumbling block, or could it be something else?
Answers
This is really more of an openssl question than Sonicwall specific.
That's fair...
I've seen that link as well as a few other Stack Exchange-like answers. However, when I try this command and a few different ones I still keep getting those 'unable to load private key' errors. I was able to verify the correct passphrase for the .pem file, but I think it's still encrypted or something as I keep getting that error even with an openssl rsa -outform der -in file.pem -out file.key command, which I thought could help convert it.
Put in a ticket with Sonicwall and they said they'll help me generate a new cert. Not sure if this means just using the GUI or something to generate a new private key too which I was trying to avoid but we'll see.
Support will probably just make you generate a new CSR with a new private key on the GUI. They are too eager to do things according to the book. Many times I've questioned what they were doing during a remote session and have had to tell them to stop.
Is your keyfile the correct format? Are you passing the correct format(s) as a command to OpenSSL?
Disclaimer: I'm no OpenSSL expert but have used it plenty.
@TKWITS That's what I'm afraid of as well...
Here's some iterations of what I've tried. I'm still a bit new to OpenSSL so bear with me:
.\openssl req -new -key foo.pem -nodes -out foo.csr -subj "/C=US/ST=AK/L=Foo/O=Bar LLC/CN=foo.bar.com"
.\openssl x509 -x509toreq -in "foo.crt" -signkey "foo.pem" -out foo.bar.com-new.csr
## convert pem to key, or at least I thought it would?
.\openssl rsa -outform der -in foo.pem -out foo.bar.com.key
All of these commands fail with the same error:
unable to load Private Key
34359836736:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:crypto/evp/evp_enc.c:612:
34359836736:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:crypto/pkcs12/p12_decr.c:62:
34359836736:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:crypto/pkcs12/p12_decr.c:93:
34359836736:error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib:crypto/pem/pem_pkey.c:88:
So, I'm guessing there is an issue with the formatting, or because it's a pem... Though I thought the last command could be used to convert between these formats? Not sure though.
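Added example, not part of the thread and not any poster's or SonicWall's code: the `bad decrypt` error from `PEM_read_bio_PrivateKey` quoted above is what OpenSSL reports when it cannot decrypt a passphrase-protected key with the passphrase it was given. The script below builds a constructed encrypted key as a stand-in for the existing one, shows a wrong passphrase failing, then creates a CSR from that same key with `-passin` and checks that the CSR carries the key's public half. File names, the passphrase and the helper function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example. File names, passphrase and function names are constructed.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT        # do not leave sample key material behind
KEY="$WORK/existing-key.pem"
PASS='sample-passphrase'          # real use: -passin file:<path> or the prompt,
                                  # because pass: shows up in the process list
SUBJ='/C=US/ST=AK/L=Foo/O=Bar LLC/CN=foo.bar.com'

# Stand-in for the key already on disk: an encrypted PKCS#8 PEM file.
make_sample_key() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -aes-256-cbc -pass "pass:$PASS" -out "$KEY" 2>/dev/null
}

# Tell from the PEM header whether and how the key file is encrypted.
key_kind() {
  case "$(head -n 1 "$1")" in
    *"BEGIN ENCRYPTED PRIVATE KEY"*) echo "pkcs8-encrypted" ;;
    *"BEGIN PRIVATE KEY"*)           echo "pkcs8-plain" ;;
    *"BEGIN RSA PRIVATE KEY"*)
      if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"
      then echo "traditional-encrypted"; else echo "traditional-plain"; fi ;;
    *) echo "unknown" ;;
  esac
}

# Build a CSR from the existing key; req creates no new key when -key is given,
# so -nodes (which only affects a key that req itself creates) is not needed.
make_csr() {  # args: key passphrase out.csr
  openssl req -new -key "$1" -passin "pass:$2" -subj "$SUBJ" -out "$3" 2>/dev/null
}

# Confirm the CSR's public key is the one belonging to the private key file.
csr_matches_key() {  # args: csr key passphrase
  a=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 1
  b=$(openssl pkey -in "$2" -passin "pass:$3" -pubout 2>/dev/null) || return 1
  [ -n "$a" ] && [ "$a" = "$b" ]
}

make_sample_key
echo "key format: $(key_kind "$KEY")"
make_csr "$KEY" "wrong-guess" "$WORK/bad.csr" || echo "wrong passphrase: key not loaded"
make_csr "$KEY" "$PASS" "$WORK/new.csr" && csr_matches_key "$WORK/new.csr" "$KEY" "$PASS" \
  && echo "CSR built from the existing key"
```

The `openssl` arguments are the same when typed into PowerShell as `.\openssl.exe`; only the wrapper functions are shell-specific.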