`katello-certs-check` against a custom SSL certificate with non-RSA Private Key fails with an `:error:0607907F:digital envelope routines:EVP_PKEY_get1_RSA:expecting an rsa key:p_lib.c:287:`

Solution Verified - Updated

Environment

  • Red Hat Satellite 6.14 and below.

Issue

Running katello-certs-check against a custom SSL certificate with a non-RSA private key fails with the following error:

Checking to see if the private key matches the certificate: :error:0607907F:digital envelope routines:EVP_PKEY_get1_RSA:expecting an rsa key:p_lib.c:287:

Resolution

Bug 2255005 - [RFE] Support EC (and other non-RSA) keys for authentication on Red Hat Satellite 6.x has been raised to add support for non-RSA private keys.

For more KB articles/solutions related to Red Hat Satellite 6.x SSL Certificates Issues, please refer to the Consolidated Troubleshooting Article for Red Hat Satellite 6.x SSL Certificates Issues.

Root Cause

According to the following snippet from /usr/sbin/katello-certs-check, katello-certs-check only checks for RSA keys: it reads the private key modulus with openssl rsa, which rejects any key that is not an RSA key:

.
.
function check-priv-key () {
    printf "Checking to see if the private key matches the certificate: "
    CERT_MOD=$(openssl x509 -noout -modulus -in $CERT_FILE)
    KEY_MOD=$(openssl rsa -noout -modulus -in $KEY_FILE)
    if [[ "$CERT_MOD" != "$KEY_MOD" ]]; then
        error 2 "The $KEY_FILE does not match the $CERT_FILE"
    else
        success
    fi
}
.
.
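
An algorithm-independent way to run the same key/certificate match check by hand, as an added example that is not part of katello-certs-check or of this solution: it compares public keys instead of RSA moduli, so it also works for EC keys. The function names are hypothetical; the check only verifies the pair and does not change what katello-certs-check accepts.

```shell
#!/bin/sh
# Added example: algorithm-independent key/certificate match check.
# Function names are hypothetical, not taken from katello-certs-check.

# Print the certificate's public key algorithm, e.g. rsaEncryption or
# id-ecPublicKey. A value other than rsaEncryption means the RSA-only
# modulus comparison in the snippet above cannot read the matching key.
cert_key_algorithm() {
    openssl x509 -noout -text -in "$1" |
        sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1
}

# Return 0 if the private key belongs to the certificate, 1 if it does
# not, 2 if either file cannot be parsed. The comparison uses the PEM
# SubjectPublicKeyInfo, which exists for every key type, instead of the
# RSA modulus.
key_matches_cert() {
    kmc_cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 2
    kmc_key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 2
    [ "$kmc_cert_pub" = "$kmc_key_pub" ]
}

# Usage: sh check.sh <certificate.pem> <private-key.pem>
if [ "$#" -eq 2 ]; then
    printf 'Certificate public key algorithm: %s\n' "$(cert_key_algorithm "$1")"
    if key_matches_cert "$1" "$2"; then
        echo "Private key matches the certificate"
    else
        echo "Private key does not match the certificate (or a file is unreadable)" >&2
        exit 1
    fi
fi
```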

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.