https protocol error: unable to set private key file


  • #50845
    Jim Kosloskey
    Participant

      All,

      Cloverleaf 5.6 on AIX 5.3.

      I am attempting to do a POST.

      I have been told I need to use a Certificate provided by the receiving system. I take it to mean I must then use the ‘Client’ mode and have configured that way.

      It appears the ‘Client’ mode also requires that I have a Private Key.

      I have built that using openssl genrsa.

      However, when I attempt to POST I get an error:

      Detailed error:unable to set private key file: ‘the name of my key file here’ type PEM

      (by the way, it does not matter what I set the genrsa options to; the type above is always PEM).

      followed by:

      Curl errCode:58 Curl error: problem with the local SSL certificate.

      The above is clearly not very explanatory. There really are not that many options to generating the Private key in genrsa but I certainly could have hosed up one of the options.

      The errors seem to indicate there is an issue with the Private key – anybody have any clue what it is trying to tell me?

      email: jim.kosloskey@jim-kosloskey.com 29+ years Cloverleaf, 59 years IT - old fart.

      • #67745
        Rob Abbott
        Keymaster

          I think the private key needs to be in .key format not .pem — the following command will convert from pem to key:

          openssl rsa -in privkey.pem -out my-server.key

          Rob Abbott
          Cloverleaf Emeritus

        • #67746
          Jim Kosloskey
          Participant

            Rob,

            Thanks for the suggestion.

            However, after running the command you indicated and retrying I get the same error (I changed the NetConfig to reflect the new private key file name, etc. and stopped/started the thread).

            Is it possible the server to which I am trying to connect is rejecting the certificate/key combination or is this likely to be occurring on Cloverleaf(R) at the time of the POST?

            By the way, I acquired the certificate I am using from the server (United HealthCare) and it has a Public Key RSA 1024 bits. It looks to be a Verisign certificate.

            email: jim.kosloskey@jim-kosloskey.com 29+ years Cloverleaf, 59 years IT - old fart.

          • #67747
            David Barr
            Participant

              Jim Kosloskey wrote:

              Rob,

              Is it possible the server to which I am trying to connect is rejecting the certificate/key combination or is this likely to be occurring on Cloverleaf(R) at the time of the POST?

              I think your error is a Cloverleaf error.  I don’t think that the server is receiving your key.

              Quote:

              By the way, I acquired the certificate I am using from the server (United HealthCare) and it has a Public Key RSA 1024 bits. It looks to be a Verisign certificate.

              You need a private key if you’re doing client authentication.  Public keys of websites are used to authenticate the server (them) to the client (you).

              I think you need to find out if they want you to generate a client cert for authentication, or if you simply need to validate their server certificate when you connect.
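
Added example (not part of the original thread and not Cloverleaf's own code): when a client-mode HTTPS configuration rejects a private key, one local check is whether that key actually belongs to the certificate configured beside it, since a key freshly generated with openssl genrsa cannot match a certificate issued for someone else's key. The file names and the /CN=constructed-client subject are assumptions, and the sample keys and certificate are generated locally.

```shell
#!/bin/sh
# Added example. File names and the certificate subject are assumptions;
# the sample keys and certificate are constructed locally for the demo.

# Public key (PEM) embedded in a certificate.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Public key (PEM) derived from a private key file.
key_pubkey() { openssl pkey -in "$1" -pubout 2>/dev/null; }

# 0 = key belongs to cert, 1 = mismatch, 2 = a file could not be parsed.
key_matches_cert() {
    c=$(cert_pubkey "$1") || return 2
    k=$(key_pubkey "$2") || return 2
    [ -n "$c" ] && [ -n "$k" ] || return 2
    [ "$c" = "$k" ]
}

# Build constructed samples in directory $1: a key with its own self-signed
# certificate, plus an unrelated key such as a fresh genrsa run produces.
make_samples() {
    openssl genrsa -out "$1/client.key" 2048 2>/dev/null || return 2
    openssl req -new -x509 -key "$1/client.key" -subj "/CN=constructed-client" \
        -days 1 -out "$1/client.crt" 2>/dev/null || return 2
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null || return 2
}

# Report one pairing in words.
report() {
    rc=0
    key_matches_cert "$1" "$2" || rc=$?
    case $rc in
        0) echo "match: $2 belongs to $1" ;;
        1) echo "MISMATCH: $2 is not the key for $1" ;;
        *) echo "unreadable: check that $1 is a certificate and $2 a key" ;;
    esac
    return 0
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
report "$demo_dir/client.crt" "$demo_dir/client.key"   # own key
report "$demo_dir/client.crt" "$demo_dir/other.key"    # unrelated key
report "$demo_dir/client.crt" "$demo_dir/client.crt"   # certificate given as key
rm -rf "$demo_dir"
```
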

            • #67748
              Jim Kosloskey
              Participant

                Dave,

                Thanks for the input.

                Now the server (United Healthcare) folks say they are not authenticating anything. Although they indicate I need to use a Certificate.

                I suspect I should be able to use the ‘ClientAnon’ mode in the HTTPS configuration then.

                I have tried that in the past with them with no success but I guess I will try again.

                Maybe it is just working with this receiving system, but at this point,  I cannot for the life of me see how folks can complain about SNA if they have ever worked with SSL.

                email: jim.kosloskey@jim-kosloskey.com 29+ years Cloverleaf, 59 years IT - old fart.

              • #67749
                Charlie Bursell
                Participant

                  Jim:

                  I just go to the HTTPS site in question using IE and, if asked, accept their certificate.

                  Then click on View -> Security Report and you get a pop-up.  Click on View Certificate > Detail -> Copy to file

                  Now you have a copy you know works.  I just named mine .cer

                • #67750
                  Jim Kosloskey
                  Participant

                    Charlie,

                    Thanks.

                    I previously did that to get their Certificate. That was when they were telling me I needed a key. Now they are saying I don’t.

                    At least using ‘ClientAnon’ Mode in the HTTPS config is getting me into their site (no longer getting errors on the Private Key since I am not using one) – but since they cannot or won’t tell me what headers, etc. they need I am having to practically reverse engineer everything.

                    Oh well I guess this will keep me busy.

                    email: jim.kosloskey@jim-kosloskey.com 29+ years Cloverleaf, 59 years IT - old fart.
