Document Number: OSUP1060
Product: Observer v12.0 or greater
Date: 04/20/2007
Title: Locating, generating, and format of the Private Key File for SSL Decryption
Keywords: Private Key File, RSA, SSL, Decryption, https
SYMPTOM:
Unable to locate the Private Key File used for SSL Decryption or an error is received stating “Error Loading the Private Key File!”
REASONS:
The Private Key File is improperly formatted, encrypted, or you are unable to locate the Private Key File.
SOLUTIONS:
The location of the Private Key File differs for each web server application. For web servers not listed below, please refer to the supporting documentation for your web server application.
Apache Web Server
Search for the file named server.key. Check the format of the server.key file to ensure it is not an encrypted Private Key File containing the “Proc-Type: 4,ENCRYPTED” header (see Private Key File Format below). If the file is encrypted, it must be decrypted using the openssl command line tool and the password that was used to encrypt the Private Key File. The utility can be obtained from one of the following links:
http://www.openssl.org/
or for Win32 applications
http://www.google.com/search?source=ig&hl=en&q=Download+Win32+OpenSSL&btnG=Google+Search
The file can be decrypted using the following command (choose the appropriate locations for the input and output files):
openssl rsa -in server.key -out UnencryptedKey.key
[enter passphrase]
Windows IIS Web Server
Windows does not contain a searchable Private Key File. The key file must be extracted from the website Server Certificate. The Server Certificate must contain the Private Key File. Use the following Microsoft Support document to export your Server Certificate and Private Key to a single .pfx file: http://support.microsoft.com/kb/232136 (How to back up a server certificate in Internet Information Services)
Once you have successfully exported the .pfx (PKCS #12) file, you must obtain the openssl utility. The utility can be obtained from the following link:
http://www.google.com/search?source=ig&hl=en&q=Download+Win32+OpenSSL&btnG=Google+Search
With a valid .pfx Server Certificate backup file and the openssl utility, the following command should be used (choose the appropriate locations for the input and output files):
openssl pkcs12 -nodes -in c:\mycertificate.pfx -out c:\server.key
Private Key File Format
The Private Key File should contain text with the following format:
-----BEGIN RSA PRIVATE KEY-----
MIICXgIBAAKBgQD7uhNymd6WCORqH0rpd5zs4FEwCX2JrKtm0dmTf44SVaGvFLF1
vakeOYP/sFs4aa2UaN0FcbFaS2w3IZWWum4sCtqtvb8Zil+13VCdyR+2SRx9GMbu
SnoL/6FI86m+C0gHq6g0ILoiTAJnY+MOEC2bwbMykzljPVUOXE9IEG0A0QIDAQAB
AoGAFQOYogWEVmQRpWZNW6YXnJKxVGBGcZrPiDrWfgC0/ITXhYUlt12I47QLd+ni
-----END RSA PRIVATE KEY-----
An encrypted Private Key File may have the following format. The Proc-Type and DEK-Info headers indicate that the file contains an RSA Private Key whose key text is itself encrypted. A file in this format will generate an error dialog stating “Error Loading the Private Key File!”
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,7BC....
JHQ8U0pDbeFM9h2jZSmiugxdqOa2q/MiX43Xa4Es6nKmzu9oI/ZfpIdAHi8qwtsD
mZ5bQRIXD9AXeIRy+0tG2ibUaphQEsvI995PWUsh8N9dVumsqykmMXSwND7tkbHB
iO/VVSAAD9bV3dbl5nbMwMnPG+YC3S90GAK4ZRIqrHRQ94fd/ZAvP8kV9ilwCmX6
swFlNBLGuKFllJ9qkyr+OOQqulrAyZAB2UThGCJJetELFtV4mLmIaHdgDIcUqpJp==
-----END RSA PRIVATE KEY-----
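Added example (not part of the original article or of Observer): a Python check that classifies a key file by the PEM markers described above, including the case where the key sits after other blocks in a .pfx export. The function name, return labels and sample inputs are assumptions constructed for illustration, and the PKCS #8 labels it also recognizes are not shown in the article.

```python
import re

# One PEM block: BEGIN line, body, and the END line with the same label.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

def classify_key_file(text):
    """Classify the first private-key block found in PEM text."""
    for label, body in PEM_BLOCK.findall(text):
        if label == "RSA PRIVATE KEY":
            # Header lines such as Proc-Type contain ':'; base64 never does.
            headers = [ln.strip() for ln in body.splitlines() if ":" in ln]
            if any(h.startswith("Proc-Type:") and "ENCRYPTED" in h for h in headers):
                return "rsa-encrypted"      # decrypt with: openssl rsa -in ... -out ...
            return "rsa-unencrypted"        # the format the article shows as required
        if label == "ENCRYPTED PRIVATE KEY":
            return "pkcs8-encrypted"        # PKCS #8 label, not shown in the article
        if label == "PRIVATE KEY":
            return "pkcs8-unencrypted"      # PKCS #8 label, not shown in the article
    return "no-private-key"                 # e.g. a certificate-only file

# Constructed samples: placeholder base64, not real key material.
PLAIN = "-----BEGIN RSA PRIVATE KEY-----\nQUJDREVGR0g=\n-----END RSA PRIVATE KEY-----\n"
ENCRYPTED = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: DES-EDE3-CBC,0000000000000000\n"
    "\n"
    "QUJDREVGR0g=\n"
    "-----END RSA PRIVATE KEY-----\n"
)
# Constructed shape of a .pfx export: attributes and a certificate before the key.
PFX_EXPORT = (
    "Bag Attributes\n    friendlyName: example\n"
    "-----BEGIN CERTIFICATE-----\nQUJDREVGR0g=\n-----END CERTIFICATE-----\n"
    "Bag Attributes\n    localKeyID: 01 00 00 00\n" + PLAIN
)
CERT_ONLY = "-----BEGIN CERTIFICATE-----\nQUJDREVGR0g=\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for name in ("PLAIN", "ENCRYPTED", "PFX_EXPORT", "CERT_ONLY"):
        print(name, "->", classify_key_file(globals()[name]))
```

To check a real file, pass its contents to the function: classify_key_file(open(path).read()).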