Private keys generated by openssl 1.x can't be loaded

[vokac]

When I create certificate request with openssl >= 1.x.x (e.g. on SL6)

openssl req -new -keyout mykey.pem -out myreq.pem -config my.cfg

where content of my.cfg is following

default_bits            = 2048
distinguished_name      = req_distinguished_name
string_mask             = nombstr
prompt                  = no
req_extensions          = req_ext
[req_distinguished_name]
commonName             = hostname.domain.com
[req_ext]
subjectAltName          = @san
[san]
DNS.0                   = hostname.domain.com
email.0                 = [email protected]

than I'm not able to load private key using function:

org.globus.gsi.X509Credential("mycert.pem", "mykey.pem");

It is caused by different private key format produced by certificate request created by openssl >= 1.x.x New private key format is incompatible with ssl-proxies-2.0.6.jar.

It is possible to convert new key format into old format using (at least on SL6)

openssl rsa -in mykey.pem -out mykey.pem.old

and old format to new format using

openssl pkcs8 -topk8 -nocrypt -in mykey.pem -out mykey.pem.new

and than one can test this issue e.g. by

import java.io.IOException;
import org.globus.gsi.CredentialException;

public class TestSSL {
    public static void main(String[] args) throws CredentialException, IOException {
        System.out.println("Start");
        new org.globus.gsi.X509Credential("mycert.pem", "mykey.pem.old");
        System.out.println("Old key was read OK");
        new org.globus.gsi.X509Credential("mycert.pem", "mykey.pem.new");
        System.out.println("We'll not get here with current jglobus version 2.0.6");
    }
}

[vokac]

workaround to support SL6 openssl default PKCS8 key format a116471