SSL Error: can not load private keys

Hi Support Team,

I am trying to configure SSL in the open source TYK API gateway. The certificate used was issued by an internal authority. We got a pfx file (it is a server-specific certificate; the certificate CN is the DNS name of the server), then we converted the pfx into cert.pem and key.pem files, configured TYK as below and restarted the server:

"http_server_options": {
    "use_ssl": true,
    "certificates": [
        {
            "domain_name": "*.yoursite.com",
            "cert_file": "./new.cert.cert",
            "key_file": "./new.cert.key"
        }
    ]
}

The commands used to convert the pfx to cert.pem and key.pem are:
openssl pkcs12 -in filename.pfx -nocerts -out key.pem
openssl pkcs12 -in filename.pfx -clcerts -nokeys -out cert.pem

When I try to access the API definition I get the error:
SSL has no peer certificate for the requested DNS name

Then I tried to run the ./tyk command and I could see an SSL-related error:
error: load keys: tls: failed to parse private keys

The certificate generated is the server-specific cert. If I generate a self-signed cert using openssl and configure it, it works fine.

As we can't use a self-signed certificate in the actual environment, can you please suggest how we should generate the certificate and use it? Please note the certificate is issued by an internal authority.

Please help, as it's blocking our production go-live.

Hi @saloni512, the error from the ./tyk command means that there is a problem with the private key. Could you validate that the certificate and key are a pair?

One other problem could be if the root and intermediate certificates issued by the internal authority are not installed on the host. So maybe you could confirm that.

Could you validate if the certificate and key are a pair?: Yes, the key and certificate are a pair.

One other problem could be if the root and intermediate certificates issued by the internal authority are not installed on the host. So maybe you could confirm that: How can I check whether the root or intermediate certs are installed or not?

How am I supposed to install the certs on the TYK server? Can you please suggest?

Hi,

The key file cannot be parsed. It must not be in standard PEM format, or it would be possible for Tyk to parse it. It's not safe for you to show us the contents of the file since it is your private key, but here is a private key file which I've just generated.

-----BEGIN RSA PRIVATE KEY-----
[key body omitted from this copy of the post]
-----END RSA PRIVATE KEY-----

Here I'm checking that my private key and certificate match:

$ openssl x509 -noout -modulus -in cert.pem | openssl md5
(stdin)= 3e9338fd0876bb7917f0f811ea3cf84a
$ openssl rsa -noout -modulus -in key.pem | openssl md5
(stdin)= 3e9338fd0876bb7917f0f811ea3cf84a

You can see that the md5 sums match, so they are a pair.

How am I supposed to install the certs on the TYK server? Can you please suggest?

We do offer some documentation on adding certificates to Docker images; however, a quick Google on adding certificates in your particular situation should provide a number of instructions on how it is done. It's not done within Tyk, but within your operating environment. This is so situational that it's best for us not to be prescriptive.

So maybe you could confirm that: How can I check whether the root or intermediate certs are installed or not?

Again, this is not within Tyk but depends entirely on your operating environment. It is a common query in many environments, though, so Google has lots of answers.

Cheers,
Pete
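Pete's modulus check and the "failed to parse private keys" message both come down to what Go's tls.X509KeyPair, the loader Tyk uses for cert_file and key_file, will accept. One caveat that fits this thread exactly: openssl pkcs12 -nocerts -out key.pem without -nodes writes a passphrase-protected "ENCRYPTED PRIVATE KEY" block, and that loader cannot read an encrypted key at all, so it reports a parse failure even when the cert and key are a matching pair. The Go program below is an added example, not Tyk's code and not anything posted in the thread: it wraps the same loader with a diagnosis of the key file and reproduces Pete's pair check by comparing public keys instead of modulus hashes. The certificate, key and the encrypted-looking key file are constructed in memory, and the host name gw.example.internal is a placeholder.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// ErrEncryptedKey: the PEM key is passphrase-protected, which Go's TLS loader
// (and therefore Tyk) cannot read. Re-export it without a passphrase.
var ErrEncryptedKey = errors.New("private key is passphrase-protected; re-export with 'openssl pkcs12 -nodes' or strip it with 'openssl rsa -in key.pem -out key.pem'")

// keyBlock returns the first private-key PEM block in keyPEM, applying the
// same block-type rule as tls.X509KeyPair, and reports why it would be rejected.
func keyBlock(keyPEM []byte) (*pem.Block, error) {
	rest := keyPEM
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			return nil, errors.New("no PEM private key block found (is the file still PFX or DER?)")
		}
		// PKCS#8 encrypted form, and the legacy OpenSSL "Proc-Type: 4,ENCRYPTED" form.
		if block.Type == "ENCRYPTED PRIVATE KEY" || block.Headers["Proc-Type"] == "4,ENCRYPTED" {
			return nil, ErrEncryptedKey
		}
		if block.Type == "PRIVATE KEY" || strings.HasSuffix(block.Type, " PRIVATE KEY") {
			return block, nil
		}
		// Any other block type (a stray CERTIFICATE, for instance) is skipped.
	}
}

// LoadKeyPair does what the gateway does at startup, tls.X509KeyPair, and on
// failure appends a diagnosis of the key file to Go's terse error.
func LoadKeyPair(certPEM, keyPEM []byte) (tls.Certificate, error) {
	cert, err := tls.X509KeyPair(certPEM, keyPEM)
	if err != nil {
		if _, diag := keyBlock(keyPEM); diag != nil {
			return tls.Certificate{}, fmt.Errorf("%v: %w", err, diag)
		}
		return tls.Certificate{}, err
	}
	return cert, nil
}

// KeysMatch is the in-code form of the modulus comparison: parse both files
// and compare the certificate's public key with the one derived from the key.
func KeysMatch(certPEM, keyPEM []byte) (bool, error) {
	cb, _ := pem.Decode(certPEM)
	if cb == nil {
		return false, errors.New("no PEM block in certificate file")
	}
	cert, err := x509.ParseCertificate(cb.Bytes)
	if err != nil {
		return false, err
	}
	kb, err := keyBlock(keyPEM)
	if err != nil {
		return false, err
	}
	var priv crypto.PrivateKey
	switch kb.Type {
	case "RSA PRIVATE KEY": // PKCS#1, what "openssl rsa" writes
		priv, err = x509.ParsePKCS1PrivateKey(kb.Bytes)
	case "EC PRIVATE KEY": // SEC 1
		priv, err = x509.ParseECPrivateKey(kb.Bytes)
	default: // "PRIVATE KEY": PKCS#8, what "openssl pkcs12 -nodes" writes
		priv, err = x509.ParsePKCS8PrivateKey(kb.Bytes)
	}
	if err != nil {
		return false, err
	}
	pub, ok := cert.PublicKey.(interface{ Equal(crypto.PublicKey) bool })
	if !ok {
		return false, errors.New("unsupported certificate public key type")
	}
	return pub.Equal(priv.(crypto.Signer).Public()), nil
}

// selfSignedPair builds a throwaway certificate and unencrypted PKCS#8 key in
// memory: constructed stand-ins for cert.pem and key.pem.
func selfSignedPair(host string) (certPEM, keyPEM []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalPKCS8PrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER})
	return certPEM, keyPEM, nil
}

// encryptedLookingKey mimics the shape of "openssl pkcs12 -nocerts" output
// without -nodes: Bag Attributes text, then a passphrase-protected PKCS#8 block.
// The body is constructed filler, not a real ciphertext; the loader fails before
// it would ever decrypt anything.
func encryptedLookingKey() []byte {
	body := pem.EncodeToMemory(&pem.Block{Type: "ENCRYPTED PRIVATE KEY", Bytes: []byte("not-a-real-encrypted-key")})
	return []byte("Bag Attributes\n    localKeyID: 01 02 03\nKey Attributes: <No Attributes>\n" + string(body))
}

func main() {
	certPEM, keyPEM, err := selfSignedPair("gw.example.internal")
	if err != nil {
		panic(err)
	}
	_, err = LoadKeyPair(certPEM, keyPEM)
	fmt.Println("unencrypted PKCS#8 key:", err)
	_, err = LoadKeyPair(certPEM, encryptedLookingKey())
	fmt.Println("passphrase-protected key:", err)
}
```

If LoadKeyPair reports ErrEncryptedKey, the fix is on the conversion side, not in the gateway config: export the key with openssl pkcs12 -in filename.pfx -nocerts -nodes -out key.pem (or run openssl rsa -in key.pem -out key.pem once to strip the passphrase), and since the resulting file is unprotected, keep it readable only by the account the gateway runs as. The KeysMatch check is the equivalent of the modulus comparison above but also works for EC keys, where there is no modulus to hash.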