01-29-2019 04:13 PM
This is a note/FYI for anyone attempting to generate encrypted private keys and CSR for use with Aruba Instant OS 6.5, using macOS 10.13 or 10.14 (High Sierra, Mojave). I spent the last few days struggling with this issue and figured I would share my experience and workaround, for anyone else who gets stumped here. These notes are in reference to this article, which is otherwise correct and helpful:
The version of OpenSSL which ships with macOS 10.13/10.14 (LibreSSL 2.6.5) generates encrypted private keys, which as far as I can tell, are not compatible with Aruba Instant OS 6.5. Uploading a PEM certificate bundle to the Instant Controller GUI containing an encrypted private key generated using OpenSSL on these macOS versions will result in the error "cert_upload_error_in_rsa_key_validation".
After many days of struggling with this error, I decided to try generating keys using the older macOS 10.12 Sierra, which ships with a different OpenSSL version/library (OpenSSL 0.9.8). These keys and subsequent certificate imported successfully to the Aruba Instant Controller GUI without error.
The difference between the two encrypted private key formats is visible. Keys generated with older versions of OpenSSL start with:
-----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: DES-EDE3-CBC,XXXXXXXXXXXXXXXX
While keys generated using OpenSSL in macOS 10.13/10.14 do not contain the first two header lines for Proc-Type and DEK-Info but instead start with:
-----BEGIN ENCRYPTED PRIVATE KEY-----
Directly followed by the key.
Solved! Go to Solution.