PuTTY Key Generator diz "Não foi possível carregar a chave privada (não uma chave privada)" ao carregar um arquivo PEM

3

Eu tenho um certificado ("gridcert.p12") no formato PKCS12 que estou tentando converter em um par de chaves que eu posso usar no PuTTY.

Estou usando o OpenSSL para converter o arquivo PKCS12 em um par de arquivos PEM, um para uma chave privada e outro para uma chave pública. No entanto, o PuTTY não aceita as chaves PEM. Portanto, estou tentando converter a chave PEM privada para o formato PPK por meio do PuTTY Key Generator ("puttygen.exe"). Quando eu tento carregar a chave, no entanto, o gerador de chaves PuTTY me dá a mensagem de erro titular.

Minha documentação de trabalho é colada abaixo. Qualquer idéia é muito apreciada.

# 12:45 22.04.2015 #

goal: convert "gridcert.p12" to a PuTTY-useable keypair.

first, secluded prior work to subdirectory "old attempts".
i decided to keep "gridcert.p12" as-is, rather than regenerate it.

current OpenSSL version is "OpenSSL 1.0.2 22 Jan 2015" by The OpenSSL Project.
no snapshot; just the stable release.
it's meant for a 32-bit system, i think (it's stored in directory "OpenSSL-Win32").

current download of "putty.exe" and "puttygen.exe" from Simon Tatham (http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html).
downloaded versions for Windows on Intel x86.
"puttygen.exe": beta 0.64.0.0
"putty.exe"   : beta 0.63.10188.0

using Windows 8.1 on 64-bit Acer laptop.

created mixed public/private key file with:
    13:05:21,98>C:\OpenSSL-Win32\bin\openssl pkcs12 -in gridcert.p12 -out keys.pem -nodes
    Enter Import Password:
    MAC verified OK

created individual private and public keys, respectively, with:
    13:10:40,36>C:\OpenSSL-Win32\bin\openssl pkcs12 -in gridcert.p12 -out privatekey.pem -nodes -nocerts
    Enter Import Password:
    MAC verified OK

    13:11:25,53>C:\OpenSSL-Win32\bin\openssl pkcs12 -in gridcert.p12 -out publickey.pem -nodes -nokeys
    Enter Import Password:
    MAC verified OK

both keys start with "MII" and end with "==".
the private key starts with "MIIEvwIBADANBgk...".
the public key starts with "MIIIxzCCBq+gAwI...".
the mixed-key file corroborates these observations.
both files seem to end with a new-line in both Notepad and Notepad++.
the private key has 1653 characters in its body, counting line breaks (not at the beginning or end).
the public key has 3050 characters in its body, counting line breaks (not at the beginning or end).

opening "puttygen.exe", pushing "Load", and selecting any of "privatekey.pem", "publickey.pem", and "key.pem" generates the error box "Couldn't load private key (not a private key)".
running "puttygen.exe" as administrator and trying to Load "privatekey.pem" generates the same error.

tried recreating public/private keys with no "-nodes" specifier, instead using "-clcerts":
    14:51:12,59>C:\OpenSSL-Win32\bin\openssl pkcs12 -in gridcert.p12 -out publickey_clcerts.pem -clcerts -nokeys
    Enter Import Password:
    MAC verified OK

    15:06:56,17>C:\OpenSSL-Win32\bin\openssl pkcs12 -in gridcert.p12 -out privatekey_clcerts.pem -clcerts -nocerts
    Enter Import Password:
    MAC verified OK
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:

"puttygen.exe" still gives the same error when i try to Load "privatekey_clcerts.pem" and "publickey_clcerts.pem".

the "_clcerts.pem" files look very similar to "privatekey.pem" and "publickey.pem".
their bodies both start with "MII" and end with "=".
i think that the new public key file is the same as the old.
the new private key file is definitely somewhat different from the old.

in "puttygen.exe", tried clicking "Conversions -> Import" and selecting "privatekey.pem", but the same error message was returned.

tried generating a PuTTY key to see if it runs into same problems.
opened "puttygen.exe" and clicked "Generate".
moved mouse in blank space to generate randomness (that is so cool).
entered a passphrase.
clicked "Save private key" and saved it as "privateputty.ppk".
clicked "Save public key" and saved it as "publicputty", no extension.
clicked "Load" and selected "privateputty.ppk".
clicked "Conversions -> Export OpenSSH key", saved it as "privateputtySSH.pem".
clicked "Load" and selected "privateputtySSH.pem".
a box prompted me for the passphrase, which i entered.
a box appeared telling me that i'd successfully imported an OpenSSH SSH-2 private key.
i clicked "Okay"  and the PuTTY Key Generator stood before me.

the PuTTY-generated private key is quite different from the OpenSSL-generated key.
it begins right with "-----BEGIN RSA PRIVATE KEY-----
"; i.e., no header information.
additionally, "privatekey.pem" indicated the key body with "-----BEGIN PRIVATE KEY-----".
instead of launching straight into the body after it's "----" intro, "privateputtySSH.pem" has some header info before its gobbledygook body.
it almost certainly doesn't start the body with "MII", but it's a bit difficult to tell where the body starts.
it terminates the body with "==", like before.
finally, it closes with "-----END RSA PRIVATE KEY-----" and a newline.
    
por Jordan 23.04.2015 / 06:12

1 resposta

5

BEGIN PRIVATE KEY marca o formato de chave privada do PKCS # 8 que o OpenSSL começou a usar recentemente, enquanto o PuTTY espera apenas o formato 'tradicional' / 'PEM' BEGIN RSA PRIVATE KEY .

Alimente a chave em openssl rsa para convertê-la no formato antigo.

As duas chaves começam com MII… , porque é exatamente assim que uma sequência ASN.1 é iniciada, quando codificada em Base64, mas PKCS # 8 adicionalmente tem o tipo de chave dentro , em vez de depender do cabeçalho PEM" BEGIN ... ". Você pode ver as diferenças usando openssl asn1parse .

    
por 23.04.2015 / 08:00