I am trying to upload/update a custom CA for SSL decryption (signing and validation), but it fails with the following message:
"Hochladen der Zertifizierungsstelle ist fehlgeschlagen. Ungültiger privater Schlüssel oder ungültiges Kennwort"
I know the passphrase for the key is correct, because it works if I upload it on the certificates page, just not on the CA page.
If I try to upload the certificate without the key the error is:
"Die Zertifizierungsstellen-Datei ist möglicherweise beschädigt"
I have compared the old and new crt files using this command on a Linux workstation in my homelab:
diff -u <(openssl x509 -noout -text -in /tmp/old.pem) <(openssl x509 -noout -text -in /tmp/new.pem)
The only differences are the expected date, serial number and public key.
The article used: docs.sophos.com/.../index.html
Details of the certificate:
- Sub-CA of internal root CA

Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
        Public-Key: (4096 bit)
X509v3 extensions:
    X509v3 Key Usage: critical
        Certificate Sign, CRL Sign
    X509v3 Extended Key Usage: critical
        OCSP Signing
    X509v3 Basic Constraints: critical
        CA:TRUE, pathlen:0
Signature Algorithm: sha256WithRSAEncryption
What are the requirements for a CA certificate? Unfortunately, the article is very thin here.
Edited TAGs
[edited by: Erick Jan at 3:20 AM (GMT -8) on 6 Jan 2025]