logstash-plugins / logstash-input-beats

Apache License 2.0

LogStash::ConfigurationError: File does not contain valid private key #443

Open kares opened 2 years ago

kares commented 2 years ago

This issue will happen whenever Java fails to read PKCS#8 keys created by OpenSSL tools:

openssl pkcs8 -topk8 -in ./cert.key -out ./cert.key.pkcs8 -passin pass:foo -passout pass:bar

It might manifest in different forms such as:

The first happens with OpenSSL 1.1 defaults (-v2 is the default) or when specifying -v2 aes128 (or -v2 aes256). The second is due to using (-v2 des3):

openssl pkcs8 -topk8 -in ./cert.key -out ./cert.key.pkcs8 -passout pass:foobar -v2 des3

Java fails to read such keys, and one needs to use a -v1 (PKCS#5 v1.5) algorithm, e.g. -v1 PBE-SHA1-RC2-128.


Tested on OpenJDK 2021-11-30 2a2962fbd1 OpenJDK 64-Bit Server VM 11.0.13+8.

kares commented 2 years ago

This issue manifested with the CI due to the Docker base image switch from:

CentOS Linux release 7.9.2009 (Core) OpenSSL 1.0.2k-fips 26 Jan 2017

to

20.04.3 LTS (Focal Fossa) OpenSSL 1.1.1f 31 Mar 2020

A default openssl pkcs8 -topk8 -in ... -out ... -passout pass:... fails in Ubuntu (due to the -v2 default); a work-around is to use a v1 algorithm, e.g.:

openssl pkcs8 -topk8 -v1 PBE-SHA1-RC2-128 -in ... -passout pass:...
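A check for which PBE scheme a password-protected PKCS#8 file carries, i.e. whether it was written with the -v2 (PBES2) default or with a -v1 algorithm as discussed in this thread. This is an added example, not code from the issue or from logstash-input-beats; the function names are illustrative, and the two sample PEMs are constructed with placeholder salt, IV and ciphertext bytes.

```python
import base64

OIDS = {  # DER-encoded OID (hex) -> name as used on the openssl pkcs8 command line
    "2a864886f70d01050d": "PBES2",               # 1.2.840.113549.1.5.13 (-v2)
    "2a864886f70d010c0105": "PBE-SHA1-RC2-128",  # 1.2.840.113549.1.12.1.5
    "608648016503040102": "aes128",              # 2.16.840.1.101.3.4.1.2
    "60864801650304012a": "aes256",              # 2.16.840.1.101.3.4.1.42
    "2a864886f70d0307": "des3",                  # 1.2.840.113549.3.7
}

def read_tlv(buf, pos, want):
    """Read the DER element at pos, check its tag, return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != want:
        raise ValueError("unexpected DER structure")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return buf[pos:pos + length], pos + length

def pbe_scheme(pem):
    """Return ('v1' or 'v2', algorithm name) for an ENCRYPTED PRIVATE KEY PEM."""
    b64 = "".join(l.strip() for l in pem.splitlines() if not l.startswith("-----"))
    outer, _ = read_tlv(base64.b64decode(b64), 0, 0x30)  # EncryptedPrivateKeyInfo
    alg, _ = read_tlv(outer, 0, 0x30)                    # encryptionAlgorithm
    oid, p = read_tlv(alg, 0, 0x06)
    name = OIDS.get(oid.hex(), oid.hex())
    if name != "PBES2":
        return "v1", name
    params, _ = read_tlv(alg, p, 0x30)                   # PBES2-params
    _, p = read_tlv(params, 0, 0x30)                     # keyDerivationFunc (skipped)
    enc, _ = read_tlv(params, p, 0x30)                   # encryptionScheme
    cipher = read_tlv(enc, 0, 0x06)[0].hex()
    return "v2", OIDS.get(cipher, cipher)

# Constructed samples: real header layout, placeholder salt/IV/ciphertext, no key.
def tlv(tag, *parts):  # short-form DER encoder, enough for these samples
    return bytes([tag, sum(map(len, parts))]) + b"".join(parts)

def sample_pem(alg):
    b64 = base64.b64encode(tlv(0x30, alg, tlv(0x04, bytes(16)))).decode()
    return "-----BEGIN ENCRYPTED PRIVATE KEY-----\n%s\n-----END ENCRYPTED PRIVATE KEY-----\n" % b64

oid_tlv = lambda h: tlv(0x06, bytes.fromhex(h))
SALT_ITER = tlv(0x30, tlv(0x04, bytes(8)), tlv(0x02, b"\x08\x00"))  # salt, iterations
V2_AES128 = sample_pem(tlv(0x30, oid_tlv("2a864886f70d01050d"), tlv(0x30,
    tlv(0x30, oid_tlv("2a864886f70d01050c"), SALT_ITER), tlv(0x30, oid_tlv("608648016503040102"), tlv(0x04, bytes(16))))))
V1_RC2 = sample_pem(tlv(0x30, oid_tlv("2a864886f70d010c0105"), SALT_ITER))
```

Calling pbe_scheme(open(path).read()) on a key file before handing it to the plugin shows whether it needs re-encoding with a -v1 algorithm; an unencrypted PKCS#8 key raises ValueError because its structure differs.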