BlueOnyx 5209R – Issues with importing signed certificates

Importing signed certificates on BlueOnyx has always been somewhat of a challenge and it’s not well documented. The gist of it is that the certificate you want to import needs to consist of both the certificate and the corresponding private key, and it must have an extension that BlueOnyx understands (*.crt or *.cert works). Even so, my attempt to import a signed certificate from RapidSSL failed with a message stating that the imported certificate did not contain the correct private key.

BlueOnyx - Certificate import error

The imported certificate does not contain the private key for this certificate.

I knew for a fact that there were no issues with either the key or the certificate, and if I manually uploaded them, everything worked as expected. However, bypassing the GUI on a BlueOnyx system is never a good idea due to the underlying architecture.

Why it doesn’t work

Generating a certificate signing request (CSR) with the command openssl req -new -newkey rsa:2048 -nodes -keyout domain.key -out domain.csr will create a PKCS #8 formatted private key as expected. While BlueOnyx has no issues with using PKCS #8 formatted private keys, it does fail to identify them during the import stage.

PKCS #1
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----

PKCS #8
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----

The following code lifted from /usr/sausalito/sbin/ssl_import.pl contains the code responsible for extracting the private key from the imported certificate:

for my $part (@lines) {
  if ($part =~ /BEGIN RSA PRIVATE KEY/) {
      # hard code because of simpletext ie 5.1.3 issues
      # under OS X
      $key_part .= "-----BEGIN RSA PRIVATE KEY-----\n";
      $in_key = 1;
  }
  elsif ($part =~ /-----BEGIN PRIVATE KEY-----/) {
      # hard code because of simpletext ie 5.1.3 issues
      # under OS X
      $key_part .= "-----BEGIN RSA PRIVATE KEY-----\n";
      $in_key = 1;
  }
  elsif ($part =~ /END RSA PRIVATE KEY/) {
      # same as BEGIN
      $key_part .= "-----END RSA PRIVATE KEY-----\n";
      $in_key = 0;
  }
  elsif ($in_key) {
      $key_part .= "$part\n";
  }

You’ll notice that the script will use regular expressions to match both BEGIN RSA PRIVATE KEY and BEGIN PRIVATE KEY, but it will only match END RSA PRIVATE KEY. The lack of a regex against END PRIVATE KEY means that PKCS #8 formatted keys won’t get successfully extracted and thus the import fails due to a missing private key.

Adding the missing statement

The fix is to simply modify /usr/sausalito/sbin/ssl_import.pl by adding another elsif statement catching the END PRIVATE KEY part.

for my $part (@lines) {
...
  elsif ($part =~ /END RSA PRIVATE KEY/) {
     # same as BEGIN
     $key_part .= "-----END RSA PRIVATE KEY-----\n";
     $in_key = 0;
  }
  elsif ($part =~ /END PRIVATE KEY/) {
      # same as BEGIN
      $key_part .= "-----END RSA PRIVATE KEY-----\n";
      $in_key = 0;
  }
...

Subsequent attempts of importing certificates was successful after this minor correction.