[stork-users] Certificate management in Stork and Kea

Buclin, Bertrand Bertrand.Buclin at intl.att.com
Wed Oct 27 16:00:11 UTC 2021


Hi,

Glad to see with KEA 2.0 and Stork 0.2x that we can now use TLS to secure the transactions between the Stork server and the Agent, and between the Agent and KEA.

I'm trying to use server certificates signed by my organization certification authority instead of the self-signed certificates that Stork is proposing. To that effect, I've declared the trust-anchor, cert-file and key-file attributes in the KEA Control Agent pointing respectively to the Certification Authority certificate PEM file, the server certificate (and the certificate chain to the CA), and the server certificate private key (with the certificate chain to the certificate authority in the same PEM file).

I'm trying to load the same certificates in Stork using the stork-tool, and no issue for the CA cert and the SRV Cert, but I can't get to load the server private key. The stork-tool call fails saying "main.go:333       problem parsing the server key: parsing private key: x509: failed to parse private key (use ParsePKCS1PrivateKey instead for this key format)". I know the private key file is the right one for the server certificate (checked them with the usual openssl x509/rsa -modulus | md5 routine), and all three CA certificate, server certificate and key files work OK with kea-shell...

The PEM file for the private key starts with "-----BEGIN RSA PRIVATE KEY-----". When I export the private key that Stork self-generated, it says "BEGIN PRIVATE KEY". I've tried converting the private key to PKCS8 format, but then getting other errors and stork-tool crashing with "panic: interface conversion: interface {} is *rsa.PrivateKey, not *ecdsa.PrivateKey".

Anyone succeeded in specifying keys across Stork and KEA successfully?



Bertrand Buclin
Director, Access Technology Management
Global Connectivity Management

AT&T Global Network Services (Switzerland) GmbH
m +41 79 333 00 20  |  bbuclin at att.com
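
The two messages quoted in the post are what Go's `crypto/x509` returns when PKCS#1 data is given to the PKCS#8 parser, and what an unchecked type assertion does when the key is not of the expected type. The following is an added example, not part of the original post and not Stork's code, of a loader that selects the parser from the PEM label and rejects unexpected key types with an error; `loadPrivateKey` and `samplePKCS1PEM` are hypothetical names, and the sample key is generated in memory.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"fmt"
)

// loadPrivateKey (hypothetical helper, not Stork's code) picks the parser from the PEM label.
func loadPrivateKey(pemBytes []byte) (crypto.Signer, string, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return nil, "", fmt.Errorf("no PEM block found")
	}
	var key interface{}
	var err error
	switch block.Type { // an unknown label leaves key nil and is rejected below
	case "RSA PRIVATE KEY": // PKCS#1: RSA only
		key, err = x509.ParsePKCS1PrivateKey(block.Bytes)
	case "EC PRIVATE KEY": // SEC1: ECDSA only
		key, err = x509.ParseECPrivateKey(block.Bytes)
	case "PRIVATE KEY": // PKCS#8: the algorithm is recorded inside the DER
		key, err = x509.ParsePKCS8PrivateKey(block.Bytes)
	}
	if err != nil {
		return nil, "", fmt.Errorf("parsing %q block: %w", block.Type, err)
	}
	signer, ok := key.(crypto.Signer) // comma-ok: a surprise type is an error, not a panic
	if !ok {
		return nil, "", fmt.Errorf("unsupported key: PEM label %q, Go type %T", block.Type, key)
	}
	return signer, fmt.Sprintf("%T", key), nil
}

func samplePKCS1PEM() []byte { // constructed sample: throwaway RSA key made in memory
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(k)})
}

func main() {
	_, typ, err := loadPrivateKey(samplePKCS1PEM())
	fmt.Println(typ, err) // *rsa.PrivateKey <nil>
}
```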
