I am trying to track down a change in private key format that exists
between RHEL 5 and RHEL 6 systems and I believe that pyOpenSSL may be
responsible, though I am not sure.
RHEL 5 uses pyOpenSSL-0.6-2.el5
RHEL 6 uses pyOpenSSL-0.10-2.el6.x86_64
It appears that in RHEL 5 private keys were stored in OpenSSL's default
PEM format, e.g. starting with:
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
In RHEL 6 this seems to have changed (using the same code to call) and
the format now appears to use PKCS#8 (for the code call it is an
unencrypted key):
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
From OpenSSL's documentation it appears that PKCS#8 is still not the
default, so I am unsure as to why this is the format being output. The
code in question comes from certmaster:
https://fedorahosted.org/certmaster/
The code (identical on RHEL 5 and RHEL 6):
def make_keypair(dest=None):
    pkey = crypto.PKey()
    pkey.generate_key(crypto.TYPE_RSA, 2048)
    if dest:
        destfd = os.open(dest, os.O_RDWR|os.O_CREAT, 0600)
        os.write(destfd, (crypto.dump_privatekey(crypto.FILETYPE_PEM,
                                                 pkey)))
        os.close(destfd)
    return pkey
Was this formatting change intentional or did it just happen due to
some change in OpenSSL? Just trying to nail down how this change came
about, because it ultimately led to the syslog daemon core dumping as
it tried to load the private key.
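
A way to check which structure a PEM private key file actually contains before handing it to a daemon, without relying on pyOpenSSL. This is an added example, not part of the original post or of certmaster; the function names are hypothetical and the sample inputs are constructed DER skeletons, not real keys.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def classify_private_key(pem_text):
    """Return (pem_label, structure) for the first PEM block in pem_text."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no PEM block found")
    der = base64.b64decode("".join(m.group(2).split()))
    tag, start, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    tag, _, after_version = _read_tlv(der, start)
    if tag != 0x02:  # no leading version INTEGER, e.g. an encrypted PKCS#8 key
        return m.group(1), "unknown"
    tag, _, _ = _read_tlv(der, after_version)
    # PKCS#1 RSAPrivateKey: version, then INTEGER modulus (tag 0x02).
    # PKCS#8 PrivateKeyInfo: version, then SEQUENCE AlgorithmIdentifier (0x30).
    return m.group(1), {0x02: "PKCS#1", 0x30: "PKCS#8"}.get(tag, "unknown")

def _pem(label, der):
    body = base64.encodebytes(der).decode()
    return "-----BEGIN %s-----\n%s-----END %s-----\n" % (label, body, label)

# Constructed DER skeletons, NOT real keys: only the leading fields are valid.
_RSA_ALGID = bytes.fromhex("300d06092a864886f70d0101010500")
SAMPLE_PKCS1 = _pem("RSA PRIVATE KEY", bytes.fromhex("3008020100020300c001"))
SAMPLE_PKCS8 = _pem("PRIVATE KEY",
                    bytes.fromhex("3016020100") + _RSA_ALGID + bytes.fromhex("04023000"))

if __name__ == "__main__":
    for sample in (SAMPLE_PKCS1, SAMPLE_PKCS8):
        print(classify_private_key(sample))
```

Comparing the returned label with the returned structure also catches a file whose PEM header does not match its contents.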