ECS: Unable to upload ECDSA certificate

Summary: A user uploading a certificate to ECS receives one of the following errors: "Failed to load the private key" or "The provided key and certificate do not match".

Article Content


Symptoms

The following error is seen when uploading a CA-signed data or management certificate to ECS using the ECS certificate tool.
admin@ecsnode01:~/ecs_certificate_tool-1.6> python ecs_certificate_tool.py upload_certificate -c /home/admin/CER/Management/server.pem -p /home/admin/ecs_certificate_tool-1.6/generated_files/CKM0XXXX00120-management_private.key -m
ecs_certificate_tool v1.6
----------------------------------------------------------------------
Upload Certificate
----------------------------------------------------------------------

Authenticating using configured credentials..PASS

Reading certificate from: /home/admin/CER/Management/server.pem..DONE
Reading private key from: /home/admin/ecs_certificate_tool-1.6/generated_files/CKM0XXXX00120-management_private.key..DONE
Backing up existing certificate if needed..
Backed up existing certificate to : /home/admin/ecs_certificate_tool-1.6/certificate_backups/CKM0XXXX00120-management_2023-05-30-07-06-32.crt.backup
Uploading the certificate to ECS..Failed to upload certificate.
response: <?xml version="1.0" encoding="UTF-8" standalone="yes"?><error><code>999</code><description>An unexpected error occurred, please check the ECS logs for more information</description><details>The provided key and certificate do not match</details><retryable>false</retryable></error>
headers: {'Date': 'Tue, 30 May 2023 07:06:34 GMT', 'Content-Length': '281', 'Content-Type': 'application/xml', 'Connection': 'keep-alive'}

Cause

A Public Key algorithm and Signature algorithm that do not match can cause this error.

Resolution

Verify the signed certificate. In the following example, the Public Key algorithm is RSA and the Signature algorithm is ECDSA with SHA512.
admin@ecsnode01:~/CER/Management> openssl x509 -text -noout -in server.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            51:89:4d:xx:a4:90:a6:a4:xx:c4:5f:xx:6d:43:ef:xx:78:91:f2:cc
    Signature Algorithm: ecdsa-with-SHA512
        Issuer: C=IN, ST=Bagmane, L=Bangalore, O=Dell Technologies, OU=AGI, CN=ecsnode.agi.dell.com.in/emailAddress=ecsnode@dell.com.in
        Validity
            Not Before: May 30 06:29:36 2023 GMT
            Not After : May 28 06:29:36 2028 GMT
        Subject: C=IN, ST=Bagmane, L=Bangalore, O=Dell Technologies, OU=AGI, CN=ecsnode.agi.dell.com.in/emailAddress=ecsnode@dell.com.in
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ce:e4:31:7d:b6:13:43:bc:99:59:ad:8e:99:ae:
                    b8:28:20:85:71:46:xx:a9:d5:17:e4:e7:2e:bb:b7:
                    76:4f:4f:0e:e3:xx:fe:af:2a:d8:68:c2:98:af:de:
                    a7:28:c0:9d:03:37:fb:a3:4a:0c:a1:24:a6:2f:2c:
                    9a:ff:e8:03:d9:47:bf:69:28:6f:3e:xx:81:ea:e5:
                    40:5b:68:fb:9f:c4:b2:67:f9:ea:7e:ea:67:95:91:
                    20:45:70:bb:f5:c9:b8:e0:7e:87:f8:29:13:fa:87:
                    40:8e:b8:2a:b5:f6:1c:c2:e0:a5:54:47:66:bf:54:
                    0e:a5:52:55:a4:2f:2e:48:49:45:ac:d9:08:86:0b:
                    10:42:77:b2:9d:59:77:62:xx:6f:9a:4b:ec:14:81:
                    7c:b4:a1:43:1e:53:f7:71:ae:35:9e:6f:af:d1:95:
                    fe:b4:53:dd:15:ad:e8:01:77:81:7b:1a:fa:16:e8:
                    d6:36:xx:db:e3:70:57:87:ac:6f:e7:b6:e6:25:e0:
                    01:3a:86:f9:28:e1:e2:aa:73:xx:ea:69:be:11:98:
                    3b:a1:c9:d1:c5:98:a6:66:66:91:36:ca:11:9d:40:
                    df:46:5c:4d:27:xx:80:99:f3:82:bf:6c:2e:ae:5a:
                    04:9b:10:3f:8b:04:e5:f6:30:ef:c0:9c:87:6f:82:
                    40:eb
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:xx:DB:EF:4C:F4:xx:C3:2A:0E:2B:8C:50:xx:85:46:F2:A1:E2:E3:xx

            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:ecsnode1.agi.dell.com.in, DNS:ecsnode2.agi.dell.com.in, DNS:ecsnode3.agi.dell.com.in, DNS:ecsnode4.agi.dell.com.in,DNS:ecsnode5.agi.dell.com.in, IP Address:10.xx.xx.01, IP Address:10.xx.xx.02, IP Address:10.xx.xx.03, IP Address:10.xx.xx.04, IP Address:10.xx.xx.05, IP Address:10.xx.xx.04
    Signature Algorithm: ecdsa-with-SHA512
         30:65:02:xx:00:f9:77:76:6c:24:9b:64:cd:e2:06:3d:70:22:
         d3:85:c5:5b:63:21:54:c5:7d:5c:b5:ce:xx:ad:8c:54:3a:12:
         f7:89:xx:bd:70:c6:69:3a:b0:c6:be:7c:88:3c:51:6e:f0:02:
         30:5e:01:73:9c:b8:16:e6:7e:9b:9d:ab:xx:07:bb:3d:cd:7f:
         94:da:fa:8c:xx:0f:3c:32:a3:93:32:da:63:6b:4c:e6:ff:f1:
         2f:4e:2c:c9:9f:62:22:xx:ff:b7:a7:01:c9

Even if the CSR is CA-signed with the ECDSA algorithm, the key fails when you try to upload it to ECS.
admin@ecsnode1:~/ecs_certificate_tool-1.6> python ecs_certificate_tool.py upload_certificate -c CKMxxxxxxx048-management-ssc.crt -p CKMxxxxxxxx048-management_private.key -m
ecs_certificate_tool v1.6
----------------------------------------------------------------------
Upload Certificate
----------------------------------------------------------------------

Authenticating using configured credentials..PASS

Reading certificate from: CKMxxxxxxx048-management-ssc.crt..DONE
Reading private key from: CKMxxxxxxx048-management_private.key..DONE
Backing up existing certificate if needed..
Backed up existing certificate to : /home/admin/ecs_certificate_tool-1.6/certificate_backups/CKMxxxxxxx048-management_2023-06-17-08-39-27.crt.backup
Uploading the certificate to ECS..Failed to upload certificate.
 response: <?xml version="1.0" encoding="UTF-8" standalone="yes"?><error><code>1008</code><description>Invalid parameter</description><details>Failed to load the private key.</details><retryable>false</retryable></error>
 headers: {'Date': 'Sat, 17 Jun 2023 08:39:29 GMT', 'Content-Length': '209', 'Content-Type': 'application/xml', 'Connection': 'keep-alive'}

The certificate upload API expects an RSA key and certificate, so the ECDSA method is not supported in ECS.
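
A pre-upload check for the conditions described above, as an added example that is not part of ecs_certificate_tool or of this article's original content: it reads the algorithm lines from `openssl x509 -text -noout` output and compares the public key in the certificate with the one derived from the private key. The script name `ecs_precheck.sh`, the function names, and the reading of "RSA key/certificate" as RSA for both the public key and the signature are assumptions.

```shell
#!/bin/sh
# Added example, not part of ecs_certificate_tool.
# Assumption: "RSA key/certificate" means an rsaEncryption public key
# and an RSA-based signature algorithm.

# Read `openssl x509 -text -noout` output on stdin and print
# "<signature algorithm>|<public key algorithm>".
cert_algorithms() {
    awk '
        /Signature Algorithm:/ && sig == "" { sub(/^.*Signature Algorithm:[ \t]*/, ""); sig = $0 }
        /Public Key Algorithm:/ && pk == "" { sub(/^.*Public Key Algorithm:[ \t]*/, ""); pk = $0 }
        END { print sig "|" pk }
    '
}

# Return 0 when the certificate text on stdin uses RSA for both algorithms.
ecs_cert_verdict() {
    ecv_algs=$(cert_algorithms)
    ecv_sig=${ecv_algs%%"|"*}
    ecv_pk=${ecv_algs##*"|"}
    case "$ecv_pk" in
        rsaEncryption) ;;
        *) echo "REJECT: public key algorithm '$ecv_pk' is not RSA"; return 1 ;;
    esac
    case "$ecv_sig" in
        *RSA*|*rsa*) ;;   # for example sha256WithRSAEncryption
        *) echo "REJECT: signature algorithm '$ecv_sig' is not RSA-based"; return 1 ;;
    esac
    echo "OK: $ecv_sig / $ecv_pk"
}

# Return 0 when the private key file ($2) holds the key certified by $1.
key_matches_cert() {
    kmc_cert=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    kmc_key=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$kmc_cert" = "$kmc_key" ]
}

# Constructed samples: the algorithm lines from the article's certificate,
# and the same lines as they read for an RSA-signed RSA certificate.
SAMPLE_ARTICLE='    Signature Algorithm: ecdsa-with-SHA512
            Public Key Algorithm: rsaEncryption'
SAMPLE_RSA='    Signature Algorithm: sha256WithRSAEncryption
            Public Key Algorithm: rsaEncryption'

# Usage (hypothetical script name): sh ecs_precheck.sh server.pem private.key
if [ "$#" -eq 2 ]; then
    openssl x509 -text -noout -in "$1" | ecs_cert_verdict || exit 1
    key_matches_cert "$1" "$2" || { echo "REJECT: key and certificate do not match"; exit 1; }
    echo "OK: key matches certificate"
fi
```

Run it on the node before `upload_certificate`; a REJECT line names which algorithm to correct when the certificate is reissued.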

Article Properties


Affected Product

ECS, Elastic Cloud Storage

Last Published Date

02 Oct 2023

Version

2

Article Type

Solution