ECS: ECDSA-Zertifikat kann nicht hochgeladen werden

Der folgende Fehler wird beim Hochladen eines von der Zertifizierungsstelle signierten Daten-/Managementzertifikats in ECS mithilfe des ECS-Zertifikattools angezeigt.

admin@ecsnode01:~/ecs_certificate_tool-1.6> python ecs_certificate_tool.py upload_certificate -c /home/admin/CER/Management/server.pem -p /home/admin/ecs_certificate_tool-1.6/generated_files/CKM0XXXX00120-management_private.key -m
ecs_certificate_tool v1.6
----------------------------------------------------------------------
Upload Certificate
----------------------------------------------------------------------

Authenticating using configured credentials..PASS

Reading certificate from: /home/admin/CER/Management/server.pem..DONE
Reading private key from: /home/admin/ecs_certificate_tool-1.6/generated_files/CKM0XXXX00120-management_private.key..DONE
Backing up existing certificate if needed..
Backed up existing certificate to : /home/admin/ecs_certificate_tool-1.6/certificate_backups/CKM0XXXX00120-management_2023-05-30-07-06-32.crt.backup
Uploading the certificate to ECS..Failed to upload certificate.
response: 999An unexpected error occurred, please check the ECS logs for more information

The provided key and certificate do not match

false headers: {'Date': 'Tue, 30 May 2023 07:06:34 GMT', 'Content-Length': '281', 'Content-Type': 'application/xml', 'Connection': 'keep-alive'}

Ein Öffentlicher Schlüsselalgorithmus und Signaturalgorithmus, die nicht übereinstimmen, können diesen Fehler verursachen.

Überprüfen Sie das signierte Zertifikat. Im folgenden Beispiel lautet der Algorithmus für den öffentlichen Schlüssel RSA und der Signaturalgorithmus ECDSA mit SHA512.

admin@ecsnode01:~/CER/Management> openssl x509 -text -noout -in server.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            51:89:4d:xx:a4:90:a6:a4:xx:c4:5f:xx:6d:43:ef:xx:78:91:f2:cc
    Signature Algorithm: ecdsa-with-SHA512
        Issuer: C=IN, ST=Bagmane, L=Bangalore, O=Dell Technologies, OU=AGI, CN=ecsnode.agi.dell.com.in/emailAddress=ecsnode@dell.com.in
        Validity
            Not Before: May 30 06:29:36 2023 GMT
            Not After : May 28 06:29:36 2028 GMT
        Subject: C=IN, ST=Bagmane, L=Bangalore, O=Dell Technologies, OU=AGI, CN=ecsnode.agi.dell.com.in/emailAddress=ecsnode@dell.com.in
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ce:e4:31:7d:b6:13:43:bc:99:59:ad:8e:99:ae:
                    b8:28:20:85:71:46:xx:a9:d5:17:e4:e7:2e:bb:b7:
                    76:4f:4f:0e:e3:xx:fe:af:2a:d8:68:c2:98:af:de:
                    a7:28:c0:9d:03:37:fb:a3:4a:0c:a1:24:a6:2f:2c:
                    9a:ff:e8:03:d9:47:bf:69:28:6f:3e:xx:81:ea:e5:
                    40:5b:68:fb:9f:c4:b2:67:f9:ea:7e:ea:67:95:91:
                    20:45:70:bb:f5:c9:b8:e0:7e:87:f8:29:13:fa:87:
                    40:8e:b8:2a:b5:f6:1c:c2:e0:a5:54:47:66:bf:54:
                    0e:a5:52:55:a4:2f:2e:48:49:45:ac:d9:08:86:0b:
                    10:42:77:b2:9d:59:77:62:xx:6f:9a:4b:ec:14:81:
                    7c:b4:a1:43:1e:53:f7:71:ae:35:9e:6f:af:d1:95:
                    fe:b4:53:dd:15:ad:e8:01:77:81:7b:1a:fa:16:e8:
                    d6:36:xx:db:e3:70:57:87:ac:6f:e7:b6:e6:25:e0:
                    01:3a:86:f9:28:e1:e2:aa:73:xx:ea:69:be:11:98:
                    3b:a1:c9:d1:c5:98:a6:66:66:91:36:ca:11:9d:40:
                    df:46:5c:4d:27:xx:80:99:f3:82:bf:6c:2e:ae:5a:
                    04:9b:10:3f:8b:04:e5:f6:30:ef:c0:9c:87:6f:82:
                    40:eb
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:xx:DB:EF:4C:F4:xx:C3:2A:0E:2B:8C:50:xx:85:46:F2:A1:E2:E3:xx

            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:ecsnode1.agi.dell.com.in, DNS:ecsnode2.agi.dell.com.in, DNS:ecsnode3.agi.dell.com.in, DNS:ecsnode4.agi.dell.com.in,DNS:ecsnode5.agi.dell.com.in, IP Address:10.xx.xx.01, IP Address:10.xx.xx.02, IP Address:10.xx.xx.03, IP Address:10.xx.xx.04, IP Address:10.xx.xx.05, IP Address:10.xx.xx.04
    Signature Algorithm: ecdsa-with-SHA512
         30:65:02:xx:00:f9:77:76:6c:24:9b:64:cd:e2:06:3d:70:22:
         d3:85:c5:5b:63:21:54:c5:7d:5c:b5:ce:xx:ad:8c:54:3a:12:
         f7:89:xx:bd:70:c6:69:3a:b0:c6:be:7c:88:3c:51:6e:f0:02:
         30:5e:01:73:9c:b8:16:e6:7e:9b:9d:ab:xx:07:bb:3d:cd:7f:
         94:da:fa:8c:xx:0f:3c:32:a3:93:32:da:63:6b:4c:e6:ff:f1:
         2f:4e:2c:c9:9f:62:22:xx:ff:b7:a7:01:c9

Selbst wenn die CSR mit dem ECDSA-Algorithmus signiert ist, schlägt der Schlüssel beim Hochladen in ECS fehl.

admin@ecsnode1:~/ecs_certificate_tool-1.6> python ecs_certificate_tool.py upload_certificate -c CKMxxxxxxx048-management-ssc.crt -p CKMxxxxxxxx048-management_private.key -m
ecs_certificate_tool v1.6
----------------------------------------------------------------------
Upload Certificate
----------------------------------------------------------------------

Authenticating using configured credentials..PASS

Reading certificate from: CKMxxxxxxx048-management-ssc.crt..DONE
Reading private key from: CKMxxxxxxx048-management_private.key..DONE
Backing up existing certificate if needed..
Backed up existing certificate to : /home/admin/ecs_certificate_tool-1.6/certificate_backups/CKMxxxxxxx048-management_2023-06-17-08-39-27.crt.backup
Uploading the certificate to ECS..Failed to upload certificate.
 response: 1008Invalid parameter

Failed to load the private key.

false headers: {'Date': 'Sat, 17 Jun 2023 08:39:29 GMT', 'Content-Length': '209', 'Content-Type': 'application/xml', 'Connection': 'keep-alive'} Die Zertifikatupload-API erwartet RSA-Schlüssel/-Zertifikat. Daher wird die ECDSA-Methode in ECS nicht unterstützt.