ECS: Unable to upload an ECDSA certificate
Summary: A user trying to upload a certificate to ECS receives one of the following errors: "Failed to load the private key" or "The provided key and certificate do not match". ...
Symptoms
The following error is seen while uploading the CA-signed management/data certificate to ECS with the ECS certificate tool.
admin@ecsnode01:~/ecs_certificate_tool-1.6> python ecs_certificate_tool.py upload_certificate -c /home/admin/CER/Management/server.pem -p /home/admin/ecs_certificate_tool-1.6/generated_files/CKM0XXXX00120-management_private.key -m
ecs_certificate_tool v1.6
----------------------------------------------------------------------
Upload Certificate
----------------------------------------------------------------------
Authenticating using configured credentials..PASS
Reading certificate from: /home/admin/CER/Management/server.pem..DONE
Reading private key from: /home/admin/ecs_certificate_tool-1.6/generated_files/CKM0XXXX00120-management_private.key..DONE
Backing up existing certificate if needed..
Backed up existing certificate to : /home/admin/ecs_certificate_tool-1.6/certificate_backups/CKM0XXXX00120-management_2023-05-30-07-06-32.crt.backup
Uploading the certificate to ECS..Failed to upload certificate.
response: 999An unexpected error occurred, please check the ECS logs for more information
The provided key and certificate do not match
false headers: {'Date': 'Tue, 30 May 2023 07:06:34 GMT', 'Content-Length': '281', 'Content-Type': 'application/xml', 'Connection': 'keep-alive'}
Cause
A public key algorithm and a signature algorithm that do not match can cause this error.
Resolution
Check the signed certificate. In the following example, the public key algorithm is RSA and the signature algorithm is ECDSA with SHA512.
admin@ecsnode01:~/CER/Management> openssl x509 -text -noout -in server.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
51:89:4d:xx:a4:90:a6:a4:xx:c4:5f:xx:6d:43:ef:xx:78:91:f2:cc
Signature Algorithm: ecdsa-with-SHA512
Issuer: C=IN, ST=Bagmane, L=Bangalore, O=Dell Technologies, OU=AGI, CN=ecsnode.agi.dell.com.in/emailAddress=ecsnode@dell.com.in
Validity
Not Before: May 30 06:29:36 2023 GMT
Not After : May 28 06:29:36 2028 GMT
Subject: C=IN, ST=Bagmane, L=Bangalore, O=Dell Technologies, OU=AGI, CN=ecsnode.agi.dell.com.in/emailAddress=ecsnode@dell.com.in
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:ce:e4:31:7d:b6:13:43:bc:99:59:ad:8e:99:ae:
b8:28:20:85:71:46:xx:a9:d5:17:e4:e7:2e:bb:b7:
76:4f:4f:0e:e3:xx:fe:af:2a:d8:68:c2:98:af:de:
a7:28:c0:9d:03:37:fb:a3:4a:0c:a1:24:a6:2f:2c:
9a:ff:e8:03:d9:47:bf:69:28:6f:3e:xx:81:ea:e5:
40:5b:68:fb:9f:c4:b2:67:f9:ea:7e:ea:67:95:91:
20:45:70:bb:f5:c9:b8:e0:7e:87:f8:29:13:fa:87:
40:8e:b8:2a:b5:f6:1c:c2:e0:a5:54:47:66:bf:54:
0e:a5:52:55:a4:2f:2e:48:49:45:ac:d9:08:86:0b:
10:42:77:b2:9d:59:77:62:xx:6f:9a:4b:ec:14:81:
7c:b4:a1:43:1e:53:f7:71:ae:35:9e:6f:af:d1:95:
fe:b4:53:dd:15:ad:e8:01:77:81:7b:1a:fa:16:e8:
d6:36:xx:db:e3:70:57:87:ac:6f:e7:b6:e6:25:e0:
01:3a:86:f9:28:e1:e2:aa:73:xx:ea:69:be:11:98:
3b:a1:c9:d1:c5:98:a6:66:66:91:36:ca:11:9d:40:
df:46:5c:4d:27:xx:80:99:f3:82:bf:6c:2e:ae:5a:
04:9b:10:3f:8b:04:e5:f6:30:ef:c0:9c:87:6f:82:
40:eb
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:xx:DB:EF:4C:F4:xx:C3:2A:0E:2B:8C:50:xx:85:46:F2:A1:E2:E3:xx
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Subject Alternative Name:
DNS:ecsnode1.agi.dell.com.in, DNS:ecsnode2.agi.dell.com.in, DNS:ecsnode3.agi.dell.com.in, DNS:ecsnode4.agi.dell.com.in,DNS:ecsnode5.agi.dell.com.in, IP Address:10.xx.xx.01, IP Address:10.xx.xx.02, IP Address:10.xx.xx.03, IP Address:10.xx.xx.04, IP Address:10.xx.xx.05, IP Address:10.xx.xx.04
Signature Algorithm: ecdsa-with-SHA512
30:65:02:xx:00:f9:77:76:6c:24:9b:64:cd:e2:06:3d:70:22:
d3:85:c5:5b:63:21:54:c5:7d:5c:b5:ce:xx:ad:8c:54:3a:12:
f7:89:xx:bd:70:c6:69:3a:b0:c6:be:7c:88:3c:51:6e:f0:02:
30:5e:01:73:9c:b8:16:e6:7e:9b:9d:ab:xx:07:bb:3d:cd:7f:
94:da:fa:8c:xx:0f:3c:32:a3:93:32:da:63:6b:4c:e6:ff:f1:
2f:4e:2c:c9:9f:62:22:xx:ff:b7:a7:01:c9
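A pre-upload check for the mismatch shown above, as an added example that is not part of the original article or of the ECS certificate tool: it classifies `openssl x509 -text -noout` output and, for real files, also confirms that the private key belongs to the certificate. The function names, verdict strings and abbreviated sample are assumptions for illustration; the RSA-only rule follows the article's statement that the upload API expects an RSA key and certificate.

```shell
#!/bin/sh
# Added example: pre-upload check for an ECS management/data certificate.
# Function names and verdict strings are hypothetical, chosen for this example.

# Reads `openssl x509 -text -noout` output on stdin and prints one verdict line.
classify_cert_text() {
    awk '
        /Public Key Algorithm:/ && pk == "" {
            sub(/.*Public Key Algorithm: */, ""); pk = $0; next }
        /Signature Algorithm:/ && sig == "" {
            sub(/.*Signature Algorithm: */, ""); sig = $0; next }
        END {
            if (pk == "" || sig == "") { print "ERROR unparsable"; exit }
            pk_rsa  = (tolower(pk)  ~ /rsa/)
            sig_rsa = (tolower(sig) ~ /rsa/)
            if (pk_rsa && sig_rsa) v = "OK"            # RSA key, RSA signature
            else if (pk_rsa)       v = "MISMATCH"      # the case in the article
            else                   v = "UNSUPPORTED_KEY"
            printf "%s key=%s sig=%s\n", v, pk, sig
        }'
}

# Run against real files before `ecs_certificate_tool.py upload_certificate`.
# Returns 0 only if the verdict is OK and the key matches the certificate.
preflight() {
    cert=$1; key=$2
    verdict=$(openssl x509 -text -noout -in "$cert" | classify_cert_text)
    echo "$verdict"
    case $verdict in OK*) ;; *) return 1 ;; esac
    # The public key inside the certificate must equal the one derived from the key.
    [ "$(openssl x509 -noout -pubkey -in "$cert")" = \
      "$(openssl pkey -pubout -in "$key")" ] ||
        { echo "key does not match certificate"; return 1; }
}

# Constructed sample: only the algorithm fields of the article's failing certificate.
SAMPLE_MISMATCH='Certificate:
    Data:
        Signature Algorithm: ecdsa-with-SHA512
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
    Signature Algorithm: ecdsa-with-SHA512'

printf '%s\n' "$SAMPLE_MISMATCH" | classify_cert_text
```

A `MISMATCH` or `UNSUPPORTED_KEY` verdict means the CSR has to be signed again with an RSA signature algorithm, or regenerated with an RSA key, before the upload is attempted.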
Even when the CSR is signed by a CA using the ECDSA algorithm, the key fails while being uploaded to ECS.
admin@ecsnode1:~/ecs_certificate_tool-1.6> python ecs_certificate_tool.py upload_certificate -c CKMxxxxxxx048-management-ssc.crt -p CKMxxxxxxxx048-management_private.key -m
ecs_certificate_tool v1.6
----------------------------------------------------------------------
Upload Certificate
----------------------------------------------------------------------
Authenticating using configured credentials..PASS
Reading certificate from: CKMxxxxxxx048-management-ssc.crt..DONE
Reading private key from: CKMxxxxxxx048-management_private.key..DONE
Backing up existing certificate if needed..
Backed up existing certificate to : /home/admin/ecs_certificate_tool-1.6/certificate_backups/CKMxxxxxxx048-management_2023-06-17-08-39-27.crt.backup
Uploading the certificate to ECS..Failed to upload certificate.
response: 1008Invalid parameter
Failed to load the private key.
false headers: {'Date': 'Sat, 17 Jun 2023 08:39:29 GMT', 'Content-Length': '209', 'Content-Type': 'application/xml', 'Connection': 'keep-alive'}
The certificate upload API expects an RSA key/certificate. Therefore, ECDSA is not supported by ECS.
Affected Products
ECS, Elastic Cloud Storage
Article Properties
Article Number: 000216060
Article Type: Solution
Last Modified: 02 Oct 2023
Version: 2