I'm trying very hard to get away from a set of Kemp Loadmasters that I bought years ago to provide HA access to our website. Part of that process is going to be putting the key and certificate in the new solution (HAproxy with nginx doing SSL). Unfortunately, I've come up against a problem...
The Kemp has built-in certificate management, and it generates CSRs at the touch of a button. It also supported importing of signed certificates; however, it does not, so far as I can tell, allow any kind of export of the key itself.
There is a "backup key and certificates" ability, however here's the text from the manual:
LoadMaster supports exporting of ALL certificate information.
This includes private key, host and intermediate certificates.
The export file is designed to be used for import into another
LoadMaster and is encrypted. Export and import can be completed
using the WUI at Certificates -> Backup/Restore Certs. Please
make sure to note the pass phrase used to create the export, it
will be required to complete the import.
You can selectively restore only Virtual Service certificates
including private keys, intermediate certificates or both.
Well, that is great, but as for actually DEALING with the certs, I'm apparently out of luck.
Of course, I'm not going to give up that easily. I ran "file" on the saved cert bundle and got this:
$ file client1.certs.backup
client1.certs.backup: gzip compressed data, from Unix
Well, awesome, I thought. Maybe it's just a .tar.gz, so I unzipped it, and that went fine, but my attempts to untar it didn't work, and running "file" on it now just gives this:
$ file client1.certs.backup
client1.certs.backup: data
So that's where I'm stuck. Anyone have experience with these?
Had the same problem. I took a blind guess that maybe it was encrypted with a symmetric openssl cipher.
Running: openssl enc -d -aes-256-cbc -in CertBackup > CertBackup.tar
And then entering my key store password worked, generating a tar file of all the certs and keys.
Why they would gzip the file after they encrypted it is beyond me...
Try peeking at the file with
od -c client1.certs.backup | less
to see if there is an obvious format that file isn't recognizing due to a prepended header. Another option would be to try
strings client1.certs.backup | less
to view the printable strings in the file.
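The header check suggested in the second answer and the `openssl enc` guess in the first can be combined into one magic-byte test. This is an added example, not code from either poster or from Kemp; the function names `hex_at`, `classify_backup` and `make_sample` are hypothetical, and it assumes the backup was written by `openssl enc` with a passphrase and salt, which prefixes the ciphertext with the ASCII string `Salted__`.

```shell
#!/bin/sh
# Added example: identify a certificate backup by its magic bytes.
# Function names are hypothetical; nothing here is vendor code.

# hex_at FILE OFFSET COUNT: print COUNT bytes at OFFSET as lowercase hex.
hex_at() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# classify_backup FILE: print [gzip+]openssl-salted | [gzip+]tar | [gzip+]unknown
classify_backup() {
    src=$1; prefix=""; tmp=""
    # gzip streams start with 1f 8b; unwrap that layer first.
    if [ "$(hex_at "$src" 0 2)" = "1f8b" ]; then
        tmp=$(mktemp) || return 1
        gzip -dc "$src" > "$tmp" || { rm -f "$tmp"; return 1; }
        src=$tmp; prefix="gzip+"
    fi
    # Assumption: a passphrase-encrypted `openssl enc` file begins with the
    # ASCII magic "Salted__" (53 61 6c 74 65 64 5f 5f), then an 8-byte salt.
    if [ "$(hex_at "$src" 0 8)" = "53616c7465645f5f" ]; then
        kind="openssl-salted"
    # A plain tar archive carries "ustar" at offset 257 of its first header.
    elif [ "$(hex_at "$src" 257 5)" = "7573746172" ]; then
        kind="tar"
    else
        kind="unknown"
    fi
    if [ -n "$tmp" ]; then rm -f "$tmp"; fi
    printf '%s%s\n' "$prefix" "$kind"
}

# Constructed sample, not a real LoadMaster backup: magic + salt + filler, gzipped.
make_sample() {
    printf 'Salted__\001\002\003\004\005\006\007\010constructed-filler' | gzip -c > "$1"
}

# Stand-alone use: classify each file named on the command line.
for arg in "$@"; do
    printf '%s: %s\n' "$arg" "$(classify_backup "$arg")"
done
```

A result of `gzip+openssl-salted` means the file must be decompressed before the `openssl enc -d -aes-256-cbc` command from the answer above is run with the export pass phrase. On OpenSSL 1.1.0 or later, a "bad decrypt" on a file written by an older build may mean the key was derived with the previous default digest, which `-md md5` selects.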