
Generated self-signed certificate, but key file isn't working right


1) Generated a self-signed certificate on CentOS 7.4 using the excellent answers at How to create a self-signed certificate with OpenSSL.

2) When I tell Jenkins container to use them, it stops working, saying that it can't read the .key file.

3) Checked the .key file using openssl, it is valid, but the key displayed by this check is NOT the same as in the .key file

4) Copied the displayed key to a new file, told Jenkins to use it. That works.

Why is the key generated by openssl not working but the one displayed by openssl check is?

Exact steps taken:

cd /etc/pki/tls/certs
vim openssl-config.conf
###openssl-config.conf file I created
[ req ]
default_bits        = 2048
default_keyfile     = server-key.pem
distinguished_name  = subject
req_extensions      = req_ext
x509_extensions     = x509_ext
string_mask         = utf8only
prompt              = no

[ subject ]
countryName         = countryA
localityName        = cityB
organizationName    = companyC
commonName          = server-nameD
emailAddress        = emailE

[ x509_ext ]
subjectKeyIdentifier        = hash
authorityKeyIdentifier    = keyid,issuer

basicConstraints        = CA:FALSE
keyUsage            = digitalSignature, keyEncipherment
subjectAltName          = @alternate_names
nsComment           = "OpenSSL Generated Certificate"

[ req_ext ]
subjectKeyIdentifier        = hash
basicConstraints        = CA:FALSE
keyUsage            = digitalSignature, keyEncipherment
subjectAltName          = @alternate_names
nsComment           = "OpenSSL Generated Certificate"

[ alternate_names ]
DNS.1       = DNS-name-1
DNS.2       = DNS-name-2
DNS.3       = DNS-name-3
DNS.4       = DNS-name-4
DNS.5       = DNS-name-5
DNS.6       = DNS-name-6
DNS.7       = DNS-name-7

openssl req -config ./openssl-config.conf -new -x509 -sha256 -newkey rsa:4096 -nodes -keyout certificate.key.pem -days 365 -out certificate.cert.pem

openssl rsa -in certificate.key.pem -check

vim fixed-key.key (paste in the key displayed by the above command)

At first glance, the old and new key look almost the same; the first one starts with

-----BEGIN PRIVATE KEY----- MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQDEzhA5iBOLImBw

While the new, working one starts with

-----BEGIN RSA PRIVATE KEY----- MIIJKQIBAAKCAgEAxM4QOYgTiyJgcBv5zg2qZjpLINt6fmub3JbIVmFaHKeC8Xvp

As you can see, the first one doesn't have RSA on the first line, but adding RSA in the right place on the first and last lines doesn't "fix" the key file. The old file is 3272 bytes long, the new file is 3243 bytes long.

What am I doing wrong?

I expected the key file to be either working or damaged, not something I can "fix" by displaying it again through the openssl check.


Solution

  • There is nothing wrong. The command you are using to generate the key outputs it in the PKCS#8 format. When you run the openssl rsa -in certificate.key.pem command, the key is converted to the PKCS#1 format. It's the same key, only in a different format.

    Jenkins probably doesn't support PKCS#8, so you have to use the PKCS#1 format.

    You can find the difference between PKCS#1 and PKCS#8 here: PKCS#1 and PKCS#8 format for RSA private key

    If you want to see the difference by yourself, you can use these commands:

    openssl asn1parse -in certificate.key.pem

    and

    openssl asn1parse -in fixed-key.key
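To make the "same key, different wrapper" point concrete without needing the openssl binary, here is an added example (not part of the question or the answer above) that builds both encodings of a toy RSA key in pure Python, then parses either PEM back to the same modulus and exponents. The key parameters (p = 1009, q = 1013, e = 65537) are constructed for the demonstration and are far too small for real use; all function names are this example's own.

```python
"""PKCS#1 "RSA PRIVATE KEY" vs PKCS#8 "PRIVATE KEY": same RSA key, different DER wrapper.

PKCS#1  RSAPrivateKey ::= SEQUENCE { version, n, e, d, p, q, dP, dQ, qInv }
PKCS#8  PrivateKeyInfo ::= SEQUENCE { version, AlgorithmIdentifier{rsaEncryption, NULL},
                                      OCTET STRING (containing the PKCS#1 blob) }
Stdlib only (Python 3.8+ for pow(e, -1, m)).
"""
import base64

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1

# ---- minimal DER encoder -------------------------------------------------

def der_len(n: int) -> bytes:
    """DER length: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_int(v: int) -> bytes:
    body = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:          # INTEGER is signed: pad so the value stays positive
        body = b"\x00" + body
    return b"\x02" + der_len(len(body)) + body


def der_seq(*items: bytes) -> bytes:
    body = b"".join(items)
    return b"\x30" + der_len(len(body)) + body


def pkcs1_der(p: int, q: int, e: int) -> bytes:
    """RSAPrivateKey from two primes (toy parameters; constructed for the example)."""
    n, d = p * q, pow(e, -1, (p - 1) * (q - 1))
    return der_seq(der_int(0), der_int(n), der_int(e), der_int(d), der_int(p), der_int(q),
                   der_int(d % (p - 1)), der_int(d % (q - 1)), der_int(pow(q, -1, p)))


def pkcs8_der(pkcs1: bytes) -> bytes:
    """Wrap a PKCS#1 blob in PrivateKeyInfo: version 0, rsaEncryption + NULL, OCTET STRING."""
    alg = der_seq(b"\x06" + der_len(len(RSA_ENCRYPTION_OID)) + RSA_ENCRYPTION_OID, b"\x05\x00")
    return der_seq(der_int(0), alg, b"\x04" + der_len(len(pkcs1)) + pkcs1)


def pem(label: str, der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"

# ---- minimal DER decoder -------------------------------------------------

def _tlv(buf: bytes, pos: int):
    """Decode one tag-length-value at pos; return (tag, value, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        nbytes = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + ln], pos + ln


def _seq_items(seq: bytes):
    items, pos = [], 0
    while pos < len(seq):
        tag, val, pos = _tlv(seq, pos)
        items.append((tag, val))
    return items


def load_rsa_private_key(pem_text: str) -> dict:
    """Accept either PEM label; unwrap PKCS#8 if present; return the RSAPrivateKey fields."""
    head, *body, _tail = pem_text.strip().splitlines()
    label = head.strip("-").split(" ", 1)[1]          # "RSA PRIVATE KEY" or "PRIVATE KEY"
    tag, outer, _ = _tlv(base64.b64decode("".join(body)), 0)
    if tag != 0x30:
        raise ValueError("top-level object is not a SEQUENCE")
    items = _seq_items(outer)
    if label == "PRIVATE KEY":                        # PKCS#8: check algorithm, then unwrap
        if _seq_items(items[1][1])[0][1] != RSA_ENCRYPTION_OID:
            raise ValueError("PrivateKeyInfo does not carry an RSA key")
        _, inner, _ = _tlv(items[2][1], 0)            # OCTET STRING holds the PKCS#1 blob
        items = _seq_items(inner)
    elif label != "RSA PRIVATE KEY":
        raise ValueError(f"unsupported PEM label {label!r}")
    n, e, d, p, q = (int.from_bytes(v, "big") for _, v in items[1:6])
    return {"format": label, "n": n, "e": e, "d": d, "p": p, "q": q}


def demo():
    """Both PEMs decode to the same key; only the DER wrapper (and PEM label) differ."""
    k1 = pkcs1_der(1009, 1013, 65537)                 # toy key, constructed for the example
    pem1, pem8 = pem("RSA PRIVATE KEY", k1), pem("PRIVATE KEY", pkcs8_der(k1))
    a, b = load_rsa_private_key(pem1), load_rsa_private_key(pem8)
    same_key = all(a[k] == b[k] for k in ("n", "e", "d", "p", "q"))
    roundtrip = pow(pow(42, b["e"], b["n"]), b["d"], b["n"]) == 42
    return a["format"], b["format"], same_key, roundtrip, len(pkcs8_der(k1)) - len(k1)


if __name__ == "__main__":
    print(demo())
```

The wrapper costs 22 DER bytes for this toy key (short-form lengths) and 26 bytes for a real 4096-bit key, where the outer SEQUENCE and OCTET STRING both need long-form lengths; the two base64 prefixes quoted in the question decode to total lengths 0x943 and 0x929, which differ by exactly that 26. With the openssl CLI the same conversion is `openssl pkcs8 -topk8 -nocrypt -in key1.pem -out key8.pem` (PKCS#1 to PKCS#8) and `openssl rsa -in key8.pem -out key1.pem` back; on OpenSSL 3.x add `-traditional` to that last command, since 3.x writes PKCS#8 by default. `openssl rsa -noout -modulus -in <file>` on both files is the quick check that they hold the same key, and because `-nodes` left the key unencrypted, both files deserve the same restrictive permissions.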