Entrust Datacard

Entrust Certificate Services Support Knowledge Base

Last Modified: 2016-07-05 16:19:22.0

Why do I receive the error "Inconsistent security configuration, java.lang.Exception: Cannot read private key from file"?

Article Number: 45737

Error Log Example:

<000297> java.lang.Exception: Cannot read private key from file /usr/local/bea/weblogic70 0/server/bin/sol8rlecsts_testcertificates_com-key.der. Make sure password specified in environment property weblogic.management.pkpassword is valid. at weblogic.security.service.SSLManager.getServerPrivateKey(SSLManager.java:436) at weblogic.t3.srvr.SSLListenThread.(SSLListenThread.java:153) at weblogic.t3.srvr.SSLListenThread.(SSLListenThread.java:122) at weblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java:1548) at weblogic.t3.srvr.T3Srvr.resume(T3Srvr.java:891) at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:300) at weblogic.Server.main(Server.java:32) <090034> <000354>

To Resolve This Issue

  1. If the private key is encrypted, convert the key to PEM format using the java utils der2pem command and modify the header as follows:
    ----------BEGIN ENCRYPTED PRIVATE KEY----------
    ...
    -----------END RSA PRIVATE KEY---------------------

    If the private key is not in PEM format, you receive the following exception:

    java.lang.Exception:Cannot read private key from file
    C:\bea700sp5\user_proects\mydomain\privatkey.der
    Make sure password specified in environnment property weblogic.management.pkpassword is valid.

    If the private key is unencrypted, use the java utils der.2pem command and modify the header as follows:

    ----------BEGIN RSA PRIVATE KEY----------
    ...
    ----------END RSA PRIVATE KEY----------

  2. Check to see if the digital certificate has an extra line at the end of the file. The following should be the last line of the certificate file:
    ----------END CERTIFICATE----------

    Remove any extra lines.

If the existing private key is not password protected, you do not need to specify the weblogic.management.pkpassword argument when starting the server.

When configuring the SSL protocol in the WebLogic Server Administration Console, note that the Key Encrypted attribute is not used to dictate whether or not the private key is password encrypted. The attribute is irrelevant if a password is not used for the private key passphrase.

If you want to import the converted private key and digital certificate into a keytore, use java utils.ImportPrivateKey.

TN6031

Affected Products:

  • Entrust Certificate Services 1 Year Advantage SSL Certificate Version Not Applicable Language Not Applicable Platform Not Applicable
  • Entrust Certificate Services 1 Year SSL Certificate Version Not Applicable Language Not Applicable Platform Not Applicable
  • Entrust Certificate Services 2 Year Advantage SSL Certificate Version Not Applicable Language Not Applicable Platform Not Applicable
  • Entrust Certificate Services 2 Year SSL Certificate Version Not Applicable Language Not Applicable Platform Not Applicable
  • Entrust Certificate Services Cert Admin Advantage Server Certificate 1 Year Version Not Applicable Language Not Applicable Platform Not Applicable
  • Entrust Certificate Services Cert Admin Advantage Server Certificate 2 Year Version Not Applicable Language Not Applicable Platform Not Applicable