Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: jssi.com
I ran this command:
openssl rsa -outform der -in /etc/letsencrypt/live/c.jssi.com/privkey.pem -out c.jssi.com.server.key
It produced this output:
139866769585472:error:0607907F:digital envelope routines:EVP_PKEY_get0_RSA:expecting an rsa key:../crypto/evp/p_lib.c:469:
root@fringe:/home/fringeadmin# grep '^VERSION' /etc/os-release
My web server is (include version):
Netscaler
The operating system my web server runs on is (include version):
Ubuntu 20.04.6 LTS
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.4.0
When I generated the key using the command "sudo certbot certonly --manual", I chose Update, not knowing it created a key in ECC format. My boss does not want to generate another key in RSA. Now, if I want to run the same command for ECC instead of RSA, what OpenSSL options should I use instead of "openssl rsa -outform der -in /etc/letsencrypt/live/c.jssi.com/privkey.pem -out c.jssi.com.server.key"?
OK; I was just trying to answer the OP's Help Topic Title "What openssl command to use with ECC key".
And I read that as not a supplied key but to generate the key.
As far as I know, and I am new to maintaining the certificate renewal, the Let's Encrypt certificate needs to be converted in order to be compatible with the Netscaler site. Does this make sense?
A certificate that Netscaler can understand. I ran this command and it worked: "openssl x509 -outform der -in /etc/letsencrypt/live/c.jssi.com/cert.pem -out c.jssi.com.server.cer", but the other command errored out. Obviously, I used the openssl rsa option, which was bad.
I've used that for .pem for the -in and for the -out, getting a .pem
Here is an example -out .pem
-----BEGIN PUBLIC KEY-----
MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEMg8UaQ3pfRRelsAK6iHv5pcKl1t5jiYu
uF4AaaLyGGuZhZJPGLVJfTxgDK3kJPdyz8ljhH2yn+lWZYtmiuNyt94zd4M7XEbU
LDk99w6c7/4EwWNEJc9jXHu9tOmHhAyD
-----END PUBLIC KEY-----
No worries. Problem resolved. My boss just got a new key with this command "sudo certbot certonly --manual --email -d c.jssi.com --key-type rsa --rsa-key-size 4096" and avoided the ECC mistake.
Certbot generates certificates in a format commonly known as PEM, which is a text-based encoding of the binary certificate data. The openssl x509 -outform der command you ran essentially converts it to the native binary format, also known as DER. The openssl rsa <blah> command you previously ran only operates on RSA keys, not certs. And there's an equivalent key-specific command for EC keys.
In any case, if you were able to successfully upload that DER version of the EC certificate, it means your device likely does support EC certs in general and you didn't need to switch back to RSA. I'm curious though whether you needed to convert the PEM-based RSA cert to DER as well? It would seem odd to me if the device required DER for EC certs, but could use DER or PEM for RSA certs.
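
The key-specific conversion mentioned above, as an added example that is not part of the original thread: the script picks `openssl ec` or `openssl rsa` by key type, writes the DER file readable by its owner only, and checks that the public key is unchanged by the conversion. It assumes OpenSSL 1.1.1 or later on the PATH; the function names and the P-384 test key are constructed for illustration.

```sh
#!/bin/sh
# Added example: convert a PEM private key to DER with the openssl subcommand
# that matches its algorithm. Function names are hypothetical; keys are throwaway.

# Print "EC", "RSA" or "unknown" for the PEM private key in $1.
key_type() {
    kt_text=$(openssl pkey -in "$1" -noout -text 2>/dev/null) || { echo unknown; return 0; }
    case $kt_text in
        *"ASN1 OID"*) echo EC ;;      # EC keys print their curve OID
        *modulus*)    echo RSA ;;     # RSA keys print a modulus
        *)            echo unknown ;;
    esac
}

# Convert PEM private key $1 to DER file $2 (SEC1 for EC, PKCS#1 for RSA).
pem_key_to_der() {
    (
        umask 077   # private key material: output readable by the owner only
        case $(key_type "$1") in
            EC)  openssl ec  -in "$1" -outform DER -out "$2" ;;
            RSA) openssl rsa -in "$1" -outform DER -out "$2" ;;
            *)   echo "unsupported or unreadable key: $1" >&2; exit 1 ;;
        esac
    )
}

# Print the PEM public key for a private key file $1 stored as $2 (PEM or DER).
public_key_of() {
    openssl pkey -inform "$2" -in "$1" -pubout
}

# Demo on a constructed P-384 key in a temporary directory.
demo() {
    d=$(mktemp -d) || return 1
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:secp384r1 \
        -out "$d/privkey.pem" 2>/dev/null || return 1
    echo "key type: $(key_type "$d/privkey.pem")"
    # The rsa subcommand from the thread rejects this key because it is not RSA.
    openssl rsa -in "$d/privkey.pem" -outform DER -out "$d/bad.key" 2>/dev/null \
        || echo "openssl rsa: rejected the EC key"
    pem_key_to_der "$d/privkey.pem" "$d/server.key" 2>/dev/null || return 1
    # Same public key before and after conversion means the DER file is intact.
    [ "$(public_key_of "$d/privkey.pem" PEM)" = "$(public_key_of "$d/server.key" DER)" ] \
        && echo "DER key matches the PEM key"
    rm -rf "$d"
}
demo
```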