Server 1 - Windows
Server 2 - Linux
I exported all the keys from Server 1 so that Server 2 has the exact same keys, but the leaf private key seems to be different despite importing on Server 2 the exact same key that I exported from Server 1.
Here is the image from Server 1
Here is the image from Server 2
As we can see, the root, intermediate and leaf have the same thumbprint but the leaf private key is different.
Will this cause any issues with the KDMs generated for Server 2?
Also, the leaf private key shows up with the same value for both decrypting and signing. Here is the image.
I am not sure if this is normal. Kindly guide.
Leaf private key discrepancy
-
- Posts: 139
- Joined: Wed Oct 04, 2017 4:49 am
Leaf private key discrepancy
-
- Site Admin
- Posts: 2697
- Joined: Thu Nov 14, 2013 2:53 pm
Re: Leaf private key discrepancy
It looks like something has gone wrong there. Did you export the certificates and key one-by-one (with Export certificate... and the Export button beside the private key thumbprint?)
-
- Posts: 139
- Joined: Wed Oct 04, 2017 4:49 am
Re: Leaf private key discrepancy
Yes. I exported the certificates and the key one by one and saved them to a file each and named the file explicitly so that there is no confusion while importing them back on the destination server.
-
- Posts: 241
- Joined: Mon Nov 13, 2017 8:40 pm
Re: Leaf private key discrepancy
It's a shot in the dark, this one here. Yet, I wonder if the error has to do with the display, and not the real values. Server 2 seems to be on a Linux distribution. So, maybe, one of the two versions/systems demonstrates not-appropriate info as values of the "Leaf private key".
With the same field title, one cannot rule out a mix-up on the variant.
Is there any other way (for instance CLI) to print those two private keys?
If there is, then one could rule out that kind of mix-up.
-
- Posts: 139
- Joined: Wed Oct 04, 2017 4:49 am
Re: Leaf private key discrepancy
Thanks for your response. I would like to think that what you mentioned is indeed the case here.
It's just that the value is not displayed correctly and it is the Linux server that demonstrates a not-appropriate info as values of the "Leaf private key".
I am sure there is a way to do this on the command line but I have not had time to dig into this further yet. However, I can confirm that the KDMs generated from Server 2 work just fine, so that affirms that it is just the display value that is being presented incorrectly somehow (it is version 2.16.99 installed).
-
- Posts: 241
- Joined: Mon Nov 13, 2017 8:40 pm
Re: Leaf private key discrepancy
Another way would be to export both files to a folder with names, say, a.pem and b.pem and run an MD5 check on them:
Code:
md5sum a.pem && md5sum b.pem
The MD5 sum of each file will be printed beside the file names. If they are different, it means that the certificates are different. I tried that on an Ubuntu distribution, with the latest version (2.18.10).
The catch here is that if they are the same, it could mean either that they are the same, or an error/bug on export as well, in the same sense that the demonstration of the key is wrong. But having two related bugs affecting the same object would be even less likely. It would most probably mean that the certificates are indeed the same and the fact that the KDMs work has to do with the fact that signing and decrypting are two different functions.
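Added example (not part of the original posts and not DCP-o-matic code): a raw file hash of two exported PEM files can differ purely because of line endings or line wrapping, so this sketch hashes the decoded key bytes instead. It assumes unencrypted PEM files in the same container format; the function names are hypothetical and the sample data is constructed placeholder bytes, not a real key.

```python
import base64
import hashlib
import re

# Matches one PEM block; the label (e.g. "PRIVATE KEY") must be identical
# on the BEGIN and END lines.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.DOTALL
)


def pem_der_digest(pem_text):
    """Return (label, SHA-256 hex of the decoded DER bytes) of the first PEM block."""
    match = PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no PEM block found")
    label, body = match.group(1), match.group(2)
    # Drop all whitespace so CRLF vs LF and line wrapping cannot affect the result.
    b64 = "".join(body.split())
    der = base64.b64decode(b64, validate=True)
    return label, hashlib.sha256(der).hexdigest()


def same_key_material(pem_a, pem_b):
    """True when both PEM texts carry the same label and identical DER bytes."""
    return pem_der_digest(pem_a) == pem_der_digest(pem_b)


def constructed_pem(der, newline, width):
    """Build a sample PEM text (constructed test data, not a real key)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return newline.join(["-----BEGIN PRIVATE KEY-----", *lines,
                         "-----END PRIVATE KEY-----", ""])


# Constructed sample: the same 96 placeholder bytes written with LF and
# 64-column wrapping, and with CRLF and 76-column wrapping.
SAMPLE_DER = bytes(range(96))
LINUX_STYLE = constructed_pem(SAMPLE_DER, "\n", 64)
WINDOWS_STYLE = constructed_pem(SAMPLE_DER, "\r\n", 76)

if __name__ == "__main__":
    # MD5 is used here only to mirror what md5sum does on the raw files.
    raw_a = hashlib.md5(LINUX_STYLE.encode()).hexdigest()
    raw_b = hashlib.md5(WINDOWS_STYLE.encode()).hexdigest()
    print("raw file hashes equal:", raw_a == raw_b)
    print("decoded key bytes equal:", same_key_material(LINUX_STYLE, WINDOWS_STYLE))
```

The digest is computed over the decoded bytes and is not necessarily the value the application displays as a thumbprint; it is only meant for comparing two exports with each other.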
-
- Site Admin
- Posts: 2697
- Joined: Thu Nov 14, 2013 2:53 pm
Re: Leaf private key discrepancy
Hi, thanks for the report. This is a bug in DCP-o-matic - I'll make a new release soon. I suspect things will mostly work, except you may have problems using KDMs on the Linux version as the private key is being incorrectly read, as far as I can see.