Following on from my earlier post: -
I started seeing the same Bad message error when adding a certificate into a keyring: -
keyctl padd asymmetric foo @u < ~/ssl/server.crt
add_key: Bad message
even though the required kernel module was loaded: -
lsmod | grep pkcs
pkcs8_key_parser 16384 0
and this appeared to be a valid certificate: -
file ~/ssl/server.crt
/home/hayd/ssl/server.crt: PEM certificate
openssl verify -verbose -CAfile ~/ssl/etcd-ca.crt ~/ssl/server.crt
/home/hayd/ssl/server.crt: OK
so, as per the above, the certificate is stored in Privacy Enhanced Mail (PEM) format: -
PEM or Privacy Enhanced Mail is a Base64 encoded DER certificate. PEM certificates are frequently used for web servers as they can easily be translated into readable data using a simple text editor. Generally when a PEM encoded file is opened in a text editor, it contains very distinct headers and footers.
Source: What is PEM Format?
Jumping to the conclusion that keyctl might require a different format, e.g. Distinguished Encoding Rules (DER), instead: -
DER (Distinguished Encoding Rules) is a binary encoding for X.509 certificates and private keys. Unlike PEM, DER-encoded files do not contain plain text statements such as -----BEGIN CERTIFICATE-----. DER files are most commonly seen in Java contexts.
I regenerated the certificate: -
openssl x509 -req -extfile <(printf "subjectAltName=DNS:localhost,DNS:genctl-etcd-cluster.genctl.svc,DNS:genctl-etcd-cluster-client.genctl.svc") -days 365 -in ~/ssl/server.csr -CA ~/ssl/etcd-ca.crt -CAkey ~/ssl/etcd-ca.key -CAcreateserial -out ~/ssl/server.der -outform der
in DER format (via -outform der) and verified it: -
file ~/ssl/server.der
/home/hayd/ssl/server.der: data
and then imported it using keyctl: -
export description="Test1"
keyctl padd asymmetric $description @u < ~/ssl/server.der
526852507
and validated thusly: -
keyctl list @u
1 key in keyring:
526852507: --als--v 1000 1000 asymmetric: Test1
Nice!
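The underlying reason for the Bad message error is that the kernel's asymmetric key parsers consume raw DER only; a PEM file starts with the ASCII text "-----BEGIN", not the 0x30 SEQUENCE tag that opens every DER-encoded certificate, so no parser accepts the payload and add_key fails. The following is an added example (not code from the original post) that checks a blob before it is piped into keyctl padd: it detects PEM, unwraps the Base64 body into DER, and confirms the outer element is a SEQUENCE whose declared length spans the whole payload. The check is deliberately shallow (outer tag and length only, not a full X.509 parse), and the sample payload is a constructed five-byte SEQUENCE, not a real certificate.

```python
import base64
import re

# Constructed sample: DER for SEQUENCE { INTEGER 5 }. Not a real certificate,
# but it has the same outer shape (0x30 tag + length) the kernel expects.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])

# The same bytes wrapped the way openssl's -outform pem would wrap them.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode()
    + "-----END CERTIFICATE-----\n"
)

_PEM_RE = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S
)


def is_pem(blob: bytes) -> bool:
    """PEM is recognisable from its text header; DER never starts with '-'."""
    return blob.lstrip().startswith(b"-----BEGIN ")


def pem_to_der(blob: bytes) -> bytes:
    """Strip the PEM armour and Base64-decode the body into DER bytes."""
    match = _PEM_RE.search(blob)
    if not match:
        raise ValueError("not a PEM block")
    body = b"".join(match.group(2).split())  # drop the 64-column line breaks
    return base64.b64decode(body, validate=True)


def der_outer_element(blob: bytes):
    """Parse the outer tag and length; return (tag, length, header_len) or None."""
    if len(blob) < 2:
        return None
    tag, first = blob[0], blob[1]
    if first < 0x80:                      # short-form length
        return tag, first, 2
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(blob) < 2 + n:
        return None
    length = int.from_bytes(blob[2:2 + n], "big")
    return tag, length, 2 + n


def looks_like_der_certificate(blob: bytes) -> bool:
    """Outer element must be a SEQUENCE (0x30) covering exactly the blob."""
    parsed = der_outer_element(blob)
    if parsed is None:
        return False
    tag, length, header_len = parsed
    return tag == 0x30 and header_len + length == len(blob)


def prepare_for_keyctl(blob: bytes) -> bytes:
    """Return DER bytes suitable for 'keyctl padd asymmetric', converting PEM if needed."""
    if is_pem(blob):
        blob = pem_to_der(blob)
    if not looks_like_der_certificate(blob):
        raise ValueError("payload is not a DER SEQUENCE; add_key would report Bad message")
    return blob


if __name__ == "__main__":
    # Demonstrates that the PEM form is rejected by the shape check while the
    # unwrapped DER form passes.
    print("PEM passes DER check:", looks_like_der_certificate(SAMPLE_PEM.encode()))
    print("converted DER passes:", looks_like_der_certificate(prepare_for_keyctl(SAMPLE_PEM.encode())))
```

In practice there is no need to re-sign the certificate as the post does: an existing PEM certificate can be converted with openssl x509 -in ~/ssl/server.crt -outform der -out ~/ssl/server.der and then piped into keyctl padd as before. The shape check above is useful as a pre-flight test in scripts that load keys into the kernel, because add_key's Bad message gives no hint about which of several possible encoding problems it hit.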