Comments - Certificate Creation with OpenSSL

3 years, 5 months ago Jean Weisbuch

Creating the private certificate with openssl req -newkey [...] does create the file in the PKCS#8 format (at least since Debian Wheezy) which is not recognised by YaSSL.

MariaDB 10.1 shipped with Debian Stretch is linked with YaSSL and thus cannot load the certificate (leading to a SSL error: Unable to get private key from '/path/to/key.pem' error and SSL not working) but MariaDB 10.1 from the repository is linked with OpenSSL and does load the certificate without any issue.

The solution is to convert the certificate from PKCS#8 to PKCS#1 using a command such as: openssl rsa -in pkcs8.key -out pkcs1.key

Or to use a MariaDB binary that is linked to OpenSSL and not YaSSL.

More infos on

PS: PKCS#1 files start with -----BEGIN RSA PRIVATE KEY----- while PKCS#8 starts with -----BEGIN PRIVATE KEY-----
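
A preflight check built on the header lines quoted in the comment above, as an added example that is not part of the original comment or of MariaDB's documentation. The function names key_format and to_pkcs1 are hypothetical; the script assumes an unencrypted RSA key and also recognises the encrypted PKCS#8 label, which the comment does not mention. OpenSSL 3.x writes PKCS#8 from openssl rsa unless -traditional is given, so the result is confirmed by its header rather than assumed.

```shell
#!/bin/sh
# Added example: check and convert a server key before pointing a
# YaSSL-linked MariaDB at it.

# Print the container format of a PEM private key, judged by its first line.
key_format() {
    case "$(head -n 1 "$1" | tr -d '\r')" in
        "-----BEGIN RSA PRIVATE KEY-----")       echo pkcs1 ;;
        "-----BEGIN PRIVATE KEY-----")           echo pkcs8 ;;
        "-----BEGIN ENCRYPTED PRIVATE KEY-----") echo pkcs8-encrypted ;;
        *)                                       echo unknown ;;
    esac
}

# Convert an RSA key to PKCS#1 and confirm the output by its header.
# Usage: to_pkcs1 pkcs8.key pkcs1.key
# The body runs in a subshell so the umask change stays local.
to_pkcs1() (
    umask 077    # key material: new file readable by the owner only
    flag=""
    # Pass -traditional only where this openssl build knows the option;
    # older builds write PKCS#1 from "openssl rsa" without it.
    if openssl rsa -help 2>&1 | grep -q -- '-traditional'; then
        flag="-traditional"
    fi
    openssl rsa $flag -in "$1" -out "$2" || exit 1
    if [ "$(key_format "$2")" != pkcs1 ]; then
        echo "conversion did not produce PKCS#1: $2" >&2
        exit 1
    fi
)
```

Run key_format on the converted file again after any later re-export, since a newer OpenSSL can silently hand back PKCS#8.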
