I am not sure what options to use when storing a CloudSQL SSL certificate in the Google Cloud key chain; my import job fails. Which are the correct encryption options for a client SSL certificate?

    # Create a Cloud SQL client certificate; the private key is written to ~/client-key.pem
    gcloud sql ssl client-certs create devDb-prv-key ~/client-key.pem --instance=devDb

    # Create a Cloud KMS import job (the import method is the wrapping scheme,
    # it is not the algorithm of the key being imported)
    gcloud kms import-jobs create postges-prv-key-import \
        --location $GPC_REGION \
        --keyring $KMS_RING \
        --import-method rsa-oaep-3072-sha1-aes-256 \
        --protection-level software

    # Create the target key without an initial version; the imported material
    # will become its first version
    gcloud kms keys create private-postgres-ssl-key \
        --location $GPC_REGION  \
        --keyring $KMS_RING \
        --purpose asymmetric-encryption \
        --default-algorithm=rsa-decrypt-oaep-3072-sha256 \
        --skip-initial-version-creation

    # Import the private key file as a new version of the target key
    gcloud kms keys versions import \
        --import-job postges-prv-key-import \
        --location $GPC_REGION \
        --keyring $KMS_RING \
        --key private-postgres-ssl-key \
        --algorithm rsa-decrypt-oaep-3072-sha256 \
        --target-key-file ~/client-key.pem

The result is the errors shown in the attached screenshots (not reproduced here).

rossco
  • The private key (client-key.pem) is in PKCS #1 PEM encoding. Google Cloud KMS requires PKCS #8 DER encoding. You will need to convert the private key file first. I think this command will work: `openssl pkcs8 -topk8 -inform PEM -outform DER -in ~/client-key.pem -out ~/client-key.der -nocrypt` – John Hanley Mar 10 '21 at 09:26
  • Afraid that didn't work, same error as screen shot in the question – rossco Mar 11 '21 at 05:46
  • Include the header of the client-key so that I can see the format. – John Hanley Mar 11 '21 at 05:47
  • The header is just `-----BEGIN RSA PRIVATE KEY-----` – rossco Mar 11 '21 at 05:49
  • Sorry, that RSA header is on a brand new key extracted from CloudSQL. After running your suggested openssl command the header becomes some binary ```0%tnA(VN-co-_7L PL>Et( _uwRGfpk!gtFW&{gS2?P$I2``` – rossco Mar 11 '21 at 05:55
  • The PEM format is what I expected. The converted file is binary. That is what DER is. You can display the contents of a DER file with openssl. For the error, check Stackdriver for HSM messages that indicate why the import failed. You did try the import again with the converted file and not the original? – John Hanley Mar 11 '21 at 06:05
  • Yep, the same error came from the new converted file client-key.der and also from the original. The only entries in Logging are ```audit_log, method: "ImportCryptoKeyVersion",``` to indicate the import is starting, then nothing after that – rossco Mar 11 '21 at 06:17
  • Since the question is quite old, did you find any solution for it? – Ruben M Apr 23 '21 at 16:57
  • Nope, still not sure how to do this – rossco Apr 24 '21 at 22:19

2 Answers

I tested this in my environment and was able to import the key successfully; see the attached screenshots.

The algorithm rsa-decrypt-oaep-3072-sha256 does not match the length of the actual key being imported, so replace it with rsa-decrypt-oaep-2048-sha256 in the `gcloud kms keys versions import` command.

Example:

    gcloud kms keys versions import --import-job job-name --location us-central1 --keyring key-ring-name --key key-name --algorithm rsa-decrypt-oaep-2048-sha256 --target-key-file client-key.der

Use the command below to list key versions and their state.

    gcloud kms keys versions list --keyring key-ring-name --location us-central1 --key key-name

Note: Convert the private key to DER format and use that file for the import. To convert the file to DER format you can also use the command below.

    openssl pkey -in <~/client-key.pem> -outform DER -out <~/client-key.der>

(screenshot: key import failed)

(screenshot: key import successful)
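The two fixes above (convert the key to unencrypted PKCS #8 DER, and pick a `--algorithm` whose RSA size matches the key) can be checked locally with openssl before touching KMS, which avoids a failed import that leaves only an `ImportCryptoKeyVersion` audit entry behind. The script below is an added example, not code from the question or the answers: it reads the modulus size from the key, maps it to the Cloud KMS `rsa-decrypt-oaep-<bits>-sha256` algorithm, converts the key, verifies the DER parses back, and prints the matching `gcloud` import command instead of running it. The `KMS_JOB`, `KMS_KEY`, `KMS_RING` and `KMS_LOCATION` placeholder variables are assumptions you fill in; the import job's wrapping method (`rsa-oaep-3072-sha1-aes-256` in the question) is independent of the target key size and is not changed here.

```shell
#!/bin/sh
# Added example: pre-flight checks for importing a Cloud SQL client private key
# into Cloud KMS. Requires openssl; does not call gcloud.

# Print the first PEM armor label of a key file, e.g. "BEGIN RSA PRIVATE KEY"
# (PKCS #1, what Cloud SQL hands out) or "BEGIN PRIVATE KEY" (PKCS #8).
pem_header() {
    sed -n '1s/^-----\(.*\)-----$/\1/p' "$1"
}

# Print the RSA modulus size in bits of a PEM private key (PKCS #1 or PKCS #8).
# The sed pattern copes with the slightly different "Private-Key:" banners
# printed by OpenSSL 1.0, 1.1 and 3.x.
rsa_key_bits() {
    openssl pkey -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# Map a modulus size to the Cloud KMS asymmetric-decryption algorithm of the
# same size. A mismatch (3072-bit algorithm for a 2048-bit key) is exactly the
# failure in the question, so anything unexpected is rejected here.
kms_algorithm_for_bits() {
    case "$1" in
        2048) echo rsa-decrypt-oaep-2048-sha256 ;;
        3072) echo rsa-decrypt-oaep-3072-sha256 ;;
        4096) echo rsa-decrypt-oaep-4096-sha256 ;;
        *) echo "unsupported RSA key size for Cloud KMS import: '$1' bits" >&2; return 1 ;;
    esac
}

# Convert a PEM private key to unencrypted PKCS #8 DER ($2), the format Cloud KMS
# import expects, then prove the DER parses back. Output is binary, so a
# "garbled" header when you cat the file is expected.
convert_to_pkcs8_der() {
    openssl pkcs8 -topk8 -nocrypt -inform PEM -in "$1" -outform DER -out "$2" \
        && openssl pkey -inform DER -in "$2" -noout >/dev/null 2>&1
}

# Print the gcloud import command for a converted key file ($1) of $2 bits.
# Placeholder variables are assumptions; set them before running the output.
kms_import_command() {
    alg=$(kms_algorithm_for_bits "$2") || return 1
    cat <<EOF
gcloud kms keys versions import \\
    --import-job "\${KMS_JOB:-postges-prv-key-import}" \\
    --location "\${KMS_LOCATION:-us-central1}" \\
    --keyring "\${KMS_RING:-key-ring-name}" \\
    --key "\${KMS_KEY:-private-postgres-ssl-key}" \\
    --algorithm $alg \\
    --target-key-file "$1"
EOF
}

# Usage: sh import-check.sh ~/client-key.pem ~/client-key.der
if [ $# -eq 2 ]; then
    echo "input format: $(pem_header "$1")"
    bits=$(rsa_key_bits "$1")
    echo "modulus size: ${bits:-unknown} bits"
    convert_to_pkcs8_der "$1" "$2" || { echo "conversion failed" >&2; exit 1; }
    echo "wrote PKCS #8 DER to $2; run:"
    kms_import_command "$2" "$bits"
fi
```

If `rsa_key_bits` prints 2048 for the Cloud SQL key, the command printed will use rsa-decrypt-oaep-2048-sha256, which is the change the answer above describes; the import job and the `--default-algorithm` given to `gcloud kms keys create` should be created with the same algorithm.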

You should check the official documentation to manage your keys in CloudSQL.

Also review if your keys are supported.

Ruben M