You may have errors when you import wrapped keys.

These troubleshooting steps are for Linux or macOS. You must use OpenSSL to follow the steps below. Make sure your version is OpenSSL 1.0.1s or higher, and not LibreSSL.

To check your OpenSSL version, run the command openssl version in your terminal.
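
A pre-flight check for the requirement above, as an added example that is not part of the original page: it parses the output of openssl version and accepts only OpenSSL 1.0.1s or higher, rejecting LibreSSL and older builds. The function names openssl_version_ok and preflight are assumptions made for this example.

```shell
#!/bin/bash
# Added example, not from the original page. Function names are hypothetical.

# openssl_version_ok "<output of 'openssl version'>"
# Returns 0 only for OpenSSL 1.0.1s or higher; LibreSSL, older builds and
# unparseable strings return 1.
openssl_version_ok() {
    local name rest ver num letter major minor patch old_ifs
    name=${1%% *}                   # first word: OpenSSL or LibreSSL
    [ "$name" = "OpenSSL" ] || return 1
    rest=${1#* }
    ver=${rest%% *}                 # e.g. 1.0.1s, 1.0.2k-fips, 3.0.2
    ver=${ver%%-*}                  # drop build tags such as -fips
    num=${ver%%[a-z]*}              # numeric part, e.g. 1.0.1
    letter=${ver#"$num"}            # patch letter(s), e.g. s (may be empty)
    case "$num" in ''|*[!0-9.]*) return 1 ;; esac

    # Split the numeric part on dots into major, minor and patch.
    old_ifs=$IFS; IFS=.; set -- $num; IFS=$old_ifs
    major=${1:-0} minor=${2:-0} patch=${3:-0}

    # Compare against 1.0.1s, most significant field first.
    [ "$major" -gt 1 ] && return 0
    [ "$major" -lt 1 ] && return 1
    [ "$minor" -gt 0 ] && return 0
    [ "$patch" -gt 1 ] && return 0
    [ "$patch" -lt 1 ] && return 1
    # Exactly 1.0.1: the patch letter must be s or later.
    case "$letter" in [s-z]*) return 0 ;; *) return 1 ;; esac
}

# Run the check against the openssl binary found on PATH.
preflight() {
    if openssl_version_ok "$(openssl version 2>/dev/null)"; then
        echo "OK: $(openssl version)"
    else
        echo "Unsupported: need OpenSSL 1.0.1s or higher, not LibreSSL" >&2
        return 1
    fi
}
```

Source the file and call preflight before you run the conversion script.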

To troubleshoot problems with wrapped keys:

  1. Create a bash script that contains these commands:
    #!/bin/bash
    # Convert exported asymmetric key to PKCS1 format
    # The command below changes the PUBLIC KEY label
    # to display as RSA PUBLIC KEY and writes the result
    # to a file with the pkcs8.pem suffix.
    sed -e "s/BEGIN PUBLIC/BEGIN RSA PUBLIC/g" -e "s/END PUBLIC/END RSA PUBLIC/g" "$1" > "$1.pkcs8.pem"
    # The command below reads the relabeled key and writes it back out
    # with the header added, to a file with the pkcs1.pem suffix.
    openssl rsa -RSAPublicKey_in -in "$1.pkcs8.pem" -pubout > "$1.pkcs1.pem"
  2. Save the script to the same directory where you stored your BYOK asymmetric key.
  3. Make the script executable.
    chmod +x <script name>
    Where <script name> is the name of the bash script.
  4. Open a terminal and run the script against the asymmetric key:
    <script file> <asymmetric key file>
    For example, if your script is named convertPublicKey.sh and the key file is named myPublicKey.pem, the command is:
    sh convertPublicKey.sh myPublicKey.pem

    This generates two pem files. One has a pkcs8.pem suffix and one has a pkcs1.pem suffix. For example, if you convert myPublicKey.pem, the script outputs myPublicKey.pem.pkcs8.pem and myPublicKey.pem.pkcs1.pem.
  5. Import the file with the pkcs1.pem suffix into your HSM.