unable to load CA private key

Posted on April 3, 2026
140384765912384:error:28078065:UI routines:UI_set_result_ex:result too small:../crypto/ui/ui_lib.c:905:You must type in 4 to 1023 characters
Enter pass phrase for /home/dcnoc/easy-rsa/pki/private/ca.key:
unable to load CA private key
140384765912384:error:2807106B:UI routines:UI_process:processing error:../crypto/ui/ui_lib.c:545:while reading strings
140384765912384:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:../crypto/evp/evp_enc.c:610:
140384765912384:error:0906A065:PEM routines:PEM_do_header:bad decrypt:../crypto/pem/pem_lib.c:461:

Easy-RSA error:

signing failed (openssl output above may have more detail)



Hey!

That error usually means the passphrase for ca.key is wrong, or the key file is corrupted.

The important parts are bad decrypt and unable to load CA private key. Easy-RSA is trying to open the CA private key, but OpenSSL cannot decrypt it with the passphrase you entered.

A few things to check:

  • Make sure you are entering the exact passphrase for /home/dcnoc/easy-rsa/pki/private/ca.key

  • Check that the key file is not truncated or damaged

  • Make sure you are using the correct ca.key, especially if you copied files from another server

  • If this started after moving files between systems, verify file permissions and line endings too

If the passphrase is lost, you usually cannot recover that key. In that case the usual fix is to create a new CA and reissue the certs, unless you have a backup of the original key.

Heya, @3c7b2aa335e446b185117de796da05

The key is encrypted and there’s no real way around it, you’d have to rebuild the CA from scratch with init-pki and build-ca, then re-sign everything. Not fun but sometimes unavoidable.

One quick thing you can do to confirm the passphrase itself is the problem before going further - run openssl rsa -in ~/easy-rsa/pki/private/ca.key -check -noout directly. It’ll prompt you and tell you immediately if the password is right or wrong, which at least rules out anything weird happening inside Easy-RSA.

What were you trying to do when this came up, signing a new cert?
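
The file checks listed in the first answer (truncation, line endings, permissions) can be scripted and run before the passphrase test suggested in the second answer. This is an added example, not code from the thread or from Easy-RSA; the function names `check_pem_key` and `write_sample_key` are hypothetical, and the sample key body is a constructed placeholder.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): structural checks on a PEM private key.
# Prints one finding per line; returns 1 if the file looks damaged, else 0.
check_pem_key() {
    local key="$1" rc=0 begin end body
    [ -r "$key" ] || { echo "fail: cannot read $key"; return 1; }

    # Group/other permission bits set on a private key are worth fixing.
    [ "$(ls -ld "$key" | cut -c5-10)" = "------" ] ||
        echo "warn: key is accessible to group or others"

    # Carriage returns point to a copy through a tool that rewrote line endings.
    if grep -q "$(printf '\r')" "$key"; then
        echo "warn: CRLF line endings present"
    fi

    # A truncated file usually lacks its END line or has mismatched labels.
    begin=$(tr -d '\r' < "$key" | sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' | head -n1)
    end=$(tr -d '\r' < "$key" | sed -n 's/^-----END \(.*\)-----$/\1/p' | tail -n1)
    if [ -z "$begin" ] || [ "$begin" != "$end" ]; then
        echo "fail: BEGIN/END markers missing or mismatched"; rc=1
    fi

    # Base64 body (header lines such as DEK-Info contain ':' and are skipped).
    body=$(grep -v -e '^-----' -e ':' "$key" | tr -d ' \r\n')
    if [ -z "$body" ] || [ $(( ${#body} % 4 )) -ne 0 ]; then
        echo "fail: base64 body empty or not a multiple of 4 characters"; rc=1
    fi

    # Both encrypted PEM styles require the passphrase at load time.
    if [ "$begin" = "ENCRYPTED PRIVATE KEY" ] || grep -q '^Proc-Type: 4,ENCRYPTED' "$key"; then
        echo "info: key is passphrase-protected"
    fi
    return "$rc"
}

# Constructed sample (placeholder body, not key material) for trying the function.
write_sample_key() {
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' \
        'Q09OU1RSVUNURUQtU0FNUExF' '-----END ENCRYPTED PRIVATE KEY-----' > "$1"
    chmod 600 "$1"
}
```

If this prints no `fail` lines and the `openssl rsa -in ... -check -noout` test from the answer above still ends in bad decrypt, the passphrase is the remaining suspect.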
