[Bug 942856] Re: NetworkManager does not support AES-encrypted private keys for WPA 802.1x authentication

Bug Watch Updater 942856 at bugs.launchpad.net
Fri Sep 27 05:55:30 UTC 2019

Launchpad has imported 2 comments from the remote bug at

On 2012-02-28T19:55:16+00:00 Walter Mundt wrote:

NetworkManager does not appear to support private keys encrypted with
AES. At the very least, it will not validate such a key in nm-util when
setting up a WPA 802.1x TLS wifi connection.

To test via nm-applet:

1. Start with a working (cleartext or DES-3) private key/cert for a network. Set up a connection and verify that everything works.
2. Re-encrypt the key with AES-256 with this command: "openssl rsa -in working-key.pem -out aes-key.pem -aes256" (the output should have a line starting with "DEK-Info: AES-256-CBC,")
3. Delete the settings for the test network and attempt to reconnect using the new key. Even with the correct passphrase, the "Connect" button will remain disabled; debugging output will show that nm-util is failing to validate the private key.

Workaround for anyone running into this issue: Re-encrypt your key with
DES-3.  The incantation is
"openssl rsa -in aes-key.pem -out working-key.pem -des3".

Reply at: https://bugs.launchpad.net/ubuntu/+source/network-

On 2012-02-29T19:04:00+00:00 Walter Mundt wrote:

Specific version information, as requested on the Ubuntu bug at
https://bugs.launchpad.net/network-manager/+bug/942856 and added here in
case it's useful upstream:

Ubuntu Release: 11.10
network-manager version:
network-manager-gnome version:

FWIW, based on my cursory examination of the code, the issue does not
appear to be introduced by any Ubuntu packages.

This may be classifiable as "enhancement" or "wishlist" depending on
whether feature parity with openssl is part of the "current feature set"
of the application.  Based on my searches today, there's no common
standard for specifying anything more elaborate than a DES cipher in the
DEK-Info header of a PEM file.

Still, it would be nice to at least have some kind of error message
about the key format being unsupported instead of this case just getting
treated as if the key passphrase is always incorrect by the UI.

Reply at: https://bugs.launchpad.net/ubuntu/+source/network-

** Changed in: network-manager
       Status: Unknown => Confirmed

** Changed in: network-manager
   Importance: Unknown => Wishlist
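
An added example, not part of the bug report or of NetworkManager's code: reading the Proc-Type and DEK-Info headers of a traditional PEM key so that an unsupported cipher can be reported separately from a wrong passphrase, as the second comment asks. The function names and the SUPPORTED_CIPHERS set are hypothetical; the set reflects only what the report states (DES-3 works, AES-256 does not).

```python
import re

# Assumption taken from this report: DES-3 ("DES-EDE3-CBC") keys validate and
# AES ones do not. This is not NetworkManager's own cipher table.
SUPPORTED_CIPHERS = {"DES-EDE3-CBC"}
BEGIN_RE = re.compile(r"^-----BEGIN ([A-Z0-9 ]*PRIVATE KEY)-----$")
HEADER_RE = re.compile(r"^([A-Za-z-]+):\s*(.*?)\s*$")


def classify_private_key(pem_text):
    """Return (status, cipher) for the first private key block in pem_text.
    status is one of: cleartext, encrypted-supported, encrypted-unsupported,
    pkcs8-encrypted, malformed, no-key. cipher is the DEK-Info name or None.
    """
    lines = pem_text.splitlines()
    for i, line in enumerate(lines):
        begin = BEGIN_RE.match(line.strip())
        if not begin:
            continue
        if begin.group(1) == "ENCRYPTED PRIVATE KEY":
            return ("pkcs8-encrypted", None)  # cipher lives in the ASN.1 body
        headers = {}
        for header_line in lines[i + 1:]:
            h = HEADER_RE.match(header_line)
            if not h:
                break  # blank line or first base64 line ends the headers
            headers[h.group(1).lower()] = h.group(2)
        if "proc-type" not in headers:
            return ("cleartext", None)
        if headers["proc-type"].replace(" ", "") != "4,ENCRYPTED" or "dek-info" not in headers:
            return ("malformed", None)
        cipher, _, iv_hex = headers["dek-info"].partition(",")
        cipher = cipher.strip().upper()
        if not re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", iv_hex.strip()):
            return ("malformed", cipher)
        status = "encrypted-supported" if cipher in SUPPORTED_CIPHERS else "encrypted-unsupported"
        return (status, cipher)
    return ("no-key", None)


def constructed_key(dek_info=None):
    # Constructed sample: the body is a placeholder, not real key material.
    head = f"Proc-Type: 4,ENCRYPTED\nDEK-Info: {dek_info}\n\n" if dek_info else ""
    return f"-----BEGIN RSA PRIVATE KEY-----\n{head}Q09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n"


if __name__ == "__main__":
    for dek in (None, "DES-EDE3-CBC,0123456789ABCDEF", "AES-256-CBC," + "0F" * 16):
        print(classify_private_key(constructed_key(dek)))
```

A caller that gets "encrypted-unsupported" can show the cipher name to the user before asking for a passphrase at all.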
