The server-key.pem file that was generated for SSL communication using OpenSSL commands, and that caused the error "Input stream does not contain valid private key", was in the older format (PKCS1), which is not supported by the gRPC framework currently used for Client-Manager communication. Converting the server key to the latest, supported format (PKCS8) resolved the issue.
After Capital moved away from CORBA to gRPC for Client-Manager communication, manager_cert and client_cert were replaced with certificates in PEM format (newly introduced and placed under CHS_HOME/config/tlscerts).
PEM (Privacy Enhanced Mail) is a commonly used container format for cryptographic information. It may contain the public certificate or the entire SSL chain, i.e. root certificates, public and private keys. More information about it can be found on the Internet, for example at https://www.ssl.com/guide/pem-der-crt-and-cer-x-509-encodings-and-conversions/
The cause of the issue is that the server-key.pem used in this case was in the older format (PKCS1, also known as the traditional format). This is identified by the header in the .pem file ("-----BEGIN RSA PRIVATE KEY-----"). The latest format is PKCS8, which has a slightly different header ("-----BEGIN PRIVATE KEY-----").
The older PKCS1 format of the server-key.pem is not supported by gRPC, which only supports the latest PKCS8 format.
Converting the server-key to the latest format resolved the issue, resulting in a successful SSL handshake.
The following command was used for the conversion:
openssl pkcs8 -topk8 -nocrypt -in capital-qa.ad005.onehc.net.key -out capital-qa.ad005.onehc.net_new.key
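The header difference described above can be checked before a key is placed under CHS_HOME/config/tlscerts. The script below is an added example, not part of the original article or of the product; the function names are hypothetical, and it assumes that only an unencrypted PKCS8 key (the output of the command above) counts as ready.

```shell
# Added example: classify a PEM private key by its armor line.
# Function names are hypothetical and not part of any product.

# Print the key format of PEM file $1: pkcs1, pkcs1-encrypted, pkcs8,
# pkcs8-encrypted, sec1-ec, or unknown (no private key block found).
pem_key_format() {
    # Take the first private-key BEGIN line; a bundle may put certificates
    # first, and files edited on Windows may carry CR line endings.
    header=$(sed -n '/^-----BEGIN .*PRIVATE KEY-----/{p;q;}' "$1" 2>/dev/null | tr -d '\r')
    case "$header" in
        '-----BEGIN RSA PRIVATE KEY-----')
            # The traditional format marks passphrase protection with a Proc-Type header.
            if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
                echo pkcs1-encrypted
            else
                echo pkcs1
            fi ;;
        '-----BEGIN PRIVATE KEY-----')           echo pkcs8 ;;
        '-----BEGIN ENCRYPTED PRIVATE KEY-----') echo pkcs8-encrypted ;;
        '-----BEGIN EC PRIVATE KEY-----')        echo sec1-ec ;;
        *)                                       echo unknown ;;
    esac
}

# Exit 0 only for unencrypted PKCS8 (assumption: that is the form the
# gRPC layer accepts, since it is what "-topk8 -nocrypt" produces).
is_grpc_ready_key() {
    [ "$(pem_key_format "$1")" = pkcs8 ]
}

# Constructed sample files: armor lines only, no real key material.
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'AAAA' '-----END RSA PRIVATE KEY-----' > "$demo_dir/old.pem"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'AAAA' '-----END PRIVATE KEY-----' > "$demo_dir/new.pem"
for f in "$demo_dir/old.pem" "$demo_dir/new.pem"; do
    if is_grpc_ready_key "$f"; then
        echo "$f: $(pem_key_format "$f") (ready)"
    else
        echo "$f: $(pem_key_format "$f") (convert with openssl pkcs8 -topk8)"
    fi
done
rm -rf "$demo_dir"
```

Because -nocrypt writes the converted key without passphrase protection, the resulting file should be readable only by the account that runs the server.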