RANCID (v3) vs Fortigate – the patch!

I've been battling with RANCID sending emails every hour about updated keys.

Like this:

        set comments "This is the default CA certificate the SSL Inspection will use when generating new server certificates."
        set private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIAWonopcoOy8CAggA
MBQGCCqGSIb3DQMHBAg1fEbM20Ga/ASCBMgqWOvL0dpFbbhMclMtBWkZkMnxq9tD
vo9Rb1AKI2bR6GKrmn9/lQ6Svb1Sp84e6ZDbJKCzsVq0rrbz+cwvlzUjfbUPeF/P
...
BDaVJM+Jq/8P3Q+B/CAaHvl4+3VX9aAygrfZPgsb9RnBjvo1PdSowKwx7bNCTdFL
qGM=
-----END ENCRYPTED PRIVATE KEY-----"

So I have seen this in my lab (every hour...) and at the day job, so I finally decided to dig into it. It did help that I finally read the first line: BEGIN ENCRYPTED PRIVATE KEY is not the same as BEGIN RSA PRIVATE KEY. Once I read that, making a patch was quick and easy.

I also updated fnrancid to pick up the hardware of the unit being queried, in case the hardware changes out later in life. There is also a comment included in case you want revisions reported as the different engines update their databases. I have it turned off by default.

You can download the patch here.
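
The label mismatch described above, as an added example that is not the patch itself and not code from fnrancid: a line filter that keys on the `PRIVATE KEY-----` suffix rather than one specific PEM label, so an `ENCRYPTED`, `RSA`, `EC` or unlabelled key block collapses to the same placeholder and stops showing up as a change. The helper name `filter_private_keys`, the `<removed>` placeholder and the sample lines are assumptions made for this sketch.

```perl
#!/usr/bin/perl
# Added example, not the fnrancid source: collapse any PEM private-key value
# in FortiGate config text so the stored copy is stable between collections.
use strict;
use warnings;

# Hypothetical helper: takes config lines, returns the filtered lines.
sub filter_private_keys {
    my @out;
    my $in_key = 0;    # true while inside a multi-line "set private-key" value
    for my $line (@_) {
        if ($in_key) {
            # Drop the key body; the value ends on the END line.
            $in_key = 0 if $line =~ /-----END [A-Z ]*PRIVATE KEY-----/;
            next;
        }
        # Match the PEM suffix, not one label: covers RSA, EC, ENCRYPTED
        # and plain "PRIVATE KEY" headers alike.
        if ($line =~ /^(\s*set private-key) "?-----BEGIN [A-Z ]*PRIVATE KEY-----/) {
            push @out, "$1 <removed>\n";
            # Stay in skip mode unless the whole key sits on this one line.
            $in_key = 1 unless $line =~ /-----END [A-Z ]*PRIVATE KEY-----/;
            next;
        }
        push @out, $line;
    }
    return @out;
}

# Constructed sample input (the key body is placeholder text, not a real key).
my @sample = map { "$_\n" } (
    '        set comments "default CA certificate"',
    '        set private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----',
    'AAAAplaceholderAAAA',
    'BBBBplaceholderBBBB',
    '-----END ENCRYPTED PRIVATE KEY-----"',
    '        set certificate "-----BEGIN CERTIFICATE-----',
);

my @clean = filter_private_keys(@sample);
print @clean;
```

Certificate blocks pass through untouched, so a real certificate change is still reported while the key material itself never lands in the RANCID repository or the diff emails.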