I was delighted to see that UAG 3.0 now has support for certificates in PKCS#12 format. Unfortunately trying to deploy a UAG with my PFX file fails with "Error: The specified PFX certificate file is invalid". I can convert the PFX to PEM and successfully deploy the UAG. If I try to then replace the cert using the swagger UI it fails with "Alias provided does not exist in the keystore. Provide one from the list".
The PFX contains the private key, device, intermediate and root certificate. I'm specifying an alias which is the friendly name of the device certificate.
We are aware of an issue with PFX file handling introduced in UAG version 3.0.
There are 3 possible workarounds for this:
1. Use PEM format files for the certs and private key.
2. Specify the long alias name shown in the UAG Admin UI error message by copying and pasting that value into the alias field. (This doesn't always resolve it).
3. Reconstruct the .pfx file (as you noted) with the following openssl commands:
# Unpack the PFX into a single PEM file (prompts for the import password, then for a pass phrase to protect the key in the PEM file)
openssl pkcs12 -in original.pfx -out original.pem
# Repack that PEM file into a fresh PFX (prompts for the PEM pass phrase, then for the new export password)
openssl pkcs12 -in original.pem -export -out fixed.pfx
This applies to PowerShell deployments and updates via the UAG admin UI.
This appears to be an issue with how Microsoft formats a PKCS#12 certificate. I used openssl to convert the pfx to pem and back to pfx and it's now working.
BenFB - This is interesting. If you still have the original PFX, does it also fail with this error if you don't specify the alias?
markbenson
I just tested again to verify. Trying to deploy with PowerShell fails with the same error. Trying to replace the cert on the admin UI fails with error "More than one certificate found. Specify an alias from list". I've verified the pfx only contains the device, intermediate and root cert.
BenFB
I had the same issue and I was able to fix it by entering everything (the whole string under the error message) that is listed there. I did that in the Admin page not using Powershell.
Apparently that is the alias (that needed to be entered) for referencing all certificates.
I hope that helps.
VentziP - thanks for posting.
Yes, you can specify the alias (friendly name) with PowerShell or the Admin GUI.
VentziP
markbenson
The problem is I have no idea what the alias is that the UAG Admin UI/powershell script is expecting. It's in a long format that doesn't match the alias that is seen using openssl. Replacing the cert on the Admin UI shows the following error.
More than one certificate found. Specify an alias from list
le-XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
Specifying that alias does work but I have no idea how to determine what that alias is ahead of time.
Is it only the .pfx file that fails? PowerShell and the UAG admin GUI also support .PEM format, so it would be worth trying .PEM. To convert .pfx to the two PEM files, run the openssl commands shown here - https://communities.vmware.com/docs/DOC-30835#jive_content_id_Managing_SSL_Server_Certificate_Files
markbenson
If I convert the PFX to PEM it works. However, we would prefer not to use PEM since the private key will be stored without any password protection.
I can get the PFX to work if I first convert it to PEM and then back to PFX using openssl.
Thank you for the update markbenson. I'm marking this as resolved for now since it sounds like a future update will fix this.
BenFB - Thanks for the information on this. Your detailed contribution here helped us to be able to reproduce the issue. If .pfx/.p12 upload fails in this way, one of the workarounds will be needed until the next UAG version. PEM files, supported in all versions, remain a fully supported and working option.
markbenson I just wanted to let you know that we just tested with UAG 3.2.1. It correctly accepts and uses the pfx certificate for both the SSL cert and admin SSL cert during the PowerShell deployment. Thank you for fixing this!
We were previously on 3.0 and had to wait for 3.2.1 to fix the RADIUS bug. I did find a new bug though, what's the correct way to report that?
I'm again seeing issues with the UAG on 3.3.1 failing to deploy a PKCS#12 certificate generated from a Microsoft server. Using openssl I have to convert the PKCS#12 certificate to a PEM and then directly back to a PKCS#12 certificate, and then the UAG will deploy with it.
markbenson