BenFB
Commander

Deploying UAG 3.x using PowerShell with a PKCS#12 certificate fails

I was delighted to see that UAG 3.0 now has support for certificates in PKCS#12 format. Unfortunately, trying to deploy a UAG with my PFX file fails with "Error: The specified PFX certificate file is invalid". I can convert the PFX to PEM and successfully deploy the UAG. If I then try to replace the cert using the Swagger UI, it fails with "Alias provided does not exist in the keystore. Provide one from the list".

The PFX contains the private key and the device, intermediate and root certificates. I'm specifying an alias, which is the friendly name of the device certificate.

13 Replies
BenFB
Commander

This appears to be an issue with how Microsoft formats a PKCS#12 certificate. I used openssl to convert the PFX to PEM and back to PFX, and it's now working.

markbenson
VMware Employee

BenFB - This is interesting. If you still have the original PFX, does it also fail with this error if you don't specify the alias?

BenFB
Commander

markbenson

I just tested again to verify. Trying to deploy with PowerShell fails with the same error. Trying to replace the cert in the admin UI fails with the error "More than one certificate found. Specify an alias from list". I've verified the PFX only contains the device, intermediate and root certs.

VentziP
Enthusiast

BenFB

I had the same issue and I was able to fix it by entering everything (the whole string under the error message) that is listed there. I did that on the Admin page, not using PowerShell.

Apparently that is the alias (that needed to be entered) for referencing all certificates.

I hope that helps.

markbenson
VMware Employee

VentziP - thanks for posting.

Yes, you can specify the alias (friendly name) with PowerShell or the Admin GUI.

BenFB
Commander

VentziP

markbenson

The problem is I have no idea what alias the UAG Admin UI/PowerShell script is expecting. It's in a long format that doesn't match the alias that is seen using openssl. Replacing the cert in the Admin UI shows the following error.

More than one certificate found. Specify an alias from list

le-XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX

Specifying that alias does work, but I have no idea how to determine what that alias is ahead of time.

markbenson
VMware Employee

Is it only the .pfx file that fails? PowerShell and the UAG admin GUI also support .PEM format, so it would be worth trying .PEM. To convert .pfx to the two PEM files, run the openssl commands shown here - https://communities.vmware.com/docs/DOC-30835#jive_content_id_Managing_SSL_Server_Certificate_Files

BenFB
Commander

markbenson

If I convert the PFX to PEM it works. However, we would prefer not to use PEM since the private key will be stored without any password protection.

I can get the PFX to work if I first convert it to PEM and then back to PFX using openssl.

markbenson
VMware Employee

We are aware of an issue with PFX file handling introduced in UAG version 3.0.

There are 3 possible workarounds for this:

1. Use PEM format files for the certs and private key.

2. Specify the long alias name shown in the UAG Admin UI error message by copying and pasting that value into the alias field. (This doesn't always resolve it).

3. Reconstruct the .pfx file (as you noted) with the following openssl commands:

openssl pkcs12 -in original.pfx -out original.pem

openssl pkcs12 -in original.pem -export -out fixed.pfx

This applies to PowerShell deployments and updates via the UAG admin UI.
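
As an added example (not from the thread, and not VMware or Microsoft tooling), the script below does workaround 3 above in scriptable form and also answers the earlier question of how to know the alias ahead of time: it re-exports the PFX with an explicit -name, so the friendly name is chosen rather than discovered, and it prints the friendlyName a PFX carries. The thread gives two views of what UAG wants here (the alias is the friendly name per markbenson; the value UAG shows does not match what openssl displays per BenFB), and setting the name explicitly on re-export sidesteps both. The intermediate PEM keeps the private key encrypted under the same password (-passout), so no plaintext key is written, which addresses the concern about unprotected PEM keys raised above. The hostname uag.example.test, the alias uag, the password and all file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): round-trip a PKCS#12 file through PEM
# and back, setting an explicit friendly name (alias) on the way, and list the
# alias a PFX carries so it can be supplied to UAG ahead of time.
set -eu

# Print the friendlyName attribute(s) on the certificate(s) that have a
# matching private key in the PFX (-clcerts). Empty output means none is set.
pfx_aliases() {
    pfx=$1
    pass=$2
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nokeys -clcerts \
        | sed -n 's/^[[:space:]]*friendlyName: //p'
}

# Unpack a PFX to PEM (the key stays encrypted under $pass, so no plaintext
# key touches disk) and re-export it with a chosen alias. Any additional CA
# certificates in the PFX are carried along into the new file.
fix_pfx() {
    in_pfx=$1
    out_pfx=$2
    alias=$3
    pass=$4
    work=$(mktemp -d)
    openssl pkcs12 -in "$in_pfx" -passin "pass:$pass" \
        -passout "pass:$pass" -out "$work/bundle.pem"
    openssl pkcs12 -export -in "$work/bundle.pem" -passin "pass:$pass" \
        -name "$alias" -passout "pass:$pass" -out "$out_pfx"
    rm -rf "$work"
}

# Self-contained demonstration with constructed data: build a throwaway PFX
# whose friendly name is the kind of free-text label a Windows export carries,
# rebuild it with a short alias, and print the alias the new file advertises.
demo() {
    d=$(mktemp -d)
    pass='constructed-test-password'
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=uag.example.test' \
        -keyout "$d/key.pem" -out "$d/cert.pem" 2>/dev/null
    openssl pkcs12 -export -inkey "$d/key.pem" -in "$d/cert.pem" \
        -name 'Device Certificate (exported from Windows)' \
        -passout "pass:$pass" -out "$d/original.pfx"
    fix_pfx "$d/original.pfx" "$d/fixed.pfx" uag "$pass"
    pfx_aliases "$d/fixed.pfx" "$pass"
    rm -rf "$d"
}

demo
```

On an OpenSSL 3 host, a PFX exported by Windows may use RC2 for the certificate bags, which the default provider does not load; if the first openssl pkcs12 command reports an unsupported algorithm, add -legacy to it. The same flag on the -export step produces the older 3DES/RC2 encryption if the consuming side cannot read OpenSSL 3's default PBES2 output; that choice is an assumption about the target, not something the thread establishes.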

BenFB
Commander

Thank you for the update, markbenson. I'm marking this as resolved for now since it sounds like a future update will fix this.

markbenson
VMware Employee

BenFB - Thanks for the information on this. Your detailed contribution here helped us to be able to reproduce the issue. If .pfx/.p12 upload fails in this way, one of the workarounds will be needed until the next UAG version. PEM files, supported in all versions, remain a fully supported and working option.

BenFB
Commander

markbenson, I just wanted to let you know that we have just tested with UAG 3.2.1. It correctly accepts and uses the PFX certificate for both the SSL cert and the admin SSL cert during the PowerShell deployment. Thank you for fixing this!

We were previously on 3.0 and had to wait for 3.2.1 to fix the RADIUS bug. I did find a new bug, though; what's the correct way to report that?

BenFB
Commander

I'm again seeing issues with the UAG on 3.3.1 failing to deploy a PKCS#12 certificate generated from a Microsoft server. Using openssl, I have to convert the PKCS#12 certificate to PEM and then directly back to PKCS#12, and then the UAG will deploy with it.

markbenson