VMware Networking Community
Hocshop
VMware Employee

How to import a certificate into NSX NLB?

Hi all,

I have set up 2 external PSCs in 6.5 for a NLB.

I have generated the certificate required (as per various blogs) by using the VMware CA and the NSX has been deployed.

Now we are trying to import the certificate into NSX NLB to be able to assign it to the NLB; however, we are seeing an error as described below:

"Invalid PEM data received for private key"

What we are doing is opening the lb-chain.crt file to copy the certificate contents to the import page.

Then we open the corresponding lb.key file to copy its contents to the import page but upon clicking Import, we see the above error.

I have been investigating on the internet to see if anyone else has seen this type of error and I found that maybe the key file should be in a different format?

Also I found that maybe we should generate the key using the "des3" parameter to generate a password.

Does anyone know what format the key file should be in?

All the KBs and blogs that I have followed don't mention anything other than the .key file.

Also, the official VMware KB says that you should add your password to the import page; however, I haven't seen any passwords created using the blogs found.

Anyone have any ideas?

Regards

Mark


Accepted Solutions
Hocshop
VMware Employee

Hi all,

I solved this issue.

The problem was that the NSX would not allow the key to be imported because it was in PKCS8 format (which you can validate because when you open the key you see "-----BEGIN PRIVATE KEY...").

The default format that all of the commands in all blogs and the VMware KB use is PKCS8.

The required format to be able to import it is the PKCS1 format. When you open a key that is in that format it looks like this: "-----BEGIN RSA PRIVATE KEY..."

After generating a new key file in the required format and copy/pasting the contents of that into the NSX import certificate wizard, the certificate imported without problems.

Another thing to note is that I got confused about the CA certificate and the NLB certificate. As per the blogs you actually concatenate both certificates together so, when you import the NLB certificate, both certificates automatically appear in the console.

Now, to change the format of the key file it is very easy.

Just navigate to the folder in an SSH session where the key file is (/ha or /certs or whatever) and run the following command:

openssl rsa -in original_key_name.key -out new_rsa_key_name.key

e.g.    openssl rsa -in lb.key -out rsalb.key

I hope that helps anyone else with this problem.

Regards

Mark
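
The header check and conversion described in the answer above, as an added example that is not part of the original post or any VMware tooling. The helper names `pem_key_format` and `ensure_pkcs1` are hypothetical; the script also covers a case the post does not: on OpenSSL 3.x, `openssl rsa` writes PKCS8 unless `-traditional` is passed.

```shell
#!/bin/sh
# Added example; pem_key_format and ensure_pkcs1 are hypothetical helper names.

# Print the container format of a PEM private key, judged by its BEGIN line.
pem_key_format() {
    # Strip CRs first: a key saved through a Windows editor has CRLF endings.
    hdr=$(tr -d '\r' < "$1" | grep -m1 '^-----BEGIN ') || { echo "not-pem"; return 1; }
    case "$hdr" in
        "-----BEGIN RSA PRIVATE KEY-----")
            # Passphrase-protected PKCS1 keys (e.g. made with -des3) carry this header.
            if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then echo "pkcs1-encrypted"
            else echo "pkcs1"; fi ;;
        "-----BEGIN PRIVATE KEY-----")           echo "pkcs8" ;;
        "-----BEGIN ENCRYPTED PRIVATE KEY-----") echo "pkcs8-encrypted" ;;
        *)                                       echo "other" ;;
    esac
}

# Write a PKCS1 copy of RSA key $1 to $2 (openssl prompts if $1 has a passphrase).
ensure_pkcs1() {
    fmt=$(pem_key_format "$1") || return 1
    # A certificate pasted in place of the key ends up here.
    [ "$fmt" = "other" ] && { echo "unsupported PEM type: $1" >&2; return 1; }
    (
        umask 077   # the output is an unencrypted private key: owner-only
        # OpenSSL 3.x writes PKCS8 from "openssl rsa" unless -traditional is given;
        # older releases have no such flag and already write PKCS1.
        if openssl rsa -help 2>&1 | grep -q -- '-traditional'; then
            openssl rsa -in "$1" -traditional -out "$2"
        else
            openssl rsa -in "$1" -out "$2"
        fi
    )
}
# Usage: ensure_pkcs1 lb.key rsalb.key && pem_key_format rsalb.key
```

The converted file is an unencrypted private key, so remove it from the working folder once it has been imported.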

Hocshop
VMware Employee

Something extra to add:

I also wonder if I am going about this the wrong way.

That is, maybe we should actually be importing the VMware CA root certificate instead of the specific PSC NLB certificate?

When I look in the source folder where you are supposed to copy the root.cer file from (on the PSC), you can also see a privatekey.PEM file.

So maybe we should import the root.cer file and the corresponding privatekey.PEM file.

Unfortunately I haven't found this part of the process in the blogs that explain how to configure PSC HA, so I don't know for sure.

However I will try what I just mentioned just in case.

If I have success I will update here.

Regards
