Importing Server Certificate without knowing the passphrase in NSX

Article ID: 309098

Products

VMware NSX

Issue/Introduction

This article provides mitigation options for scenarios where the Server Certificate passphrase is lost or forgotten.

After upgrading to NSX for vSphere 6.2.9, 6.3.x or 6.4.x, these symptoms can be observed:

  • Importing an existing server certificate fails.
  • The error shown during the import of the server certificate is similar to:

    Invalid PEM data received for private key.



Environment

VMware NSX for vSphere 6.2.x
VMware NSX for vSphere 6.4.x
VMware NSX for vSphere 6.3.x

Resolution

This is a known issue affecting VMware NSX for vSphere 6.2.x, 6.3.x and 6.4.x.

Currently, there is no resolution.

Workaround:
To work around this issue, consider the following cases:

Case 1: Server Certificate is available, but the passphrase is either lost or forgotten.
  1. Remove the passphrase.

    Note: Always create a backup of the original key first by running this command:

    cp Server_Cert_private.key Server_Cert_private.key.orig
     
  2. Decrypt the key with openssl using this command:

    openssl rsa -in Server_Cert_private.key -out Server_Cert_private_new.key

    Note: The passphrase is needed for the decryption process; openssl prompts for it. The output file Server_Cert_private_new.key is written without a passphrase.
     
  3. Copy Server_Cert_private_new.key to the NSX Edge > Certificates.
  4. Create the server certificate with the pem_encoding and Server_Cert_private_new.key from the User Interface (UI) on the new NSX Edge by entering these values:

    Input pem_encoding (the original may be a chain certificate) as certificate content

    Input the contents of Server_Cert_private_new.key as certificate private key

Case 2: Server Certificate is lost but is used in NSX Edges.

If the Server Certificate is lost but is still in use on one of the NSX Edges, on the same NSX Manager or on any other NSX Manager, the certificate and its private key can be recovered from the NSX Manager database:
  1. Log in to the NSX Manager as root.
  2. Connect to the database with this command:

    psql -U secureall
     
  3. Find the primary id of the edge (edge-2 in this example):

    secureall=# select id, edge_id_fk from edge_service_config where feature_name='loadBalancer' and edge_id_fk='edge-2';
    id | edge_id_fk
    -----+------------
    432 | edge-2

     
  4. Find the client_ssl and server_ssl from the existing application profile by edge primary id (432):

    secureall=# select * from edge_load_balancer_application_profile where load_balancer_config_id_fk=432;
      id | application_profile_id | http_redirect_to | insertxforwarded_for | name | cookie_mode | cookie_name | method | expire | ssl_passthrough | template | client_ssl | server_ssl | load_balancer_config_id_fk | server_ssl_enabled
    ------+------------------------+------------------+----------------------+-----------+-------------+-----------------+--------+--------+-----------------+----------+------------+------------+----------------------------+--------------------
    2106 | applicationProfile-1 | | t | test_univ | insert | CasperDP_Cookie | cookie | | f | HTTPS | 2135 | | 432 | f
    (1 row)

     
  5. Find the certificate id used by the application profile via client_ssl or server_ssl. If the certificate is for server_ssl, run the same lookup (steps 3 to 4) against the table edge_load_balancer_server_ssl_client_certificate, filtering by load_balancer_server_ssl with the server_ssl value:

    secureall=# select * from edge_load_balancer_client_ssl_server_certificate where load_balancer_client_ssl=2135;
    load_balancer_client_ssl | server_certificate
    --------------------------+--------------------
                         2135 | certificate-24

                       
  6. Find the certificate content by server_certificate:

    secureall=# select pem_encoding from domain_object where objectid='certificate-24';

    Note: psql prints the multi-line PEM value with a leading space on every line and a trailing + continuation marker. Copy the output to Notepad++ and use column selection (Alt+Shift) to remove column 0 (the white space) and the last column (the + characters).
     
  7. Find the private key by server_certificate:

    secureall=# select private_key from domain_object where objectid='certificate-24';
     
  8. Create the server certificate with the pem_encoding (step 6) and private_key (step 7) from the User Interface (UI) on the new NSX Edge:
     
    Input pem_encoding as certificate content

    Input private_key as certificate private key
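Both workarounds end with pasting PEM text into the Edge UI. The following added example (not VMware's code) cleans a value copied from the psql output of step 6 or 7 by stripping the leading space column and the trailing + markers described in the note of step 6, and reports whether a recovered private key is still passphrase-protected, which is the condition Case 1 removes. The sample dump is constructed for the example; the query and column names are those used on this page.

```python
import base64
import re

# Added example, not VMware's code: tidy a PEM value pasted from psql output
# and check whether the recovered key is still passphrase-protected.
BEGIN_RE = re.compile(r"^-----BEGIN ([A-Z ]+)-----$")
END_RE = re.compile(r"^-----END ([A-Z ]+)-----$")

def clean_psql_pem(raw: str) -> str:
    """Strip psql aligned-output decoration: the leading column space, the
    padding, the '+' newline marker, and the header/rule/'(1 row)' lines."""
    lines = []
    for line in raw.splitlines():
        line = line.rstrip()
        if line.endswith("+"):  # psql's newline marker, not base64 content
            line = line[:-1]
        lines.append(line.strip())
    begins = [i for i, l in enumerate(lines) if BEGIN_RE.match(l)]
    ends = [i for i, l in enumerate(lines) if END_RE.match(l)]
    if not begins or not ends:
        raise ValueError("no PEM block found in psql output")
    return "\n".join(lines[begins[0]:ends[-1] + 1]) + "\n"

def inspect_pem(pem: str) -> dict:
    """Parse one PEM block: label, whether it is encrypted (legacy Proc-Type
    header or PKCS#8 'ENCRYPTED' label) and the decoded DER length."""
    lines = pem.strip().splitlines()
    b, e = BEGIN_RE.match(lines[0]), END_RE.match(lines[-1])
    if not (b and e) or b.group(1) != e.group(1):
        raise ValueError("malformed PEM: BEGIN/END mismatch")
    headers, body = {}, []
    for line in lines[1:-1]:
        if ":" in line and not body:  # legacy headers precede the base64
            key, val = line.split(":", 1)
            headers[key.strip()] = val.strip()
        elif line:
            body.append(line)
    der = base64.b64decode("".join(body), validate=True)  # raises on junk
    encrypted = ("ENCRYPTED" in b.group(1)
                 or headers.get("Proc-Type", "").endswith("ENCRYPTED"))
    return {"label": b.group(1), "encrypted": encrypted, "der_len": len(der)}

# Constructed sample, not a real certificate: fake DER wrapped the way psql
# prints 'select pem_encoding from domain_object where objectid=...'.
B64 = base64.b64encode(b"constructed sample bytes, not a real certificate").decode()
PSQL_DUMP = ("     pem_encoding     \n----------------------\n"
             " -----BEGIN CERTIFICATE-----     +\n"
             f" {B64[:32]}+\n {B64[32:]}+\n -----END CERTIFICATE-----\n(1 row)\n")
```

Run `inspect_pem(clean_psql_pem(PSQL_DUMP))` on the pasted output; an `encrypted` result of True on the private key means the passphrase still has to be removed as in Case 1 before the import will succeed.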