When adding certificate in PKCS12 format, first you have to extract a private key and certificate from PKCS12 file using OpenSSL. To do this, you have to:

1. Copy the PFX or P12 file to the same location as your OpenSSL program (or specify the location in the command line).
2. Type this command to extract pkcs file and save it as .pem: 
   openssl pkcs12 -in PKCS12file -out keys_out.pem
3. After entering the above command you will receive these prompts:

• Enter Import Password: (this is the password that was used when the PKCS12 file was created)
• MAC verified OK
• Enter PEM pass phrase: (this is the private key password)
• Verifying - Enter PEM pass phrase: (confirm the private key password)

4. The private key, certificate, and any chain files (roots) will be parsed and dumped into the "keys_out.pem" file.

When you insert certificate and private key to NSX edge, you get error: "Error - Invalid Passphrase", even though passphrase is correct.



In the NSX Manager vsm.log file, you see entries similar to:
2019-08-29 13:00:17.191 GMT  WARN http-nio-127.0.0.1-7441-exec-9 RemoteInvocationTraceInterceptor:87 - Processing of VsmHttpInvokerServiceExporter remote call resulted in fatal exception: com.vmware.vshield.vsm.truststore.facade.TrustStoreFacade.addCertificates com.vmware.vshield.vsm.truststore.exceptions.InvalidDataException: core-services:2017:Invalid passphrase

This issue is resolved in VMware NSX Data Center for vSphere 6.4.6.

Workaround:

1. Convert private key to RSA:

openssl rsa -in key.pem -out serv.key

2. Use private key from serv.key