Unable to Deploy a Standby Cell into VCD Management Cluster
search cancel

Unable to Deploy a Standby Cell into VCD Management Cluster


Article ID: 342528


Updated On:


VMware Cloud Director


  • The purpose of this documentation is to enable deployment of a new standby cell to an existing VCD management cluster

  • Unable to deploy standby cell into VCD management cluster
  • The /opt/vmware/var/log/vcd/configure-vcd.log shows an error similar to the following: "Private key could not be read with the provided password"


VMware Cloud Director for Service Provider 10.x
VMware Cloud Director 10.x


  • This error can arise for a few different reasons
  • This can occur if you have an incompatible private key format (p7b, pkcs7, pfx, and pkcs12 key formats are not supported)
  • This can also happen if the existing private key files for http and consoleproxy are NOT encrypted
  • Lastly, this can occur if the "Initial Root Password" value does not match the password that was used to encrypt the private key files


  • To resolve this issue, verify that you have an encrypted private key by looking at the contents. The private key should start with a header that indicates it is encrypted. For example, the following is commonly seen on encrypted private keys:                 
  • If the private key is not encrypted, use the following command to encrypt it with a known password:
openssl pkcs8 -topk8 -in user.http.unencrypted.key -out user.http.encrypted.key
  • If the private key is indeed encrypted, verify that you have the correct password by attempting to decrypt the private key. The following command will decrypt the private key if the correct password is provided:
openssl rsa -in encrypted_private.key -out decrypted_private.key
  • If the private key is encrypted and you know you have the correct password, it's possible the private key format is wrong. To correct the format, simply combine the two commands details above -- you'll need to decrypt the key, then re-format and re-encrypt the key with following command sequence:
openssl rsa -in encrypted_private.key -out decrypted_private.key
openssl pkcs8 -topk8 -in user.http.unencrypted.key -out user.http.encrypted.key
  • Once you've validated that the key is encrypted with a known password and has the correct format, simply input the private key password as the "Initial Root Password" during cell deployment. The "Initial Root Password" is a required OVF property, cannot be null, and it MUST match the private key password -- therefore the private key must be encrypted.
  • For further details regarding the "Initial Root Password", see the screenshot below:

At this time, the workaround is to verify that the private key files are encrypted with a known password, and the "Initial Root Password" matches this known password during deployment

Additional Information


  • This failure can prevent deployment of standby and application cells into an existing VCD environment