- To resolve this issue, verify that you have an encrypted private key by looking at the contents. The private key should start with a header that indicates it is encrypted. For example, the following is commonly seen on encrypted private keys:
-----BEGIN ENCRYPTED PRIVATE KEY-----
- If the private key is not encrypted, use the following command to encrypt it with a known password:
openssl pkcs8 -topk8 -in user.http.unencrypted.key -out user.http.encrypted.key
- If the private key is indeed encrypted, verify that you have the correct password by attempting to decrypt the private key. The following command will decrypt the private key if the correct password is provided:
openssl rsa -in encrypted_private.key -out decrypted_private.key
- If the private key is encrypted and you know you have the correct password, it's possible the private key format is wrong. To correct the format, simply combine the two commands details above -- you'll need to decrypt the key, then re-format and re-encrypt the key with following command sequence:
openssl rsa -in encrypted_private.key -out decrypted_private.key
openssl pkcs8 -topk8 -in user.http.unencrypted.key -out user.http.encrypted.key
- Once you've validated that the key is encrypted with a known password and has the correct format, simply input the private key password as the "Initial Root Password" during cell deployment. The "Initial Root Password" is a required OVF property, cannot be null, and it MUST match the private key password -- therefore the private key must be encrypted.
- For further details regarding the "Initial Root Password", see the screenshot below:
Workaround:
At this time, the workaround is to verify that the private key files are encrypted with a known password, and the "Initial Root Password" matches this known password during deployment