Importing an NSX certificate into the SDDC Manager fails with "Certificate does not have a supported algorithm or key-size"

Article ID: 376531

Products

VMware NSX

Issue/Introduction

  • The certificate can be imported into NSX directly via the NSX Manager user interface.
  • The certificate shows as valid in the NSX Manager UI.
  • Attempting to apply the certificate fails with the following error:

curl -k -u 'admin:[PASSWORD]' -X POST 'https://[NSX MANAGER]/api/v1/trust-management/certificates/[CERT UUID]?action=apply_certificate&service_type=API&node_id=[NODE_UUID]'
{
  "httpStatus" : "BAD_REQUEST",
  "error_code" : 2078,
  "module_name" : "internal-framework",
  "error_message" : "Some error has occurred."
}

  • The NSX Manager logs show the following error:

/var/log/syslog
[TIMESTAMP] [NSX MANAGER] NSX SYSTEM [nsx@6876 comp="nsx-manager" errorCode="MP2078" level="ERROR" reqId="[REQ UUID]" subcomp="manager" username="admin"] Invalid Certificate - ERROR: Certificate CN=[CN],OU=[OU],O=[O],C=[C] does not have a supported algorithm or key-size

  • The problematic certificate has a key length of 4095 bits:

openssl x509 -in cert.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            [SERIAL NO.]
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = [C], O = [O], OU = [OU], organizationIdentifier = [OI], CN = [CN]
        Validity
            Not Before: [TIMESTAMP]
            Not After : [TIMESTAMP]
        Subject: C = [C], O = [O], OU = [OU], organizationIdentifier = [OI], CN = [CN]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4095 bit) <<<<<<<


Environment

VMware NSX-T Data Center 3.2.x
VMware NSX 4.x

Resolution

A key length of 4095 bits is supported starting with VMware NSX 4.1.2.4.

Workaround:
Use a supported key length. The following API call returns the supported key lengths.

curl -k -u admin "https://[NSX MANAGER]/api/v1/trust-management"
{
  "supported_algorithms" : [ {
    "name" : "RSA",
    "key_size" : [ 2048, 3072, 4096 ]
  }, {
    "name" : "EC",
    "key_size" : [ 256, 384, 521 ]
  } ]
}
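
A pre-flight check that compares the key size printed by `openssl x509 -text -noout` with the `supported_algorithms` list returned by the API call above, before the certificate is applied. This is an added example, not VMware code; the function names and the sample inputs (constructed from the outputs shown in this article) are assumptions.

```python
import json
import re
import sys

# OpenSSL "Public Key Algorithm" names mapped to the names NSX reports.
ALG_NAMES = {"rsaEncryption": "RSA", "id-ecPublicKey": "EC"}

# Constructed sample inputs, copied from the outputs shown in this article.
SAMPLE_CERT_TEXT = """\
        Signature Algorithm: sha256WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4095 bit)
"""
SAMPLE_API_JSON = """\
{"supported_algorithms": [
  {"name": "RSA", "key_size": [2048, 3072, 4096]},
  {"name": "EC", "key_size": [256, 384, 521]}
]}
"""


def parse_public_key(openssl_text):
    """Return (algorithm, bits) from `openssl x509 -text -noout` output."""
    alg = re.search(r"Public Key Algorithm:\s*(\S+)", openssl_text)
    # OpenSSL 1.1.x prints "RSA Public-Key: (N bit)"; 3.x prints "Public-Key: (N bit)".
    bits = re.search(r"Public-Key:\s*\((\d+) bit\)", openssl_text)
    if not alg or not bits:
        raise ValueError("no Subject Public Key Info found in input")
    name = alg.group(1)
    return ALG_NAMES.get(name, name), int(bits.group(1))


def check_key(openssl_text, trust_management_json):
    """Compare the certificate key with the supported_algorithms list."""
    alg, bits = parse_public_key(openssl_text)
    doc = json.loads(trust_management_json)
    allowed = {e["name"]: e["key_size"] for e in doc["supported_algorithms"]}
    sizes = allowed.get(alg, [])
    return {"algorithm": alg, "bits": bits, "allowed": sizes,
            "supported": bits in sizes}


if __name__ == "__main__":
    # Usage: script.py cert.txt trust.json (falls back to the samples above).
    if len(sys.argv) == 3:
        cert, api = (open(p).read() for p in sys.argv[1:3])
    else:
        cert, api = SAMPLE_CERT_TEXT, SAMPLE_API_JSON
    print(check_key(cert, api))
```

Save the two command outputs to files and pass them as arguments; a result with `"supported": False` corresponds to the MP2078 error shown in the syslog entry.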