'Missing private key data' error while uploading a .pfx certificate to Avi load balancer



Article ID: 433964


Updated On:

Products

VMware Avi Load Balancer

Issue/Introduction

When attempting to upload a .pfx certificate file to the Avi Load Balancer Controller (version 31.1.1 and above), the upload may fail with the error 'Missing private key data'.

This error occurs even if the private key is present in the .pfx file.

The exact same .pfx file uploads without any issues on older versions of the Avi Controller, such as version 22.1.7.

Example screenshot of the error:


Environment

Avi version 31.1.x

Avi version 31.2.x

Cause

  • This issue is the result of a security enhancement. Starting with version 31.1.1, the OpenSSL library underlying the Avi Controller was upgraded to 3.0.x.
  • OpenSSL 3.0 moves legacy algorithms such as RC2, RC4 and DES into a separate "legacy" provider that is not loaded by default, so data encrypted with them cannot be decrypted unless that provider is explicitly enabled.
  • If your .pfx file was packaged with one of these outdated ciphers, such as RC2-40-CBC (the certificate-bag cipher that OpenSSL 1.x used by default when exporting a .pfx), the Avi Controller cannot decrypt that wrapper and rejects the upload, reporting the private key as missing even though it is present in the file.
  • Older controller versions (like 22.1.7) relied on an older OpenSSL version that still permitted these outdated ciphers.
  • To confirm whether your .pfx uses a legacy cipher, run the following OpenSSL command against it on an OpenSSL 3.x host, for example the Avi Controller bash shell. The command prompts for the .pfx import password. Note that on an OpenSSL 1.x host the same command succeeds and does not reproduce the problem:
    • openssl pkcs12 -info -in your_certificate.pfx -noout
  • Example output line from the above command indicating a legacy cipher error:
    • routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()

Resolution

To resolve this issue, unwrap the outdated encryption manually: extract the certificate contents with OpenSSL on a local machine, then import the plain-text components directly through the Avi UI.

Step 1: Extract and Decrypt the Certificate

Using a local machine with OpenSSL installed (or the Avi Controller Linux bash shell), extract the contents of the .pfx file into a plain-text .pem file. On OpenSSL 3.x you must include the -legacy flag so that OpenSSL loads the legacy provider and can read the RC2 cipher; the flag requires the legacy provider to be installed, which it is in standard OpenSSL 3.x builds. The flag does not exist on OpenSSL 1.x, where it is also not needed because RC2 is still available by default, so omit it there. The command prompts for the .pfx import password.

openssl pkcs12 -in your_certificate.pfx -legacy -nodes -out temp_cert.pem

Because -nodes writes the private key unencrypted, keep temp_cert.pem readable only by your user and delete it (and any copies) as soon as the certificate has been imported.

Step 2: Isolate the Certificate Components

Open the newly generated temp_cert.pem file in a standard text editor. Inside, you will see multiple cryptographic blocks, each preceded by a few "Bag Attributes" lines (localKeyID, subject, issuer) that OpenSSL prints for information only and that are not part of the block. Typically, the file contains:

  • One Private Key block (-----BEGIN PRIVATE KEY----- through -----END PRIVATE KEY-----)

  • Two or more Certificate blocks (-----BEGIN CERTIFICATE----- through -----END CERTIFICATE-----), representing your Server Certificate and the Intermediate CA(s). The Server Certificate is the block whose Bag Attributes show your server's subject name; you can confirm a block by saving it to a file and running openssl x509 -noout -subject -in that_file.

Step 3: Import the Certificate via the Avi UI

Log back into the Avi Controller UI and create the certificate manually using the extracted components:

  1. Paste the entire -----BEGIN PRIVATE KEY----- block (including the BEGIN and END lines, without the Bag Attributes lines) into the Key field.

  2. Paste the -----BEGIN CERTIFICATE----- block that represents your Server Certificate (usually the first certificate block in the file) into the Certificate field.

  3. Save the configuration.

Future Recommendation: For future certificate renewals, we highly recommend ensuring that your CA or certificate tool generates .pfx files using modern encryption algorithms, such as AES-256-CBC for the key and certificate bags with a SHA-256 MAC, which is what openssl pkcs12 -export produces by default on OpenSSL 3.x. Modernizing your certificate encryption will allow you to upload .pfx files directly via the Avi UI on 31.1.1 and later without needing this manual OpenSSL workaround.
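The following script is an added example covering Steps 1 to 3 and the re-export recommendation above; it is not part of the original article and is not Avi or VMware code. It probes a .pfx to tell a legacy-cipher failure apart from a wrong password, retries the extraction with -legacy only when OpenSSL reports an unsupported algorithm, splits the result into key, server certificate and CA chain with the Bag Attributes lines removed (ready to paste into the Avi UI), checks that the key really belongs to the server certificate, and re-exports an AES-256/SHA-256 .pfx that uploads without the workaround. Everything it assumes is its own: the function names, the output file names key.pem, server.pem and chain.pem, and the import password passed through the PFX_PASS environment variable.

```shell
#!/bin/sh
# Added example (not the KB's or Avi's code): unwrap a .pfx that OpenSSL 3.x
# refuses with its default providers (e.g. RC2-40-CBC cert bags), split it into
# key / server cert / CA chain, verify the key matches the server cert, and
# re-export a modern .pfx. Assumptions: OpenSSL 3.x with the legacy provider
# installed for the -legacy retry; the import password is in $PFX_PASS and is
# read with "env:" so it never appears on the command line or in ps output.

set -u
umask 077   # -nodes writes the private key unencrypted: keep all outputs private

# pfx_probe PFX -> 0: readable with default providers; 1: needs -legacy;
# 2: anything else (wrong password, corrupt file).
pfx_probe() {
  _err=$(openssl pkcs12 -info -in "$1" -noout -passin env:PFX_PASS 2>&1) && return 0
  case $_err in
    *unsupported*) return 1 ;;   # e.g. "...unsupported... Algorithm (RC2-40-CBC : 0)"
    *) return 2 ;;
  esac
}

# pfx_extract PFX OUTDIR -> writes key.pem, server.pem, chain.pem containing only
# the PEM blocks (Bag Attributes stripped), i.e. exactly what the Avi UI wants.
pfx_extract() {
  _pfx=$1; _out=$2; _rc=0; _legacy=""
  pfx_probe "$_pfx" || _rc=$?
  case $_rc in
    0) ;;
    1) _legacy="-legacy" ;;   # load the legacy provider for RC2/RC4/DES wrappers
    *) echo "cannot read $_pfx (wrong password or corrupt file)" >&2; return 1 ;;
  esac
  mkdir -p "$_out" || return 1
  # -clcerts selects the cert bag that carries a localKeyID (the one paired with
  # the key); -cacerts selects the remaining certificates. A bundle without
  # localKeyID attributes leaves server.pem empty, which the match check below
  # then reports instead of silently pasting the wrong certificate.
  openssl pkcs12 -in "$_pfx" $_legacy -nocerts -nodes -passin env:PFX_PASS -out "$_out/key.pem"    || return 1
  openssl pkcs12 -in "$_pfx" $_legacy -clcerts -nokeys -passin env:PFX_PASS -out "$_out/server.pem" || return 1
  openssl pkcs12 -in "$_pfx" $_legacy -cacerts -nokeys -passin env:PFX_PASS -out "$_out/chain.pem"  || return 1
  for _f in key server chain; do
    sed -n '/^-----BEGIN /,/^-----END /p' "$_out/$_f.pem" > "$_out/$_f.tmp" || return 1
    mv "$_out/$_f.tmp" "$_out/$_f.pem" || return 1
  done
}

# pfx_key_matches_cert KEY CERT -> 0 when both carry the same SubjectPublicKeyInfo.
# Both commands print the public key as PEM, so the text can be compared directly.
pfx_key_matches_cert() {
  _k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  _c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
  [ -n "$_k" ] && [ "$_k" = "$_c" ] && return 0
  return 1
}

# pfx_reexport OUTDIR NEWPFX -> repackage with AES-256-CBC bags and a SHA-256 MAC,
# set explicitly so the result is the same whether OpenSSL 1.1 or 3.x runs it.
pfx_reexport() {
  _out=$1; _new=$2; _chain=""
  [ -s "$_out/chain.pem" ] && _chain="-certfile $_out/chain.pem"
  openssl pkcs12 -export -inkey "$_out/key.pem" -in "$_out/server.pem" $_chain \
    -keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha256 \
    -passout env:PFX_PASS -out "$_new"
}

# Usage: PFX_PASS='import password' sh unwrap_pfx.sh your_certificate.pfx outdir modern.pfx
if [ $# -eq 3 ]; then
  pfx_extract "$1" "$2" \
    && pfx_key_matches_cert "$2/key.pem" "$2/server.pem" \
    && pfx_reexport "$2" "$3" \
    && echo "key.pem, server.pem and chain.pem written to $2; modern bundle written to $3"
fi
```

On an OpenSSL 1.x host the probe always succeeds for an RC2 bundle, so the script never passes -legacy there, which is exactly the version-dependent behaviour the article describes. Delete the output directory once the key has been pasted into the Avi UI or the modern .pfx has been uploaded.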