Replacing VMware vSphere Replication's / VMware Live Site Recovery appliance's custom certificate with PKCS#12 fails
search cancel

Replacing VMware vSphere Replication's / VMware Live Site Recovery appliance's custom certificate with PKCS#12 fails

book

Article ID: 367808

calendar_today

Updated On:

Products

VMware Site Recovery Manager 8.x VMware Live Recovery

Issue/Introduction

Symptoms:

  • When attempting to replace VMware Live Site Recovery appliance's certificate with a custom PKCS#12 file, the following error is seen:

    "The certificate is not in the correct format or has a different password"

Environment

  • VMware Site Recovery Manager 8.x

  • VMware Live Site Recovery 9.x

  • VMware vSphere Replication 8.x

  • VMware vSphere Replication 9.x

Cause

  • From the /var/log/vmware/srm/vmware-dr.log (for VLSR) or /opt/vmware/support/logs/dr/drconfig.log (for VR), it can be seen that the processing of the PKCS#12 certificate fails due to the algorithm, RC2-40-CBC, which was used is unsupported by vSphere Replication appliance:
    YYYY-MM-DDTHH:MM:SS.SSSZ error drconfig[01090] [SRM@6876 sub=DrConfigSslCertificateManager opID=########-####-####-####-############-installCertificate] Error while processing pkcs string 'N2Dr6Crypto20Pkcs12ParseExceptionE Crypto Exception: Cannot parse PKCS12
    --> Reasons:
    --> 400614AF717F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:373:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()

  • The p12 file is created with legacy(unsupported) algorithm RC2-40-CBC.

  • If the above error snippet is not visible in the logs, then either the password used for the p12 file is invalid or the openssl tool used to generate the p12 file is of an older version.

Resolution

To resolve this issue the below can be performed:
  1. Generate the p12 file for the custom PKCS#12 certificate by adding the following options to the openssl command ensure a supported algorithm is used: -keypbe aes-256-cbc -certpbe aes-256-cbc

    Example: openssl pkcs12 -export -in <protected-vr.cer> -inkey <protected-vr.key> -name "<vrprotected>" -passout pass:<password> -out <protected-vr.p12> -keypbe aes-256-cbc -certpbe aes-256-cbc

    Where (replace the below placeholders with the actual files/password/name):
    <protected-vr.cer>  ---> The Signed certificate file
    <protected-vr.key>  ---> The file with the private key
    <vrprotected>            ---> The friendly name for the certificate and private key
    <password>                  ---> The password to import the certificate with.
    <protected-vr.p12>  ---> The output file which will contain the certificate and private key.

  2. Post this attempt to change the VLSR/VR appliance's certificate using the new PKCS#12 certificate.

 

Note: If an older version of openssl is being used, it may give an error stating that the above algorithms are not available. In that case, either download the latest version of openssl or use the openssl tool available on the VLSR / VR appliance.

Additional Information

Powered by Wolken Software