Invalid Private Key Error and pass phrase - 11.1


Murilo Rocha

Hi,

Does anyone know why the heck I can never install a certificate with a pass phrase?

Every time I need to install a cert I have this problem. On the GUI it doesn't bring the option to add the password when I am installing and the only solution is to remove the pass from the key.

 

The cert and key hash matches. I tried to export to base64 x509 encoded as per https://discussions.citrix.com/topic/391372-invalid-private-key-or-pem-pass-phrase-required-for-this-private-key/

 

If I am not wrong I didn't have this problem with ADC version 10.5

 

Quite annoying. 

 

Thanks


Even though 11.1 is quite outdated (I would suggest moving to 12.1), there is no known issue with 11.1. Once upon a time I ran an 11.1, and did not see any issues. Did you try from the command line?

add ssl certKey <name of certificate in ADC> -cert <certfile.cer> -key <keyfile.key>

Always worked for me.

 

cheers

 

Johannes Norz

CTA, CCI and CCE-N from Austria


Yes, working on a project to upgrade to 13.0 but on hold due to corona virus.

In the past when I had similar issues it was usually due to the cert format but since 11.1 I have problems all the time.

 

Yes, tried via CLI and no luck, got the same message. Will do some more testing in the lab. Must be something simple I am missing.

 

Thanks


Made some progress. It has to do with the file formats.

Sometimes I get a key with name.key so what I found so far is:

1) If the key name is name.key I don't get a prompt for the password via GUI. It needs to be name-key.pem

2) Even renaming the key extension name to .pem I still don't get the prompt via IE. I get the prompt for the password if I use Firefox

3) I still get the "Invalid private key, or PEM pass phrase required for this private key" error either using Firefox or via CLI

 

> add ssl certKey certname -cert /nsconfig/ssl/certname.pem -key /nsconfig/ssl/keyname.pem -password xxxxx
ERROR: Invalid private key, or PEM pass phrase required for this private key

 

I've checked the password and also that key and cert hash match


Finally was able to get it going.

Only renaming the key file is not enough so I had to convert and after that it worked.

 

openssl rsa -in keyname2020.pem -check -out newkeyname.pem

 

The strange thing is that before I converted I opened up the key file in Notepad and it started with -----BEGIN RSA PRIVATE KEY----- so it must really be the fact that it was using the .key extension and for some reason only renaming is not enough.

 

 


Just wanted to say: It's not a matter of names, it has to be related to the key format you receive. Citrix ADC does not care about file extensions, it's not Windows!

 

The certificate has to look like that:

-----BEGIN CERTIFICATE-----
certificate data here ...
-----END CERTIFICATE-----

 

Every key has to look like that:

-----BEGIN ENCRYPTED PRIVATE KEY-----
key data here...
-----END ENCRYPTED PRIVATE KEY-----

 

Certificate and key may be stored in the same file. As far as I see, format of line breaks (CR/LF (Windows) or LF(UNIX)) is of no importance.


Thanks Johannes. I am obsessed with this so checked the "old files" I had with .key file and still doesn't work.

Cert and key files look as you say

 

Cert

-----BEGIN CERTIFICATE-----
MIIGLzCCBRegAwIBAgIQAnowdj9g6n35oCJo8vY7yzANBgkqhkiG9w0BAQsFADBg
-----END CERTIFICATE-----

 

Key

-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIbHsLBgMTg8kCAggA

-----END ENCRYPTED PRIVATE KEY-----

 

So I compared with the files that worked and it seems that if it's a key protected by a password it must be rsa

-----BEGIN RSA PRIVATE KEY-----

-----END RSA PRIVATE KEY-----

 

Thanks
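
Added example, not part of the original thread: a shell function that reports which PEM private-key container a file uses (the PKCS#8 "ENCRYPTED PRIVATE KEY" header versus the traditional "RSA PRIVATE KEY" header discussed above), so the format can be checked before running add ssl certKey. The function name pem_key_format and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report which PEM container a private
# key file uses, based on its armor header and, for PKCS#1, the Proc-Type line.

pem_key_format() {
    f=$1
    [ -r "$f" ] || { echo "unreadable"; return 2; }
    # Strip CR so Windows line endings do not break exact header matching.
    # A combined cert+key file works too: only the key header is examined.
    hdr=$(tr -d '\r' < "$f" |
          grep -E '^-----BEGIN ([A-Z]+ )*PRIVATE KEY-----$' | head -n 1)
    case "$hdr" in
        '-----BEGIN ENCRYPTED PRIVATE KEY-----')
            echo "pkcs8-encrypted" ;;
        '-----BEGIN PRIVATE KEY-----')
            echo "pkcs8-unencrypted" ;;
        '-----BEGIN RSA PRIVATE KEY-----')
            # Traditional (PKCS#1) keys mark encryption in a header line
            # inside the armor rather than in the BEGIN line.
            if tr -d '\r' < "$f" | grep -q '^Proc-Type: 4,ENCRYPTED$'; then
                echo "pkcs1-rsa-encrypted"
            else
                echo "pkcs1-rsa-unencrypted"
            fi ;;
        '')
            echo "no-private-key"; return 1 ;;
        *)
            echo "other-private-key" ;;
    esac
}

# Constructed sample files (placeholder bodies, not real key material).
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'AAAA' \
    '-----END ENCRYPTED PRIVATE KEY-----' > "$demo_dir/pkcs8.pem"
printf '%s\r\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: AES-256-CBC,00' '' 'AAAA' \
    '-----END RSA PRIVATE KEY-----' > "$demo_dir/pkcs1.pem"

for k in "$demo_dir"/*.pem; do
    printf '%s: %s\n' "${k##*/}" "$(pem_key_format "$k")"
done
rm -rf "$demo_dir"
```

Without a cipher option such as -aes256, openssl rsa writes its output key with no pass phrase, so a file produced by the conversion command shown in the thread is reported as unencrypted and should be protected accordingly.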
