
Unable to update or install certificates on ADC VPX cluster


Roy Smith


Hi

I am trying to update some server certificates on our ADC cluster. They are all in PFX format and I am going through the same process I've done many times before.

Today, I have a batch of 5 certificates to update, which all expire next week. One certificate updated fine with no issues. However, the other 4 do not update. When I try to update, I get the message "Problem in input PKCS12 file". I have tried doing the Import PKCS12. The import appears to work, but when I go to install the certificate in the GUI or CLI, I get the same "Problem in input PKCS12 file" message. If I try to install the new certificate with a different certkey name, I get the same "Problem in input PKCS12 file" message. If I try to remove the existing certificate, I get the same message.

I have rebooted the cluster but I still get the same message.

We have a test ADC cluster. If I install the certificate on this, it installs with no problems. So, the issue is on our live cluster. Anyone have any ideas what is causing the problem and what I can do about it?

We are running v.13.0.83.29

Many thanks

Roy


The Import PKCS12 imports and converts.

I don't know if v13.0.83 has a bug or not on this. But try the CLI in case it is just a GUI bug.

What's different between your test and live cluster? Firmware, or does the test cluster not have any existing certs but the prod cluster does?

1) You should be able to upload the cert to /nsconfig/ssl as a .pfx without converting. Either scp to /nsconfig/ssl/ directly or use the SSL > Manage SSL Certs command in the right pane to upload. (See note 3)

2) Then create a certkey where you set both the cert and private key files to the same .pfx entry.

3) If the pfx is updating an existing certkey (same fqdn), then update the certkey instead of adding new and change the old cert and key file names to the .pfx filename.

If it is just a GUI bug, then use the add certkey command. Otherwise, confirm key details prior to import (bitlength and key format):

add ssl certkey <certkeyname> -cert <file.pfx> -bundle yes -password

or

add ssl certkey <certkeyname> -cert <file.pfx> -key <file.pfx> -password

Should also work; again, if the cert being imported has the same fqdn as an existing cert, update the certkey instead.


Hi Rhonda

Both live and test clusters are running the same version, although the test cluster does not have the same number of server certificates installed. The certs I am having trouble with were not installed on test initially. I installed one of the certs on the test cluster, just to confirm the cert file was ok.

On the live cluster, I have tried to do an install from the CLI but I just get the message "ERROR: Problem in input PKCS12 file". Curiously, if I omit the -key and -password parameters, I get the same error message. Does this indicate a bug, where the code is not doing a proper check, or does it actually indicate a problem with the PFX file, even though it works fine on the test cluster?

I get the same issue with all 4 certs that I am trying to update.

Thanks
Roy


To confirm:

1) you have the same firmware on test and prod.

2) PFX works on test but not on prod.

3) Do you have the same existing certs on test and prod when you go to try the import on test vs. prod? The same cert should work the same on both appliances. If it's not working on one, then what is different between the two systems? Maybe retransfer the .pfx to prod as a binary file via your scp utility.

Next:

1) You do not need to import and convert; just build the certkey from the pfx if later than 11.1; prior to that it would need to be converted via the "import" command.

1a) Which commands are you using, and is the cert you're using the PFX for a NEW fqdn/NEW cert not already in use, or does it overlap/replace an existing certkey? If the FQDN assigned to the NEW pfx is already in use on another certkey, the new certkey setup will likely fail. You can use the import and convert as an alternate test, but the .pfx should be able to be used directly.

1b) Are you doing the exact same test on test vs. prod?

2) You might want to share your exact command (minus passwords) to understand what is or isn't going wrong, and whether that same command works on test. If it works on test, which command is being executed?

2a) When creating a certkey from a pkcs (.pfx), either:

add ssl certkey <certkeyname> -cert <filename.pfx> -bundle yes -password

OR

add ssl certkey <certkeyname> -cert <filename.pfx> -key <filename.pfx> -password

You might need an additional parameter to adjust key type info if needed.

Confirm the .pfx transfer over scp to the two systems doesn't have any bit errors (compare checksum or repeat transfer).

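The checklist in the reply above (retransfer the .pfx as binary, compare checksums, confirm the key details) can be scripted on the admin workstation before the file reaches /nsconfig/ssl. The following is an added example, not code from this thread and not a Citrix tool: it checks that a .pfx really is a binary PKCS#12 container (not a PEM file renamed to .pfx, not a file cut short or mangled by an ASCII-mode transfer) and reports a SHA-256 to compare against the copy on the ADC. It parses only the outer DER shell described in RFC 7292; the sample files, names and placeholder bytes are constructed for the example.

```python
"""Pre-flight sanity checks for a .pfx before it is uploaded to /nsconfig/ssl.

Added example (not Citrix code, not from the thread). It only inspects the
file bytes on the admin workstation; all sample inputs below are constructed.
"""
import hashlib
import sys

# contentType OIDs allowed for PFX.authSafe (RFC 7292 section 4)
PKCS7_DATA_OID = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1
PKCS7_SIGNED_DATA_OID = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER at offset %d" % pos)
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("bad DER length encoding at offset %d" % pos)
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length %d overruns the file (%d bytes left)" % (length, len(buf) - pos))
    return tag, pos, end


def check_pfx(data):
    """Return {'ok', 'reason', 'sha256'} describing whether data looks like a PKCS#12 file.

    Only the outer PFX ::= SEQUENCE { version INTEGER(3), authSafe ContentInfo, ... }
    shell is validated; decrypting the contents needs the password and is the ADC's job.
    """
    result = {"ok": False, "reason": "", "sha256": hashlib.sha256(data).hexdigest()}
    # A PEM file renamed to .pfx is a common mistake; -inform PFX expects binary DER.
    if data.lstrip().startswith(b"-----BEGIN"):
        result["reason"] = "file is PEM text, not a binary PKCS#12 container"
        return result
    try:
        tag, start, end = _read_tlv(data, 0)
        if tag != 0x30:
            raise ValueError("outer element is not a SEQUENCE (tag 0x%02x)" % tag)
        if end != len(data):
            raise ValueError("%d trailing bytes after the PFX structure" % (len(data) - end))
        tag, vstart, vend = _read_tlv(data, start)
        if tag != 0x02 or data[vstart:vend] != b"\x03":
            raise ValueError("PFX version is not 3")
        tag, cstart, cend = _read_tlv(data, vend)
        if tag != 0x30:
            raise ValueError("authSafe is not a ContentInfo SEQUENCE")
        tag, ostart, oend = _read_tlv(data, cstart)
        if tag != 0x06 or data[ostart:oend] not in (PKCS7_DATA_OID, PKCS7_SIGNED_DATA_OID):
            raise ValueError("authSafe contentType is not pkcs7 data/signedData")
    except ValueError as exc:
        result["reason"] = str(exc)
        return result
    result["ok"] = True
    result["reason"] = "outer PKCS#12 structure is well-formed"
    return result


def same_file(data_a, data_b):
    """True when two copies (e.g. workstation vs. ADC) have the same SHA-256."""
    return hashlib.sha256(data_a).digest() == hashlib.sha256(data_b).digest()


def _der(tag, body):
    """Encode one DER TLV; enough for the constructed samples (bodies < 64 KiB)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body


# Constructed samples: a PFX shell around placeholder bytes (no real key material),
# the same file cut short as a bad transfer would leave it, and a PEM file misnamed .pfx.
GOOD_PFX = _der(0x30, _der(0x02, b"\x03")
                + _der(0x30, _der(0x06, PKCS7_DATA_OID) + _der(0xA0, _der(0x04, b"\x00" * 40))))
TRUNCATED_PFX = GOOD_PFX[:-10]
PEM_AS_PFX = b"-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    # usage: python pfx_check.py file1.pfx [file2.pfx ...]
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            verdict = check_pfx(fh.read())
        print("%s: %s (sha256 %s)" % (path, verdict["reason"], verdict["sha256"]))
```

Run it against the .pfx on the workstation, then compute the SHA-256 of the copy in /nsconfig/ssl on the ADC (the shell there has sha256 available) and compare: a mismatch or a "truncated"/"overruns" verdict means the transfer, not the certificate, is the problem, which is the case the reply above asks to rule out first.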

To confirm:

1) you have same firmware on test and prod - Yes

2) PFX works on test but not on prod - Yes

3) Do you have the same existing certs on test and prod when you go to try the import on test vs. prod - The certificate was not initially on the test cluster. The installation on test was simply to confirm there was no issue with the PFX file

I am following the same process I have many times before when adding and updating a server certificate. Typically, I have used the GUI to do this by going to Traffic Management > SSL > Certificates > Server Certificates. I then select the certificate to update. I enable the check box to "Update the certificate and key", upload the new certificate file (PFX file) and the same file as the Key File Name. When I upload the Key File Name I get a message that the file does not exist, but I assume this is normal, as the file has not been uploaded to the ADC at this point. I then enter the password and select No Domain Check. When I click OK, that is when I get the message "Problem in input PKCS12 file".

I have tried the same process but choosing local, after uploading the file through WinSCP. I have tried not selecting No Domain Check as well. All options seem to give the same result.

At the CLI I have tried the following to update the certificate:

           update ssl certKey uatx-XXXXXX -cert uatXXXXXX.pfx -key uatxXXXXXX.pfx -password XXXXXX -inform PFX -noDomainCheck

AND

           update ssl certKey uatx-XXXXXX -cert /nsconfig/ssl/uatXXXXXX.pfx -key /nsconfig/ssl/uatxXXXXXX.pfx -password XXXXXX -inform PFX -noDomainCheck

I have even tried to remove the existing certkey but still get the message "Problem in input PKCS12 file".

I have tried the following command to create a new certKey:

           add ssl certKey uatxXXXXXX -cert uatxXXXXXX.pfx -key uatxXXXXXX.pfx -password XXXXXX -inform PFX

Trying any of the options you mention above also returns the same error.

I have tried converting the file and trying to update it with the following:

           update ssl certKey uatx-XXXXXX -cert uatxXXXXXX.cer -key uatxXXXXXX.cer -inform DER -noDomainCheck

Just to clarify as well, the new PFX file has a different filename to the PFX already installed and referred to in the existing certKey. I don't know if this makes a difference, but I have frequently updated a certificate with a certificate with a different filename but for the same domain.

I am suspecting that something is screwed up on the ADC, as surely I should be able to install the PFX as a new certKey but I cannot. No matter what I do, the only error seems to be "Problem in input PKCS12 file". I would have expected different errors for different things, such as entering the wrong password, or am I assuming too much here!




Hi,

We have recently experienced the same issue.

  • Problem: Installing or updating a certificate using either GUI or CLI and with any cert file format (PFX, PEM, CER + Key, CRT + Key) all resulted in the same error "Problem in input PKCS12 file".
  • Setup: Cluster setup that was on version 12.1-60.19.
  • Failed resolution attempts: We tried the following steps to resolve the issue but they all failed:
  1. Tried to install the certificate on another ADC cluster to make sure that the certificates are fine. The certificates were installed successfully on the other ADC cluster.
  2. Tried to rename the certificate file name -> same error
  3. Tried to install it with a new name -> same error
  4. Tried to update the existing certificate -> same error
  5. Tried to convert PFX to PEM -> same error
  6. Tried to use the ADC utility "Import PKCS#12", and the import was successful but installing the certificate then failed with the same error.
  7. Tried to delete the old certificate but it failed with the same error.
  8. Tried the PFX with only an alphanumeric password and then installed it, but it failed with the same error.
  9. Tried to create a new certificate using a key and CSR generated from the ADC and installed the new certificate but it failed with the same error.
  10. Tried to export a PFX certificate without a chain but it failed with the same error.
  • Solution: Create a backup. Copy and download the configuration file ns.conf. Modify the ns.conf file to delete the "add ssl certkey ..." of the corresponding certificate which we couldn't delete from GUI. After modifying the ns.conf file you need to upload it into the ADC again and reboot all the cluster nodes.

Regards,

Abbas

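The fix in the post above edits ns.conf by hand to drop the stuck "add ssl certkey ..." line. The following is an added example, my own and not a Citrix tool or anything posted in the thread: it performs that one removal on a downloaded ns.conf in a reviewable way and, as the check a practitioner would want before uploading the file and rebooting every node, lists every other line that still names the certkey (bind or link lines, for instance), since a dangling reference in the saved config is exactly what a hand edit can leave behind. The line shapes it assumes are the standard ns.conf forms (add/link/bind ssl ... with the certkey name as a token); the sample configuration and all names in it are constructed.

```python
"""Strip one 'add ssl certKey' entry from a saved ns.conf and list what still refers to it.

Added example, not Citrix tooling and not from the thread. It assumes the ns.conf
line shapes shown in SAMPLE_NS_CONF (certkey name as a whitespace-separated token);
the sample itself is constructed.
"""
import shlex
import sys


def _tokens(line):
    """Split an ns.conf line; values with spaces are double-quoted, shell style."""
    try:
        return shlex.split(line)
    except ValueError:          # unbalanced quote: fall back to plain whitespace split
        return line.split()


def strip_certkey(conf_text, certkey_name):
    """Return (new_text, removed_lines, remaining_references).

    Only the 'add ssl certKey <name> ...' line is dropped, matching the fix above.
    Every other line that still carries the certkey name (link, bind, set ...) is kept
    and reported so the admin can decide about it before uploading and rebooting.
    """
    kept, removed, refs = [], [], []
    for line in conf_text.splitlines():
        toks = _tokens(line)
        is_add = (len(toks) >= 4
                  and [t.lower() for t in toks[:3]] == ["add", "ssl", "certkey"]
                  and toks[3] == certkey_name)
        if is_add:
            removed.append(line)
            continue
        if certkey_name in toks:
            refs.append(line)
        kept.append(line)
    new_text = "\n".join(kept) + ("\n" if conf_text.endswith("\n") else "")
    return new_text, removed, refs


# Constructed sample in ns.conf style; certkey names, files and the passcrypt value are placeholders.
SAMPLE_NS_CONF = """\
add ssl certKey uatx-example -cert uatx-example-old.pfx -key uatx-example-old.pfx -inform PFX -passcrypt "XXXXXX"
add ssl certKey other-site -cert other.pfx -key other.pfx -inform PFX
link ssl certKey uatx-example intermediate-ca
bind ssl vserver vs_uatx -certkeyName uatx-example
bind ssl vserver vs_other -certkeyName other-site
"""


if __name__ == "__main__":
    # usage: python strip_certkey.py ns.conf <certkeyname> > ns.conf.edited
    with open(sys.argv[1]) as fh:
        text, gone, refs = strip_certkey(fh.read(), sys.argv[2])
    sys.stdout.write(text)
    for line in gone:
        sys.stderr.write("removed: %s\n" % line)
    for line in refs:
        sys.stderr.write("still references the certkey, review before upload: %s\n" % line)
```

On the sample config the script removes the one "add ssl certKey uatx-example" line and reports the link and bind lines that still point at it; whether those should also go depends on whether the replacement certkey will reuse the same name, which is the admin's call, not the script's.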
