Import certificate to NSX Edge

Normally when I get a certificate from a customer I often get it in PFX format, but NSX Edge wants it in PEM format. What is often confusing here is that when converting the PFX, the private key comes out in PKCS8 format, but Edge wants the private key in PKCS1 format.

Here is a write-up of the conversion. You will need OpenSSL on the machine you work on; Windows, UNIX or macOS, it doesn't matter.

First, we need to split the PFX into .crt and .key with these two commands:

openssl pkcs12 -in [yourfile.pfx] -nocerts -out [private.key]
openssl pkcs12 -in [yourfile.pfx] -clcerts -nokeys -out [certificate.crt]

Now we need to convert the private key from the first command (named private_pkcs8.key below) from PKCS8 to PKCS1 format with this command:

openssl rsa -in private_pkcs8.key -out private_pkcs1.key

Now you can go to your NSX Edge and import the certificate using the .crt and private_pkcs1.key files.
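
The split and convert steps above, run end to end on a throwaway PFX with a format check and a certificate/key match check before import; this is an added example, not part of the original post. The function names, the demo file names and the PFX_PASS variable are assumptions, and `-traditional` is tried first because OpenSSL 3.x otherwise writes PKCS8 from `openssl rsa`.

```shell
#!/bin/sh
# Added example, not from the original post. The PFX below is constructed test data.
WORK=$(mktemp -d)
export PFX_PASS='constructed-demo-pass'   # demo value; read via env: so it stays off argv

# Print the private-key format implied by the first PEM header in file $1.
key_format() {
  case "$(sed -n '/^-----BEGIN/{p;q;}' "$1")" in
    *'BEGIN RSA PRIVATE KEY'*)       echo pkcs1 ;;
    *'BEGIN ENCRYPTED PRIVATE KEY'*) echo pkcs8-encrypted ;;
    *'BEGIN PRIVATE KEY'*)           echo pkcs8 ;;
    *)                               echo unknown ;;
  esac
}

# Write key $1 to $2 as unencrypted PKCS#1. OpenSSL 3.x emits PKCS#8 from
# "openssl rsa" unless -traditional is given; older builds reject the flag.
to_pkcs1() {
  openssl rsa -traditional -in "$1" -passin env:PFX_PASS -out "$2" 2>/dev/null ||
    openssl rsa -in "$1" -passin env:PFX_PASS -out "$2" 2>/dev/null
}

# Succeed only if certificate $1 and RSA key $2 have the same modulus.
cert_matches_key() {
  cm=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 1
  km=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 1
  [ -n "$cm" ] && [ "$cm" = "$km" ]
}

# Build a throwaway PFX, then run the post's split and convert steps on it.
demo() (
  cd "$WORK" || exit 1
  umask 077                                  # key files readable by owner only
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=demo.invalid \
    -keyout src.key -out src.crt 2>/dev/null || exit 1
  openssl pkcs12 -export -inkey src.key -in src.crt -out demo.pfx \
    -passout env:PFX_PASS || exit 1
  openssl pkcs12 -in demo.pfx -nocerts -out private_pkcs8.key \
    -passin env:PFX_PASS -passout env:PFX_PASS 2>/dev/null || exit 1
  openssl pkcs12 -in demo.pfx -clcerts -nokeys -out certificate.crt \
    -passin env:PFX_PASS 2>/dev/null || exit 1
  to_pkcs1 private_pkcs8.key private_pkcs1.key || exit 1
  echo "split key: $(key_format private_pkcs8.key), converted key: $(key_format private_pkcs1.key)"
  cert_matches_key certificate.crt private_pkcs1.key && echo "certificate matches key"
)
demo
```

The converted key is unencrypted, so delete the working directory once the import is done.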

Later on, I found that I need to import the certificate together with the intermediate certificate of the signing third party. In my case it's GoDaddy.
To do this we convert the certificates to .PEM and afterward.

openssl pkcs7 -print_certs -in gd-g2_iis_intermediates.p7b -out gd-interm.pem

Then we can convert the cert to pem and put the two certificates in the same file.

openssl x509 -in hk-domain.dk.crt -out hk-domain.dk.pem -outform PEM

Now you can paste this into the load balancer. There must be an easier way to do it; if you find one, please ping me.

Edit: Found a couple of other OpenSSL commands that I struggle to find from time to time.

# Remove the passphrase from (decrypt) a PEM private key:
openssl rsa -in file1.key -out file2.key
# Convert PKCS7 to PEM format:
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer

Jesper Ramsgaard
