NetScaler ADC: Invalid Private Key Error

Just had a nice issue with a NetScaler ADC 12.0 implementation at one of our customers … again, it’s certificate related.

We received a new SSL server certificate, which was signed by an official CA; the private key, and so the CSR, were created outside of NetScaler – not that unusual, btw. So we needed to import both the certificate and its corresponding private key. Some strange behaviour occurred then.

First, we tried just to “Install” a new SSL server certificate using the NetScaler GUI, which failed with the often seen “Invalid private key, or PEM pass phrase required for this private key” error. Sigh. As I’m used to this error (nearly!), I checked the private key and certificate files. Well, looks good so far. There was an extra newline at the file’s end, which doesn’t matter.

Next, we did an upload of the files using the Web-GUI. The certificate file worked, but the private key did not. The upload was successful, but the private key wasn’t listed in the NetScaler’s private keys view … hum.

OK, let’s do it by command line, which SHOULD work anyway. Long story short, it didn’t. Same error here: “Invalid private key, or PEM pass phrase required for this private key”. In the meantime I checked whether the private key file and certificate file DO match (no problem here) and whether there was really no passphrase given during private key generation. Nope, again. So it should work.

Finally, I started my local openssl shell, read the private key file and wrote the very same key back to a new file, and … yeah! The import of the newly created private key file succeeded. Lesson learned: there must have been some white space or similar in the private key file we got which I can’t see in my editor (PSPad and Notepad2 in this case).

For your information: here’s the corresponding openssl command I used:
openssl rsa -in <original key file> -out <new key file>
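To see what an editor may be hiding before rewriting a key, the following added example (not part of the original post) lists invisible or unexpected bytes in a PEM file without printing the key itself. It assumes an unencrypted key with no header lines between the boundary lines; the function name and sample data are constructed for illustration, and the post does not establish which kind of byte caused the failure described above.

```python
import base64
import re
import sys

BOM = b"\xef\xbb\xbf"
# A PEM file without encryption headers holds only boundary lines and base64.
PEM_LINE = re.compile(rb"-----(BEGIN|END) [A-Z0-9 ]+-----|[A-Za-z0-9+/]+={0,2}")


def inspect_pem(data: bytes) -> list[str]:
    """List invisible or unexpected bytes that an editor may not display."""
    findings = []
    if data.startswith(BOM):
        findings.append("UTF-8 byte order mark at start of file")
        data = data[len(BOM):]
    if b"\r" in data:
        findings.append("carriage returns (CRLF or CR line endings)")
    lines = data.replace(b"\r\n", b"\n").replace(b"\r", b"\n").split(b"\n")
    for number, line in enumerate(lines, start=1):
        if not line:
            continue  # empty lines are not reported
        if line != line.strip(b" \t"):
            findings.append(f"line {number}: leading or trailing space/tab")
        elif not PEM_LINE.fullmatch(line):
            findings.append(f"line {number}: bytes outside the PEM alphabet")
    return findings


# Constructed samples: the base64 body is placeholder text, not a real key.
BODY = base64.b64encode(b"constructed sample, not a real key")
CLEAN = b"-----BEGIN RSA PRIVATE KEY-----\n" + BODY + b"\n-----END RSA PRIVATE KEY-----\n"
# Same content with a BOM, CRLF endings, a trailing space and a no-break space.
DIRTY = (BOM + b"-----BEGIN RSA PRIVATE KEY----- \r\n" + BODY
         + b"\xc2\xa0\r\n-----END RSA PRIVATE KEY-----\r\n")

if __name__ == "__main__":
    # With a path argument, inspect that file; otherwise show the samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as handle:
            samples = {sys.argv[1]: handle.read()}
    else:
        samples = {"clean sample": CLEAN, "dirty sample": DIRTY}
    for name, data in samples.items():
        print(name, "->", inspect_pem(data) or "no hidden bytes found")
```

Run it on the workstation that holds the key file, passing the file path as the only argument.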
