Dell Automation Platform: Custom Certificate Upload Failure

Summary: This article describes issues seen when attempting to replace the default TLS certificate with a custom certificate via the Portal UI.


Symptoms

Custom certificate for Portal_UI fails with the following error:
Invalid private key format
Failed to validate PEM content for PORTAL_UI
Additional symptoms include:
- Certificate upload rejected by Portal UI
- TLS configuration blocked for Portal UI
- Error occurs when attempting to upload certificate through Portal certificate service
- File size should be between 256 bytes and 10 KB. The certicate.pem file is <actual_size> 

 

Cause

The Portal certificate validation rejects the uploaded certificate if conditions for the Privacy-Enhanced Mail (PEM) file are not met.
 
Common causes include:
- Private key is in Public-Key Cryptography Standards #12 (PKCS#12), DER, or another format instead of PEM
- Private key is password-protected (encrypted)
- Private key does not match the certificate being uploaded
- Private key format headers are incorrect or missing
- Extra whitespace or characters outside the PEM blocks
- Key type is not supported (must be RSA or ECDSA)
- PEM file size exceeds 10 KB
- Root CA in the certificate chain differs from that of the previously used custom certificate
- Root or intermediate (leaf) certificate expires in less than 5 years

Resolution

IMPORTANT: After applying a custom TLS certificate for Portal, follow LKB000420420 to confirm that the new certificate has been updated in the orchestrator's trust secret. This ensures that the orchestrator APIs trust and can communicate with the Portal APIs.

 

  • PEM file size exceeds 10KB
    • Upload PEM using "As Text" rather than "As File"
  • Check Private Key Format, and ensure that the private key is in PEM format with correct headers:
    • Private key should start with `-----BEGIN PRIVATE KEY-----` or `-----BEGIN RSA PRIVATE KEY-----`
    • Certificate should start with `-----BEGIN CERTIFICATE-----`
    • No extra whitespace or characters outside the PEM blocks
  • Validate Key Type to ensure that the key is RSA or ECDSA (commonly supported types):
    # Check key type (this command validates an RSA key)
    openssl rsa -in private.key -check -noout

  • Validate Key-Certificate pair, ensuring the private key matches the certificate being uploaded:
    # Verify certificate matches private key (modulus comparison, RSA keys)
    openssl x509 -in certificate.crt -noout -modulus | openssl md5
    openssl rsa -in private.key -noout -modulus | openssl md5
    # Both hashes should match

 

  • Remove Password Protection. Private key should not be password-protected: 
    # Remove passphrase from private key
    openssl rsa -in private.key -out private.key.nopass

 

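  • Convert PKCS#12 to PEM (if needed). If the certificate is in PKCS#12 format:
    # Convert PKCS#12 to PEM
    # Extract only the private key, unencrypted (-nocerts keeps certificates out of the key file)
    openssl pkcs12 -in cert.p12 -out private.key -nocerts -nodes
    # Extract only the client (leaf) certificate
    openssl pkcs12 -in cert.p12 -out certificate.crt -clcerts -nokeys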
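
The structural conditions listed under Cause (size limits, PEM headers, encrypted keys, stray text outside the PEM blocks) can be checked before upload. The following is an added example, not Dell tooling or code from this article: the function name `preflight` is hypothetical, 10 KB is assumed to mean 10240 bytes, and the sample data is constructed. It does not check key type, key-certificate match, or expiry, which the openssl commands above cover.

```python
import re
# Size limits quoted in the article's error text; 10 KB is assumed to mean 10240 bytes.
MIN_SIZE, MAX_SIZE = 256, 10 * 1024
ALLOWED = {"CERTIFICATE", "PRIVATE KEY", "RSA PRIVATE KEY"}  # headers the article lists
BEGIN = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")
END = re.compile(r"-----END ([A-Z0-9 ]+)-----")
B64 = re.compile(r"[A-Za-z0-9+/]+={0,2}")

def preflight(pem: bytes) -> list[str]:
    """Return structural findings for one PEM upload; an empty list means none."""
    findings = []
    if not MIN_SIZE <= len(pem) <= MAX_SIZE:
        findings.append(f"size {len(pem)} bytes is outside {MIN_SIZE}-{MAX_SIZE}")
    try:
        text = pem.decode("ascii")
    except UnicodeDecodeError:
        return findings + ["binary data: looks like DER or PKCS#12, convert to PEM"]
    label = None  # label of the PEM block currently being read, if any
    for n, line in enumerate(text.splitlines(), 1):
        begin, end = BEGIN.fullmatch(line), END.fullmatch(line)
        if label is None:
            if not begin:
                findings.append(f"line {n}: whitespace or text outside PEM blocks")
                continue
            label = begin.group(1)
            if label == "ENCRYPTED PRIVATE KEY":
                findings.append(f"line {n}: private key is password-protected")
            elif label not in ALLOWED:
                findings.append(f"line {n}: header {label!r} is not one the article lists")
        elif end:
            if end.group(1) != label:
                findings.append(f"line {n}: END {end.group(1)} closes BEGIN {label}")
            label = None
        elif line.startswith("Proc-Type:") and "ENCRYPTED" in line:
            findings.append(f"line {n}: private key is password-protected")
        elif line and not line.startswith("DEK-Info:") and not B64.fullmatch(line):
            findings.append(f"line {n}: non-base64 data inside {label} block")
    if label is not None:
        findings.append(f"unterminated {label} block")
    return findings

def _block(label: str) -> str:
    # Constructed placeholder body: valid base64 text, not a real key or certificate.
    return f"-----BEGIN {label}-----\n" + ("QUJD" * 16 + "\n") * 5 + f"-----END {label}-----\n"

GOOD = (_block("CERTIFICATE") + _block("PRIVATE KEY")).encode()
P12_DUMP = ("Bag Attributes\n    localKeyID: 01\n" + _block("PRIVATE KEY")).encode()
ENCRYPTED = _block("ENCRYPTED PRIVATE KEY").encode()
if __name__ == "__main__": print(preflight(P12_DUMP))
```

`P12_DUMP` is shaped like unfiltered `openssl pkcs12` output, whose `Bag Attributes` lines sit outside the PEM blocks and need removing before upload.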

Affected Products

Dell Automation Platform, NativeEdge Solutions, Dell Automation Platform Components, NativeEdge
Article Properties
Article Number: 000461644
Article Type: Solution
Last Modified: 20 Dhu al-Qi'dah 1447
Version:  1