
Problems adding wildcard SSL certificate to Nutanix

I have been on the phone with GoDaddy support at least 3 times, chatted twice, and I am still beating my head against the wall on this issue.  We have a wildcard certificate provided by GoDaddy.  Importing to IIS and most of our servers seems to work fine.  When importing to our Nutanix Prism service it complains that the CA-Cert contains an SHA1 signature algorithm.  I have been told to rekey and have done twice now with the same result.  Support even went to the trouble of looking at the cert on our public website, which isn't using the wildcard cert (externally managed).

 

Here are the steps I have taken to reproduce:

1. Download the rekeyed certificate.

2. Import the Intermediate Certificates (gd-g2_iis_intermediates.p7b) into Windows Server 2019

3. Complete the CSR Request to import the cert into IIS (.crt file)

4. Export the certificate with private key into PKCS12 (.pfx) format

5. Run commands to get files that Nutanix reads:

  • Generate Private Key: openssl pkcs12 -in certificate.pfx -nocerts -nodes -out clientcert.key
  • Generate Public Certificate: openssl pkcs12 -in certificate.pfx -clcerts -nokeys -out clientcert.cer
  • Generate CA Certificate: openssl pkcs12 -in certificate.pfx -cacerts -nokeys -chain -out cacerts.cer

Nutanix fails import complaining "Import Files verification failed. Signature Algorithm in the CA is not supported. Please select a valid CA and to include in TLS handshake."

 

And when I plug the first certificate in the cacerts.cer chain into the GoDaddy Certificate Decoder I see the issue:

 

[Image: GoDaddy CA-CERT.PNG]

 

Anyone have any thoughts about how to fix this issue or get GoDaddy to do so??

 

-Tim

1 ACCEPTED SOLUTION

Finally figured this one out myself.  Had to manually cut out the offending cert and then it would import correctly.
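
One way to do the manual cut described in the accepted solution, as an added example that is not part of the original thread: it reads each PEM block in a bundle such as cacerts.cer, checks the certificate's signatureAlgorithm OID, and leaves out the certificates signed with SHA-1. It assumes the offending certificate is the SHA-1-signed one the import error complains about; the function names and the sample certificates are constructed for illustration.

```python
import base64
import re

# DER-encoded OIDs of certificate signature algorithms that use SHA-1.
SHA1_SIG_OIDS = {
    bytes.fromhex("2a864886f70d010105"): "sha1WithRSAEncryption",
    bytes.fromhex("2a8648ce3d0401"): "ecdsa-with-SHA1",
}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def signature_oid(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    _, start, _ = read_tlv(der, 0)              # outer SEQUENCE
    _, _, tbs_end = read_tlv(der, start)        # skip tbsCertificate
    _, alg_start, _ = read_tlv(der, tbs_end)    # AlgorithmIdentifier SEQUENCE
    tag, oid_start, oid_end = read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return der[oid_start:oid_end]

def strip_sha1_certs(pem_text):
    """Return (bundle without SHA-1-signed certs, algorithm names that were dropped)."""
    kept, dropped = [], []
    for m in PEM_RE.finditer(pem_text):         # text outside PEM blocks is discarded
        name = SHA1_SIG_OIDS.get(signature_oid(base64.b64decode(m.group(1))))
        (dropped if name else kept).append(name or m.group(0))
    return "\n".join(kept) + "\n", dropped

def tlv(tag, content):  # minimal DER encoder, used only to build the constructed sample
    n = len(content)
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(size)]) + size) + content

def sample_cert(oid_hex):  # constructed skeleton, not a real certificate
    alg = tlv(0x30, tlv(0x06, bytes.fromhex(oid_hex)) + b"\x05\x00")
    der = tlv(0x30, tlv(0x30, bytes(300)) + alg + tlv(0x03, bytes(5)))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----"

if __name__ == "__main__":
    certs = [sample_cert("2a864886f70d010105"), sample_cert("2a864886f70d01010b")]
    cleaned, dropped = strip_sha1_certs("Bag Attributes: <No Attributes>\n" + "\n".join(certs))
    print("dropped:", dropped, "kept:", cleaned.count("BEGIN CERTIFICATE"))
```

For a real bundle, pass the text of cacerts.cer to strip_sha1_certs and write the first return value to a new file, then confirm the remaining chain still links the wildcard certificate to its issuer before importing.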
