Hi,
I had this issue also when using our internal PKI and openssl; I believe it is down to the private key being encrypted with a passphrase.
You need to have the certificate private key unencrypted.
To remove the private key password follow this procedure:
1. Copy the private key file into your OpenSSL directory (or you can specify the path in the command line).
2. Run this command using OpenSSL:
openssl rsa -in [file1.key] -out [file2.key]
Enter the passphrase and [file2.key] is now the unprotected private key.
The output file, [file2.key], should be unencrypted. To verify this, open the file using a text editor (such as MS Notepad) and view the headers.
Encrypted headers look like this:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,
6AC307785DD187EF...
-----END RSA PRIVATE KEY-----
Unencrypted headers look like this:
-----BEGIN RSA PRIVATE KEY-----
6AC307785DD187EF...
-----END RSA PRIVATE KEY-----
I did all of this in bash on the switch (feature bash-shell) so you're keeping the keys on the box.
Once you have the unencrypted key and certificate chain you can then import:
- nxapi certificate httpscrt certfile bootflash:///cert_chain.crt
- nxapi certificate httpskey keyfile bootflash:///cleartext_key.key
- nxapi certificate enable
Related bug https://quickview.cloudapps.cisco.com/quickview/bug/CSCva75989
Hope this helps.
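
Added example, not part of the original post: a shell version of the header check described above, which also reports whether the now-cleartext key file is readable by users other than its owner. It goes beyond the post by recognising the PKCS#8 `BEGIN ENCRYPTED PRIVATE KEY` form as well; the function names and the sample files (constructed placeholders, not real keys) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Classifies a PEM private key by
# its headers and checks that a cleartext key is not readable by other users.

# Prints: encrypted | unencrypted | not-a-key
pem_key_state() {
    if [ ! -r "$1" ]; then echo "not-a-key"; return 0; fi
    # PKCS#8 encrypted keys say so in the BEGIN line itself.
    if grep -q -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        echo "encrypted"
    # Traditional (RSA/EC/DSA) and PKCS#8 cleartext keys share this BEGIN shape;
    # the traditional encrypted form adds a Proc-Type header below it.
    elif grep -q -E -e '^-----BEGIN ((RSA|EC|DSA) )?PRIVATE KEY-----' "$1"; then
        if grep -q -e '^Proc-Type: 4,ENCRYPTED' "$1"; then
            echo "encrypted"
        else
            echo "unencrypted"
        fi
    else
        echo "not-a-key"
    fi
}

# Prints: owner-only | exposed (group or other permission bits are set)
key_file_exposure() {
    case "$(ls -ld "$1")" in
        ????------*) echo "owner-only" ;;
        *)           echo "exposed" ;;
    esac
}

# Constructed sample files; bodies are placeholders, not real key material.
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: DES-EDE3-CBC,0000000000000000' '' 'PLACEHOLDER' \
    '-----END RSA PRIVATE KEY-----' > "$demo_dir/file1.key"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'PLACEHOLDER' \
    '-----END RSA PRIVATE KEY-----' > "$demo_dir/file2.key"
chmod 600 "$demo_dir/file2.key"

for f in "$demo_dir/file1.key" "$demo_dir/file2.key"; do
    echo "$(basename "$f"): $(pem_key_state "$f"), $(key_file_exposure "$f")"
done
```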