[f-nsp] problems binding new key and cert on ADX

Jethro R Binks jethro.binks at strath.ac.uk
Mon Nov 9 11:05:38 EST 2015


Hi,

I'm banging my head against a wall here and looking for some help.

One virtual service is having a cert change due to expiry, and I've got 
the .pfx as exported from Windows.  I have extracted the key and cert from 
this.  I have the intermediate and root certs.

I can upload all, the key to the keyfile, and the host cert then the 
intermediate to the cert file using scp.  Done this some number of times 
in the past routinely.

I can use the show commands to view the cert chain, and see the host's 
cert plus the intermediate.

However what I can't do is the actual bind of the cert into the ssl 
profile:

SSH@sender(config)#ssl profile tcnemo-toclients
SSH@sender(config-ssl-profile-tcnemo-toclients)#keypair-file tcnemo_2015.key
SSH@sender(config-ssl-profile-tcnemo-toclients)#certificate-file tcnemo_chain_2015.crt
SSH@sender(config-ssl-profile-tcnemo-toclients)#Error key and certificate mismatch
Please delete the key and re-add the right key and certificate
SSL profile : tcnemo-toclients
Certificate file : \usb0\certstor\tcnemo_chain_2015.crt.cert
Key file : \usb0\certstor\tcnemo_2015.key.key

The only help I can get from Dr Google is the suggestion from the 
documentation that this key does not match the certificate.  But both came 
from the exported PFX, and I've verified them manually in various ways.  
Now totally stuck as to what to do next (and time is ticking for the 
previous cert expiry :).

Anyone any ideas?

ADX 12.5.01g

Jethro.

.  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .
Jethro R Binks, Network Manager,
Information Services Directorate, University Of Strathclyde, Glasgow, UK

The University of Strathclyde is a charitable body, registered in
Scotland, number SC015263.
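
A local pre-upload check for the situation described in the message above, added here as an example and not part of the original post: it reports which certificate in a PEM chain file carries the public key of a given private key, so a chain file whose first certificate is not the host certificate shows up as position 2 or later. It assumes OpenSSL is installed and the key is unencrypted PEM; the function name `match_position` is hypothetical, and the script does not reproduce the ADX's own check.

```shell
#!/bin/sh
# Added example: find which certificate in a PEM chain file a private key
# belongs to. Nothing here is ADX-specific; file names are the caller's.

# PEM public key derived from a private key file (assumed unencrypted PEM).
pub_from_key() { openssl pkey -in "$1" -pubout 2>/dev/null; }

# PEM public key of a single certificate file.
pub_from_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Write each certificate of chain file $1 to $2/cert-N.pem, in file order.
# Text outside the BEGIN/END markers (for example the "Bag Attributes"
# lines that openssl pkcs12 emits) is dropped.
split_chain() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; keep = 1 }
        keep { print > out }
        /-----END CERTIFICATE-----/ { if (keep) close(out); keep = 0 }
    ' "$1"
}

# Print the 1-based position of the certificate whose public key equals the
# one derived from the private key, or 0 if no certificate matches.
# Exit status: 0 = first certificate matches, 1 = it does not,
# 2 = the key could not be read.
match_position() {
    key=$1
    chain=$2
    tmp=$(mktemp -d) || return 2
    kpub=$(pub_from_key "$key") || kpub=
    if [ -z "$kpub" ]; then rm -rf "$tmp"; return 2; fi
    split_chain "$chain" "$tmp"
    pos=0
    i=1
    while [ -f "$tmp/cert-$i.pem" ]; do
        cpub=$(pub_from_cert "$tmp/cert-$i.pem") || cpub=
        if [ "$cpub" = "$kpub" ]; then pos=$i; break; fi
        i=$((i + 1))
    done
    rm -rf "$tmp"
    echo "$pos"
    [ "$pos" -eq 1 ]
}

# Usage: sh check.sh <key.pem> <chain.pem>
if [ "$#" -eq 2 ]; then
    match_position "$1" "$2"
fi
```

A result of 1 means the key pairs with the first certificate in the file; 0 means the key matches none of the certificates it contains.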

