Error: Failed to upload certificate: Invalid key
Hi,
I have TeamCity installed on Windows Server. I have a pfx cert and used the following commands:
openssl pkcs12 -in teamcity.pfx -clcerts -nokeys -out teamcity.crt - to extract the certificate
and
openssl pkcs12 -in teamcity.pfx -nocerts -out teamcity.key
to extract the private key.
However, when I upload this key and cert to TeamCity, I get:

Hi Gurdip,
TeamCity requires the private key to be in a specific format and not password-protected. The error “Invalid key” usually occurs when:
1. The private key is password-protected (encrypted).
2. The private key is not in the correct format (TeamCity expects PKCS#8 for RSA/ECC keys).
If your key is password-protected, you can remove the password using OpenSSL
To learn more about OpenSSL commands, please refer to https://docs.openssl.org/master/man1/
You can also follow the following document to generate a self-signed certificate and key:
https://www.jetbrains.com/help/teamcity/https-server-settings.html#Example%3A+Generate+Required+Files
Best Regards,
Tom
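A quick way to tell which of the two causes in the reply above applies, as an added example that is not part of the thread or TeamCity's own code: it classifies a PEM key file by its armour label. The function name and the sample keys are constructed for illustration, and "usable" follows the reply's statement that TeamCity expects unencrypted PKCS#8.

```python
import re

# PEM label -> (container format, encrypted by definition), as written by OpenSSL
LABELS = {
    "PRIVATE KEY": ("PKCS#8", False),
    "ENCRYPTED PRIVATE KEY": ("PKCS#8", True),
    "RSA PRIVATE KEY": ("PKCS#1 (traditional RSA)", False),
    "EC PRIVATE KEY": ("SEC1 (traditional EC)", False),
}
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL
)


def classify_key(pem_text):
    """Return (format, encrypted, usable) for the first private key found.

    'usable' means unencrypted PKCS#8 (assumption taken from the reply above).
    Text outside the PEM armour, such as the "Bag Attributes" lines that
    `openssl pkcs12` writes before each block, is ignored.
    """
    for label, body in PEM_BLOCK.findall(pem_text):
        if label not in LABELS:
            continue  # skip CERTIFICATE blocks in a combined file
        fmt, encrypted = LABELS[label]
        # Traditional keys flag encryption with a header inside the block
        if "Proc-Type: 4,ENCRYPTED" in body:
            encrypted = True
        return fmt, encrypted, fmt == "PKCS#8" and not encrypted
    return None, False, False


# Constructed samples: the base64 body is a placeholder, not key material
_BODY = "Q09OU1RSVUNURUQ=\n"
PKCS12_DEFAULT = (
    "Bag Attributes\n    localKeyID: 01 00 00 00\n"
    "-----BEGIN ENCRYPTED PRIVATE KEY-----\n" + _BODY
    + "-----END ENCRYPTED PRIVATE KEY-----\n"
)
PKCS8_PLAIN = "-----BEGIN PRIVATE KEY-----\n" + _BODY + "-----END PRIVATE KEY-----\n"
LEGACY_RSA_ENC = (
    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,00000000000000000000000000000000\n\n" + _BODY
    + "-----END RSA PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    for name in ("PKCS12_DEFAULT", "PKCS8_PLAIN", "LEGACY_RSA_ENC"):
        print(name, classify_key(globals()[name]))
```

The first sample has the shape that `openssl pkcs12 -in teamcity.pfx -nocerts -out teamcity.key` writes when a PEM pass phrase is set: an encrypted PKCS#8 key, which is the first cause listed in the reply.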
Ok got this sorted. But I still get an error as parts of the site are insecure. See below:
Your connection to this site isn't secure
Don't enter any sensitive information on this site (for example, passwords or credit cards). It could be stolen by attackers.
How could I resolve this?
Ok so this seems fine in Firefox. However, I registered an agent, and I noticed when selecting the URL it said it could not communicate with the server. The Windows service started, but in the logs I get these errors:
WARN - buildServer.AGENT.registration - Error while asking server for the communication protocols via URL https://teamcity.gssira.com/app/agents/protocols. Will try later: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target (enable debug to see stacktrace)
[2025-09-25 18:24:08,772] WARN - buildServer.AGENT.registration - Error registering on the server via URL https://teamcity.gssira.com. Will continue repeating connection attempts.
But from a browser on the agent server, I can browse to the TeamCity server with no SSL issues? The cert is trusted too.
Hi Gurdip,
This is a common issue when TeamCity agents fail SSL handshakes. Normally, uploaded certificates are automatically delivered to all TeamCity agents.
However, in some cases, automatic distribution may not be required or desired. In such situations, you can manually add the necessary certificates to a specific agent by placing them into the
<TeamCity Agent Home>/conf/trustedCertificates directory (one file per certificate, in textual form and in one of the supported formats).
Please copy the certificates into the
<TeamCity Agent Home>/conf/trustedCertificates directory on the required agent, restart the TeamCity agent, and try again. For more detailed information, please refer to https://www.jetbrains.com/help/teamcity/uploading-ssl-certificates.html#Delivering+certificates+to+TeamCity+agents
Best Regards,
Tom
Hi Tom,
I don't see the “trustedCertificates” directory. I see:
If the trustedCertificates directory does not exist, you could create it manually and place the certificates inside.
If the issue persists, kindly share the teamcity-agent.log (https://www.jetbrains.com/help/teamcity/viewing-build-agent-logs.html) and teamcity-server.log (https://www.jetbrains.com/help/teamcity/teamcity-server-logs.html) covering the timestamps when the issue occurred.
Best Regards,
Tom
For the certificate, should I copy the pfx file or the key/crt I extracted via OpenSSL?
For the text format, can you be specific on the steps?
Hey Tom, any response to this?
Resolved.