New Question

Unable to Import Key Pair

asked 2017-06-14 15:38:15 +0300

this post is marked as community wiki

This post is a wiki. Anyone with karma >75 is welcome to improve it.

I try to follow instruction on "Windows authentication without passwords in OpenStack" but it seems like it is missing instruction for Import Key Pair via OpenStack Horizon.

After I run script I have got 2 files


I need to export Public key from winrm_client_cert.pem by this OpenSSL command

openssl x509 -pubkey -noout -in winrm_client_cert.pem -out pubkey.pem

Then I try to import this public key to my project:

-----END PUBLIC KEY-----

but I encountered with “Unable to import key pair” when trying to import the Key Pair via the  OpenStack Horizon same as this link

Please can you let me know what did I missing?

edit retag flag offensive close merge delete

3 answers

Sort by » oldest newest most voted

answered 2017-06-14 23:24:55 +0300

avladu gravatar image


You can install OpenSSH server on the Windows image from or from Then, you can use any ssh client to connect with your private key associated to the ssh public key from Nova to your Windows machine and issue batch/PowerShell commands.

Thank you,
Adrian Vladu

edit flag offensive delete link more

answered 2017-06-14 20:39:43 +0300

this post is marked as community wiki

This post is a wiki. Anyone with karma >75 is welcome to improve it.

What about the existing Keypair I created via OpenStack Horizon and downloaded .pem with Private kay, Is there any solution to export Private Key from .pem and import into my local Windows computer certificates?

edit flag offensive delete link more


Hello, after all I know, there is no such transformation possible between the keys, and if it exists, it is not implemented in OpenStack or cloudbase-init. I suggest to you using either userdata scripts, either the x509 key type feature in Nova. Thank you, Adrian Vladu.

avladu gravatar imageavladu ( 2017-06-15 15:51:38 +0300 )edit

answered 2017-06-14 17:20:20 +0300

Claudiu Belu gravatar image


The article you mentioned is passing the x509 certificate to the instance through instance user_data, not as a keypair:

nova boot --flavor 2 --image your_windows_image --key-name key1 vm1 --user_data=your_cert.pem

That being said, since then, support for x509 has been added to nova-api (but not horizon). See the help for the nova keypair-add command:

usage: nova keypair-add [--pub-key <pub-key>] [--key-type <key-type>]
                        [--user <user-id>]

Create a new key pair for use with servers.

Positional arguments:
  <name>                 Name of key.

Optional arguments:
  --pub-key <pub-key>    Path to a public ssh key.
  --key-type <key-type>  Keypair type. Can be ssh or x509. (Supported by API
                         versions '2.2' - '2.latest')
  --user <user-id>       ID of user to whom to add key-pair (Admin only).
                         (Supported by API versions '2.10' - '2.latest')

This has been introduced in nova-api v2.1 (microversion 2.2), so make sure you have that registered as an endpoint:

openstack endpoint list
# you should see something like this:
# | 34291deac24a4a9195c340b70f03830f | RegionOne | nova         | compute        | True    | admin     |              |

If not, you'll have to register a new endpoint for the /v2.1 URL, and then run a command like this:

nova --service-type endpoint_name keypair-add ...

By default, the microversion 2.latest is used, but if not, you will probably want to be explicit:

nova --service-type endpoint_name --os-compute-api-version 2.2 keypair-add ...

Best regards,

Claudiu Belu

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2017-06-14 15:38:15 +0300

Seen: 1,593 times

Last updated: Jun 15 '17