https://live.paloaltonetworks.com/t5/globalprotect-discussions/certificate-chain-requirements-from-external-ca-for-global/m-p/1219746#M6443 <P>As per the image it into firewall along with ROOT-CA cert private key is also imported, but for server/ssl cert only certificate is imported not key, Without private key it wont appear in SSL/TLS profile settings, Reimport the certificate along with private key.&nbsp;&nbsp;</P> Fri, 07 Feb 2025 05:41:54 GMT Naga_Chaturvedi 2025-02-07T05:41:54Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/certificate-chain-requirements-from-external-ca-for-global/m-p/1219678#M6441 <P>Hi Everyone,</P> <P><BR />So I'm having issues configuring my GP as it does not allow me to select the server-cert from the TLS/SSL Service profile Window.</P> <P>The server-cert is not even an option to select from within the window itself and when i try to import it from inside the TLS/SSL Service profile window - it imports but errors out saying the cert is invalid.</P> <P>&nbsp;</P> <P>I noticed that the certificate chain I got from SSL.com that I imported doesn't have a check mark on the key column under the server cert, I only have a checkmark under the key column for the root cert which overwrote the CSR.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="GP7337_1-1738863827766.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/65875iFDC5B98438214A44/image-size/medium?v=v2&amp;px=400" role="button" title="GP7337_1-1738863827766.png" alt="GP7337_1-1738863827766.png" /></span></P> <P>&nbsp;</P> <P>So the question I have is - how do I get a key check mark to appear under the Server-Cert inside the cert chain?&nbsp; Do I have the wrong type of SSL cert?&nbsp; What am I missing?</P> <P><BR />Thanks in Advance Everyone!</P> Thu, 06 Feb 2025 17:45:01 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/certificate-chain-requirements-from-external-ca-for-global/m-p/1219678#M6441 GP7337 2025-02-06T17:45:01Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/certificate-chain-requirements-from-external-ca-for-global/m-p/1219746#M6443 <P>As per the image it into firewall along with ROOT-CA cert private key is also imported, but for server/ssl cert only certificate is imported not key, Without private key it wont appear in SSL/TLS profile settings, Reimport the certificate along with private key.&nbsp;&nbsp;</P> Fri, 07 Feb 2025 05:41:54 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/certificate-chain-requirements-from-external-ca-for-global/m-p/1219746#M6443 Naga_Chaturvedi 2025-02-07T05:41:54Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/certificate-chain-requirements-from-external-ca-for-global/m-p/1219801#M6447 <P>Hi <A href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/245004" target="_blank">Naga,</A></P> <P>&nbsp;</P> <P>Thanks for your reply! <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>So this is part of the problem I don't have a key for the server cert specifically as the cert I received is part of a certificate bundle.</P> <P>When I try to import the CSR key that was used to generate the external CA's certificate chain it errors out saying the key isn't valid.</P> <P>So is there a specific attribute or a type of cert I need in order to get this to work?&nbsp;</P> <P>&nbsp;</P> <P>Thanks,</P> <P>Gary</P> <P>&nbsp;</P> Fri, 07 Feb 2025 15:11:43 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/certificate-chain-requirements-from-external-ca-for-global/m-p/1219801#M6447 GP7337 2025-02-07T15:11:43Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/certificate-chain-requirements-from-external-ca-for-global/m-p/1221774#M6513 <P>Just a heads up this was fixed - when you are importing the certs into the firewall do not overwrite the CSR until you are importing the server cert portion of the certificate chain.&nbsp; This way the key will be paired properly with the server cert.<BR />Hope this helps someone in the future <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Mon, 24 Feb 2025 15:01:54 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/certificate-chain-requirements-from-external-ca-for-global/m-p/1221774#M6513 GP7337 2025-02-24T15:01:54Z