topic Re: Can't define Forward Trust certificate in Next-Generation Firewall Discussions

Can't define Forward Trust certificate

CHARRIER — Thu, 27 Jul 2023 10:20:58 GMT

Hello,

We have a new firewall, PA-460 model. The panos version is 10.2.4-h2.

I have a problem for define the Forward Trust certificate for the decryption.

The certificate i want to declare for Forward trust is a root certificate of our domain.

I import the certificate with is private key in pkcs12.

When i check the case "Forward Trust Certificate" or "Trusted Root CA", i can validate the commit but when i push the commit, i have this error :

Partial changes to commit: changes to configuration by administrators: admin
Changes to shared configuration
Error: Certificate failed to load: invalid certificate chain
Error preparing global objects
failed to handle CONFIG_UPDATE_START
(Module: device)
client device phase 1 failure
Commit failed

i have a vm for test, and the problem is the same, i tried to import the certificate in pem, and update to panos 10.2.4-h3 but same error.

Someone have an idea to fix this problem ?

I can't active decryption for now.

Re: Can't define Forward Trust certificate

ozheng — Thu, 27 Jul 2023 11:20:51 GMT

Hello Charrier,

Have you tried to reimport the certificate in PEM format?

You need to play with openssl to convert it.

Olivier

Re: Can't define Forward Trust certificate

CHARRIER — Thu, 27 Jul 2023 11:26:25 GMT

Yes i tried, i convert the certificate pkcs12 in 2 pem file, one with certificate, and one with key and reimport it. but same error.

Re: Can't define Forward Trust certificate

ozheng — Thu, 27 Jul 2023 11:29:51 GMT

open the certificate with a notepad, you may have to only keep the actual cert.

Re: Can't define Forward Trust certificate

CHARRIER — Thu, 27 Jul 2023 13:10:46 GMT

Thanks for the advice, I open the pem file in notepad, and i saw 2 certificate in this file.

When i import this file in palo, his show me only 1 certificate but 2 was in the file, that's why i have the invalid certification chain.

When i export the root ca since the certification authority, this export 2 root ca certificate.

I split the file in 2 pem file, make the same things for the keys.

Then i see the difference when i upload in the palo. 2 differents expires date.

Then i can declare one Forward Trust Certificate and active decryption.

Thanks

Re: Can't define Forward Trust certificate

ozheng — Thu, 27 Jul 2023 16:27:05 GMT

Hello Charrier,

Good your issue is resolved.

If you have some time, I invite you to read/listen the PANCast Episode 9 about SSL Decryption.

Maybe it can help you to complete your setup too.

Olivier