topic Re: Warning certificate chain not correctly formed in certificate in General Topics

Warning certificate chain not correctly formed in certificate

Nick.Spender — Mon, 05 Mar 2018 20:09:23 GMT

Hello All

I have imported a cerfificate into the PA as a PFX. I have also import the intermediate certs and root CA. The cert is signed by Go Daddy with 2 intermediate certs and a Root CA.

All imports fine, but when I get up global protect portal and use the imported cert (from the pfx) I get an error which says "Warning certificate chain not correctly formed in certificate"

Thanks everyone 🙂

Re: Warning certificate chain not correctly formed in certificate

gwesson — Mon, 05 Mar 2018 21:46:15 GMT

The root should not be imported (the client won't use it and the firewall already trusts it). Did you check out the Chained Certificate doc?

https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Install-a-Chained-Certificate-Signed-by-a-Public-CA/ta-p/55523

A lot of times, cert chains provided by the CA are overly inclusive, and can contain several intermediate CAs that are not used. It's probably best to take the individual certs and combine them as described in that article.

Re: Warning certificate chain not correctly formed in certificate

Nick.Spender — Mon, 05 Mar 2018 21:55:50 GMT

@gwesson

Thanks for you reply, ok so i dont need the Root CA. How about the intermediate certs? I have read the article you provided. But I have the cert as a pfx with the private keys. shall I work on the bottom part of the article....."workaround"?

Thanks 🙂

Re: Warning certificate chain not correctly formed in certificate

gwesson — Mon, 05 Mar 2018 22:08:27 GMT

No, you just need to split the PFX file into multiple certs. Usually a public CA will provide you a plain text version in addition to the PFX, but if they don't you may need to convert it with OpenSSL

openssl pkcs12 -in OriginalCert.pfx -out NewTargetCert.pem -nodes

Once you have it converted to PEM, open it in a plain text editor, split the files into individual certs saving each as their own file (.cer). You can then open each of those files to confirm where it belongs in the chain and can then follow the article I wrote from the first reply.

Cheers!

Re: Warning certificate chain not correctly formed in certificate

Nick.Spender — Mon, 05 Mar 2018 22:12:29 GMT

@gwesson

Stupid question, Cant I export as a PEM and split it that way. As your article says at thr bottom?

Re: Warning certificate chain not correctly formed in certificate

gwesson — Mon, 05 Mar 2018 22:13:43 GMT

@Nick.Spender You have to import it correctly before you can export it in a way that's helpful. If you export it now, with the chain incorrectly formed, I don't know what the reprocussions will be.

Re: Warning certificate chain not correctly formed in certificate

Nick.Spender — Mon, 05 Mar 2018 22:16:22 GMT

@gwesson

I just exported as a PEM from the firewall and the order was completeley wrong. So yes you are correct. I reordered them correctly. Removed the certs from the PA and reimported. But it only shows 1 cert once it finished importing?

Re: Warning certificate chain not correctly formed in certificate

gwesson — Tue, 06 Mar 2018 01:28:42 GMT

Seems like the chained cert is somehow wrong, my guess would be that it's not the correct intermediate(s).

If you can just open your final cert in the list (the Wildcard cert) into a Windows system or else pull it up in a browser that displays the cert with the chain, you can export each of those and be totally sure you've got the right set of certs.

If you need additional help getting it to work, I may not be able to continue to reply and you might want to open a support case.

Best of luck!

Re: Warning certificate chain not correctly formed in certificate

Nick.Spender — Tue, 06 Mar 2018 11:37:15 GMT

@gwesson

Hello, I seemed to have fixxed, using a different method. So I have the cert import into my windows machine with the private keys. I then exported the certs as a *.p7b and selected include all certs in the chain. Sure enought in winodws the order is wrong. wheather im reading into that or not is a different quiestion.

I then imported my pfx cert back into the PA. Then exported it as a PEM with the private keys. I copied the private keys into a text file and saved it. i then remove all certs aparted from my domain cert.

I then removed all certs from the PA, I thern imported the cert back into the PA as a PEM and seletected the "key File".

Then imported each of the Intermediate CAs (2) as .cer

No errors when commiting, globalprotect portal webpage shows secure and green in the url bar. Global Protect connects fine with no errors.

Dose the above sound OK to you?

Re: Warning certificate chain not correctly formed in certificate

SysOps_PB — Wed, 26 Jun 2019 08:51:34 GMT

@Nick.Spender thanks. That worked..

Re: Warning certificate chain not correctly formed in certificate

GSekhon — Mon, 22 Nov 2021 20:46:50 GMT

we tried this but it not works..

Re: Warning certificate chain not correctly formed in certificate

GSekhon — Mon, 22 Nov 2021 20:52:16 GMT

can we certs generate from External authority..?

local machine..?

Re: Warning certificate chain not correctly formed in certificate

Tician — Mon, 12 Sep 2022 10:42:04 GMT

Hi,

just spent two days struggling to make this work in several ways, until I make things this way and it works finally! Thanks for this post

Re: Warning certificate chain not correctly formed in certificate

Nick.Spender — Tue, 13 Sep 2022 20:04:49 GMT

If you need a hand let me know

Re: Warning certificate chain not correctly formed in certificate

Nick.Spender — Tue, 13 Sep 2022 20:05:41 GMT

@Tician Glad it worked for you 🙂

Re: Warning certificate chain not correctly formed in certificate

Jacek_Loszewski — Tue, 20 Feb 2024 09:21:32 GMT

This is a bit of an old thread, but I think I have a simpler solution.

1. I have a pfx (in it are intermediate certificates, the certificate proper and the private key) secured by a password.

2. I import the pfx into the certificate store (in Windows) and view what certificates are in the certificate chain and more specifically what intermediate center certificates are in the chain. That is, Certificate > Certificate path

3. I export each of them (these intermediate center certificates and Root CA as is) to a separate file: View Certificate > Details > copy to file and saves it as X.509 Certificate encrypted with Base64 algorithm (CER).

4. the same way I export the actual certificate (right click) on the certificate > All Tasks > Export (I check the option Do not export private key) and save it as above (X.509, Base64, CER)

5. from the pfx file I extract the private key (unencrypted)
openssl pkcs12 -in cert.pfx -out file.withkey.pem
openssl rsa -in file.withkey.pem -out file.key

6. so it now has a set of files
- intermediate center certificates (*.cer)
- the file of the actual certificate (*.cer)
- private key file (.key)

7. I enter the PA and import all certificates starting from the first center (i.e. rootCA)

8. importing the right certificate I check Import Private Key, point to the key file and give passphrase

9. commit - no errors or warnings

10. enable certificate to SSL/TLS Service > commit - no errors and warnings

Exporting certs can be done from PA itself but I used windows storage.

Re: Warning certificate chain not correctly formed in certificate

gabe — Thu, 07 Aug 2025 08:29:37 GMT

can the poorly imported certificate be the reason for this error message?

SSL connect select error: 0(Resource temporarily unavailable), time left: 0
P26083-T33415 08/07/2025 00:31:33:272 Debug( 468): SSL connect failed
P26083-T33415 08/07/2025 00:31:33:272 Debug( 66): detailed SSL error info:
P26083-T33415 08/07/2025 00:31:33:272 Debug( 956): connect() failed
P26083-T33415 08/07/2025 00:31:33:272 Debug(3388): ConnectSSL: Failed to connect to 'gw2.vpn.ourdomain.com:443'. Disconnect ssl.

...and can the poorly imported certificate chain be the reason the connection fails?

Re: Warning certificate chain not correctly formed in certificate

kiwi — Thu, 07 Aug 2025 13:56:19 GMT

Hi @gabe ,

The error you're seeing indicates a problem with the TCP connection, not the SSL certificate.

An SSL certificate error, such as an expired certificate or an untrusted certificate chain, would happen after a successful TCP connection has been made and the SSL handshake has begun.

The connect failted error leads to believe the TCP connection to the GW is failing. The client never successfully establishes a session with the server.

My guess is the network connection is unreachable or the gateway is unresponsive resulting in the error message you're seeing.

Initial things I'd verify are that the GP client must be able to resolve the FQDN of the portal and gateway ; traffic to the GP portal or gateway isn't blocked by a firewall ; traffic is routed properly. Are you able to browse to the GP portal is a great initial test to try?

Kind regards,

-Kim

Re: Warning certificate chain not correctly formed in certificate

gabe — Thu, 07 Aug 2025 18:49:34 GMT

hi kiwi thanks for your input i have the problem's own topic if you wouldn't mind taking a look at it. i don't want to advertise the link here maybe it's not allowed/nice. please let me know if i can send it in private or if you can find it under my profile.

thanks