topic Re: Error: Certificate failed to load: invalid certificate chain in General Topics

Error: Certificate failed to load: invalid certificate chain

cale — Mon, 13 Apr 2015 09:33:45 GMT

Hi there,

I generated a CSR with PAN-OS 6.1.3 and submitted it to our Microsoft AD CA with subordinate CA template. After uploading the certificate it shows up under the root CA certificate of our domain. But when commiting the changes I get an "Error: Certificate failed to load: invalid certificate chain" error message. What have I done wrong?

The CSR was generated with one main CN as FQDN of both firewalls (leinf-pa-3020-rz.domain.de, it's a HA cluster) and their own management IP adresses and FQDNs for usage as the WebUI certificate.

This is how it looks in the WebUI:

I tried adding the root cert data into the subordinate cert, and when I export it again it is still in there. So why is it complaining about the chain?

Kind Regards

Christian

Re: Error: Certificate failed to load: invalid certificate chain

jdelio — Mon, 13 Apr 2015 16:16:54 GMT

The error about the Certificate chain is just that.

In order for the chain to be complete, it must have the Root-level CA public cert, the Intermediate-level CA public cert (if any) then the Subordinate CA cert, then the Subordinate CA can be the Certificate Authority and create the certs.

Now, if you do not know the full chain, take the Subordinate CA, and then double click on the .cer or .crt file , then click on the Certificate Chain (last tab) and then click on each one up the chain: and you can save off each one and then import it into the Certificates section to ensure the full path is present.

Does that make any sense? If not, please let me know, and I will try to provide screenshots.

Re: Error: Certificate failed to load: invalid certificate chain

cale — Tue, 14 Apr 2015 05:03:37 GMT

The complete chain is shown in the Web GUI screenshot. There is only the Root CA from our AD and then the Sub CA certificate for the devices, no intermediates. Viewing the cer file confirms this.

Re: Error: Certificate failed to load: invalid certificate chain

rsingh — Tue, 14 Apr 2015 15:49:31 GMT

Here is what you can try,

+++ Separate all the certificates in the chain as jdelio suggested.

+++ Open the FW certificate in a notepad. You will find the complete chain there. Just keep the FW certificate in there and remove the other Intermediate and Root certificates. Save it. Make sure not to have an additional, extra spaces.

You can check the certificates using the following link,

https://www.sslshopper.com/certificate-decoder.html

+++ Once done, import the FW certificate first, then intermediate, then root.

Let me know if this works.

Regards,

Rahul

Re: Error: Certificate failed to load: invalid certificate chain

cale — Wed, 15 Apr 2015 06:06:38 GMT

Thanks for all your help, this is what finally did the job:

Remove all certificate functions to another (I had the original selfsigned still on the box) and commit.

Export the new certificates with private keys.

Delete the whole chain of the new certificate and commit.

Add the SubCA and then go up the chain and add the other ones and commit

Add the needed functions back to the SubCA and remove them from the (temporary) selfsigned and commit.

Just replacing the originals seemed to be what didn't work. A complete removal and readding did the trick

Regards,

Christian