https://live.paloaltonetworks.com/t5/general-topics/certificate-failed-to-load/m-p/40869#M30038 <HTML><HEAD></HEAD><BODY><P>We are actually seeing similar behaviour on Pan 6.1.2 on our PA-3020's. We try to sync from the primary to the secondary and it fails with that same error.&nbsp; It has caused us no end of problems because effectively, the only way for us to get the sync to work is remove the global protect configuration which makes use of the certificates and then delete the certificates.&nbsp; I'm wondering if anyone else has seen this and has an idea of why it may be happening?</P></BODY></HTML> Mon, 02 Mar 2015 02:01:30 GMT Kevin.lane 2015-03-02T02:01:30Z https://live.paloaltonetworks.com/t5/general-topics/certificate-failed-to-load/m-p/40867#M30036 <HTML><HEAD></HEAD><BODY><P>Hi all,</P><P></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;">We have two PA-4060 in active/passive mode with PAN-OS 4.1.12 (I know, old..).</SPAN></P><P></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;">Yesterday, after rebooting passive device auto commit failed with:</SPAN></P><P><EM>Error: Certificate 'XYZ' failed to load: failed to parse key</EM></P><P>and device went to not-ready state.</P><P></P><P>After deleting problematic certificate and with commit force device become functional again.</P><P></P><P>We then tried synchronize configurations manually but HA-Sync fail with the same error</P><P><EM>Error: Certificate 'XYZ' failed to load: failed to parse key</EM></P><P></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;">The last time the device was rebooted in March 2014 without problems and with the now problematic certificate on it.</SPAN></P><P></P><P>Does anyone have any solution why this error occurred?</P><P></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;">Tnx and regards, </SPAN></P><P>Vesna.</P></BODY></HTML> Mon, 16 Feb 2015 10:41:29 GMT https://live.paloaltonetworks.com/t5/general-topics/certificate-failed-to-load/m-p/40867#M30036 vesna.djukic 2015-02-16T10:41:29Z https://live.paloaltonetworks.com/t5/general-topics/certificate-failed-to-load/m-p/40868#M30037 <HTML><HEAD></HEAD><BODY><P>Hi Vesna,</P><P>1. upgrade</P><P>2. It looks like your certificate isn't supported: What's the key size and signature algorithm of the certificate?</P><P>What is the certificate used for on your PA?</P><P>-&gt; try to use a certificate that has the same options as the ones you get when creating a certificate on the PA itself.</P><P></P><P>Regards,</P><P></P><P>Tijl</P></BODY></HTML> Thu, 19 Feb 2015 14:12:55 GMT https://live.paloaltonetworks.com/t5/general-topics/certificate-failed-to-load/m-p/40868#M30037 Tijl 2015-02-19T14:12:55Z https://live.paloaltonetworks.com/t5/general-topics/certificate-failed-to-load/m-p/40869#M30038 <HTML><HEAD></HEAD><BODY><P>We are actually seeing similar behaviour on Pan 6.1.2 on our PA-3020's. We try to sync from the primary to the secondary and it fails with that same error.&nbsp; It has caused us no end of problems because effectively, the only way for us to get the sync to work is remove the global protect configuration which makes use of the certificates and then delete the certificates.&nbsp; I'm wondering if anyone else has seen this and has an idea of why it may be happening?</P></BODY></HTML> Mon, 02 Mar 2015 02:01:30 GMT https://live.paloaltonetworks.com/t5/general-topics/certificate-failed-to-load/m-p/40869#M30038 Kevin.lane 2015-03-02T02:01:30Z https://live.paloaltonetworks.com/t5/general-topics/certificate-failed-to-load/m-p/40870#M30039 <HTML><HEAD></HEAD><BODY><P>Tijl, thank you for answer. Yes, I agree that upgrade is a must.</P><P></P><P>According to the information I received from the user, signature algorithm is SHA1RSA and public key size is 2048.</P><P></P><P>It's funny that this error didn't not occur last time device was rebooted and it is mystery why did it happened this time.</P></BODY></HTML> Mon, 02 Mar 2015 07:41:31 GMT https://live.paloaltonetworks.com/t5/general-topics/certificate-failed-to-load/m-p/40870#M30039 vesna.djukic 2015-03-02T07:41:31Z https://live.paloaltonetworks.com/t5/general-topics/certificate-failed-to-load/m-p/40871#M30040 <HTML><HEAD></HEAD><BODY><P>smells like a bug <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://live.paloaltonetworks.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /></P></BODY></HTML> Wed, 11 Mar 2015 12:55:52 GMT https://live.paloaltonetworks.com/t5/general-topics/certificate-failed-to-load/m-p/40871#M30040 Tijl 2015-03-11T12:55:52Z