topic Re: Certificate Bundle in General Topics

Certificate Bundle

asabadin — Tue, 14 Oct 2014 03:52:53 GMT

Hi,

I'm get error on commit: "Warning: cannot find complete cerficate chain for certificate Certificate_Bundle"

I notice there are three bundles in the device certificates, but how do I know which bundle is being used?

How to I test this without breaking it.....

Thanks

Re: Certificate Bundle

bat — Tue, 14 Oct 2014 03:55:04 GMT

asabadin

Usually we use the certificate at the bottom of the chain. Would it be possible for you to attach the snapshot of the certificate bundle ?

The warning can be safely ignored in some cases as it is always not necessary to import the root certificate on the device.

Thanks

Re: Certificate Bundle

tshiv — Tue, 14 Oct 2014 06:35:01 GMT

asabadin,

Please follow the documents below that might be of assistance to you :

How to Install a Chained Certificate Signed by a Public CA

Fix For Error When Importing Chained PEM Format Certificates - Using Text Editor to Re-order

The bundle will be imported successfully if the certificate chain is proper. The sirst document shows you what is the proper certificate chain.

The second speaks about using a text editor to create a proper certificate chain if the certificate bundle signed by a CA is does not have a proper chain to be imported into PA firewall.

Hope this helps.

Thanks

Re: Certificate Bundle

asabadin — Tue, 14 Oct 2014 22:56:52 GMT

Sure, here you go......screendump attached

The bundle in question is the Mercedes_Bundle.

Thanks

Re: Certificate Bundle

tshiv — Wed, 15 Oct 2014 00:19:41 GMT

asabadin

It seems that the Mercedes_Bundle does not have the proper chain. Can you please refer to the documents I suggested in my previous post?

For you reference:

How to Install a Chained Certificate Signed by a Public CA

Fix For Error When Importing Chained PEM Format Certificates - Using Text Editor to Re-order

Thanks

Re: Certificate Bundle

bat — Wed, 15 Oct 2014 00:50:45 GMT

Hi asabadin

By any chance was there any upgrade performed recently on this device because the issuer field is somehow blank in all these certificates which should not happen ideally ?

Thanks

Re: Certificate Bundle

ssharma — Wed, 15 Oct 2014 02:00:38 GMT

Hi Asabadin,

You need to export "Mercedes_Bundle" along with the key from the firewall. You can use PEM format and give it a passphrase. Once exported you should be able to open it in notepad. You will see following format :

-----BEGIN CERTIFICATE-----

MIIC5zCCAc+gAwIBAgIBFD..

-----END CERTIFICATE-----

-----BEGIN RSA PRIVATE KEY-----

Proc-Type: 4,ENCRYPTED

DEK-Info: AES-256-CBC,A35588EF895

bPd92JfJYc407emq4

-----END RSA PRIVATE KEY-----

Then open the root certificate in the notepad as well. You will NOT need private key of the root cert. Then go ahead and add root cert below RSA key.

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

So your order should be

Mercedes_Bundle

Mercedes_Bundle key

Root cert

If you have intermediate certificate in the chain, then

Mercedes_Bundle

Mercedes_Bundle key

Intermediate Cert

Root cert

Once you have all in one text file, save it and import it to the firewall. While importing you will need to provide key file, this will be the same cert that we just created (that means brose same cert file twice). Passphrase would be same that you used to export.

Follow following document to achieve that :

How to Install a Chained Certificate Signed by a Public CA

Once successfully imported, do a commit one more time. Warning should go away. Hope this helps. Thank you.