Warning certificate chain not correctly formed in certificate



Hello All

 

I have imported a certificate into the PA as a PFX. I have also imported the intermediate certs and the root CA. The cert is signed by Go Daddy with 2 intermediate certs and a Root CA.

 

All of it imports fine, but when I bring up the GlobalProtect portal and use the imported cert (from the PFX) I get an error which says "Warning certificate chain not correctly formed in certificate".

 

Thanks everyone 🙂

 




The root should not be imported (the client won't use it and the firewall already trusts it). Did you check out the Chained Certificate doc?

https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Install-a-Chained-Certificate-Signed...

 

A lot of times, cert chains provided by the CA are overly inclusive, and can contain several intermediate CAs that are not used. It's probably best to take the individual certs and combine them as described in that article.

@gwesson

 

Thanks for your reply. OK, so I don't need the Root CA. How about the intermediate certs? I have read the article you provided, but I have the cert as a PFX with the private keys. Shall I work from the bottom part of the article, the "workaround"?

 

 

Thanks 🙂

No, you just need to split the PFX file into multiple certs. Usually a public CA will provide you a plain-text version in addition to the PFX, but if they don't you may need to convert it with OpenSSL:

 

openssl pkcs12 -in OriginalCert.pfx -out NewTargetCert.pem -nodes

Once you have it converted to PEM, open it in a plain text editor, split the files into individual certs saving each as their own file (.cer). You can then open each of those files to confirm where it belongs in the chain and can then follow the article I wrote from the first reply.

 

Cheers! 

@gwesson

 

Stupid question: can't I export it as a PEM and split it that way, as your article says at the bottom?

@Nick.Spender You have to import it correctly before you can export it in a way that's helpful. If you export it now, with the chain incorrectly formed, I don't know what the repercussions will be.

@gwesson

 

I just exported it as a PEM from the firewall and the order was completely wrong. So yes, you are correct. I reordered them correctly, removed the certs from the PA and reimported. But it only shows 1 cert once it has finished importing?

Seems like the chained cert is somehow wrong, my guess would be that it's not the correct intermediate(s). 

If you can just open your final cert in the list (the Wildcard cert) into a Windows system or else pull it up in a browser that displays the cert with the chain, you can export each of those and be totally sure you've got the right set of certs.

 

If you need additional help getting it to work, I may not be able to continue to reply and you might want to open a support case.

 

Best of luck!

@gwesson

 

Hello, I seem to have fixed it using a different method. So I have the cert imported into my Windows machine with the private keys. I then exported the certs as a *.p7b and selected "include all certs in the chain". Sure enough, in Windows the order is wrong. Whether I'm reading too much into that or not is a different question.

 

I then imported my PFX cert back into the PA, then exported it as a PEM with the private keys. I copied the private key into a text file and saved it. I then removed all certs apart from my domain cert.

 

I then removed all certs from the PA, then imported the cert back into the PA as a PEM and selected the "Key File".

 

Then I imported each of the intermediate CAs (2) as .cer.

 

No errors when committing; the GlobalProtect portal web page shows secure and green in the URL bar. GlobalProtect connects fine with no errors.

 

 

Does the above sound OK to you?

@Nick.Spender Thanks, that worked.

We tried this but it does not work.

Can we generate the certs from an external authority, or on a local machine?

Hi,

 

I just spent two days struggling to make this work in several ways, until I did it this way and it finally works! Thanks for this post.

If you need a hand let me know

@Tician Glad it worked for you 🙂

  • 2 accepted solutions
  • 44322 Views
  • 15 replies
  • 0 Likes