Certificate Bundle

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Certificate Bundle

L1 Bithead

Hi,

I'm get error on commit: "Warning: cannot find complete cerficate chain for certificate Certificate_Bundle"

I notice there are three bundles in the device certificates, but how do I know which bundle is being used?

How to I test this without breaking it.....

Thanks

6 REPLIES 6

L5 Sessionator

asabadin

Usually we use the certificate at the bottom of the chain. Would it be possible for you to attach the snapshot of the certificate bundle ?

The warning can be safely ignored in some cases as it is always not necessary to import the root certificate on the device.

Thanks

L4 Transporter

asabadin,


Please follow the documents below that might be of assistance to you :


How to Install a Chained Certificate Signed by a Public CA

Fix For Error When Importing Chained PEM Format Certificates - Using Text Editor to Re-order

The bundle will be imported successfully if the certificate chain is proper. The sirst document shows you what is the proper certificate chain.

The second speaks about using a text editor to create a proper certificate chain if the certificate bundle signed by a CA is does not have a proper chain to be imported into PA firewall.

Hope this helps.

Thanks

Sure, here you go......screendump attachedcert.jpg

The bundle in question is the Mercedes_Bundle.

Thanks

asabadin


It seems that the Mercedes_Bundle does not have the proper chain. Can you please refer to the documents I suggested in my previous post?

For you reference:

How to Install a Chained Certificate Signed by a Public CA

Fix For Error When Importing Chained PEM Format Certificates - Using Text Editor to Re-order

Thanks

Hi asabadin

By any chance was there any upgrade performed recently on this device because the issuer field is somehow blank in all these certificates which should not happen ideally ?

Thanks

Hi Asabadin,

You need to export "Mercedes_Bundle" along with the key from the firewall. You can use PEM format and give it a passphrase. Once exported you should be able to open it in notepad. You will see following format :

-----BEGIN CERTIFICATE-----

MIIC5zCCAc+gAwIBAgIBFD..

-----END CERTIFICATE-----

-----BEGIN RSA PRIVATE KEY-----

Proc-Type: 4,ENCRYPTED

DEK-Info: AES-256-CBC,A35588EF895

bPd92JfJYc407emq4

-----END RSA PRIVATE KEY-----

Then open the root certificate in the notepad as well. You will NOT need private key of the root cert. Then go ahead and add root cert below RSA key.

-----BEGIN CERTIFICATE-----

<root cert>

-----END CERTIFICATE-----

So your order should be

Mercedes_Bundle

Mercedes_Bundle key

Root cert


If you have intermediate certificate in the chain, then


Mercedes_Bundle

Mercedes_Bundle key

Intermediate Cert

Root cert

Once you have all in one text file, save it and import it to the firewall. While importing you will need to provide key file, this will be the same cert that we just created (that means brose same cert file twice). Passphrase would be same that you used to export.

Follow following document to achieve that :

How to Install a Chained Certificate Signed by a Public CA

Once successfully imported, do a commit one more time. Warning should go away. Hope this helps. Thank you.

  • 4213 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!