10-13-2014 08:52 PM
Hi,
I get an error on commit: "Warning: cannot find complete certificate chain for certificate Certificate_Bundle"
I notice there are three bundles in the device certificates, but how do I know which bundle is being used?
How do I test this without breaking it?
Thanks
10-13-2014 08:55 PM
Usually we use the certificate at the bottom of the chain. Would it be possible for you to attach the snapshot of the certificate bundle?
The warning can be safely ignored in some cases as it is always not necessary to import the root certificate on the device.
Thanks
10-13-2014 11:35 PM
Please follow the documents below that might be of assistance to you:
How to Install a Chained Certificate Signed by a Public CA
Fix For Error When Importing Chained PEM Format Certificates - Using Text Editor to Re-order
The bundle will be imported successfully if the certificate chain is proper. The first document shows you what the proper certificate chain is.
The second speaks about using a text editor to create a proper certificate chain if the certificate bundle signed by a CA does not have a proper chain to be imported into the PA firewall.
Hope this helps.
Thanks
10-14-2014 03:56 PM
Sure, here you go......screendump attached
The bundle in question is the Mercedes_Bundle.
Thanks
10-14-2014 05:19 PM
It seems that the Mercedes_Bundle does not have the proper chain. Can you please refer to the documents I suggested in my previous post?
For your reference:
How to Install a Chained Certificate Signed by a Public CA
Fix For Error When Importing Chained PEM Format Certificates - Using Text Editor to Re-order
Thanks
10-14-2014 05:50 PM
Hi asabadin
By any chance, was there any upgrade performed recently on this device? The issuer field is somehow blank in all these certificates, which should not happen ideally.
Thanks
10-14-2014 07:00 PM
Hi Asabadin,
You need to export "Mercedes_Bundle" along with the key from the firewall. You can use PEM format and give it a passphrase. Once exported, you should be able to open it in Notepad. You will see the following format:
-----BEGIN CERTIFICATE-----
MIIC5zCCAc+gAwIBAgIBFD..
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,A35588EF895
bPd92JfJYc407emq4
-----END RSA PRIVATE KEY-----
Then open the root certificate in Notepad as well. You will NOT need the private key of the root cert. Then go ahead and add the root cert below the RSA key.
-----BEGIN CERTIFICATE-----
<root cert>
-----END CERTIFICATE-----
So your order should be
Mercedes_Bundle
Mercedes_Bundle key
Root cert
If you have an intermediate certificate in the chain, then
Mercedes_Bundle
Mercedes_Bundle key
Intermediate Cert
Root cert
Once you have it all in one text file, save it and import it to the firewall. While importing you will need to provide the key file; this will be the same cert that we just created (that means browse to the same cert file twice). The passphrase would be the same one that you used to export.
Follow the following document to achieve that:
How to Install a Chained Certificate Signed by a Public CA
Once successfully imported, do a commit one more time. Warning should go away. Hope this helps. Thank you.
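An added example, not part of the thread or of any Palo Alto Networks tooling: a Python pre-import check that a combined PEM file follows the order given in the reply above (device certificate, its key, then intermediate and root). It checks only block order and base64 encoding, not signatures or issuer/subject linkage; the function names and the sample blocks are constructed for illustration.

```python
import base64
import re

# One PEM block: label, then optional headers (Proc-Type, DEK-Info) and the base64 body.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

def parse_blocks(text):
    """Return [(label, headers, decoded_bytes)] for every PEM block, in file order."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        headers, b64 = {}, []
        for line in body.splitlines():
            if ":" in line:  # header line such as "Proc-Type: 4,ENCRYPTED"
                name, value = line.split(":", 1)
                headers[name.strip()] = value.strip()
            elif line.strip():
                b64.append(line.strip())
        blocks.append((label, headers, base64.b64decode("".join(b64), validate=True)))
    return blocks

def check_bundle(text):
    """Return a list of layout problems; an empty list means the order matches the thread."""
    try:
        blocks = parse_blocks(text)
    except ValueError as exc:  # binascii.Error subclasses ValueError
        return [f"a block is not valid base64: {exc}"]
    labels = [label for label, _, _ in blocks]
    keys = [i for i, label in enumerate(labels) if label.endswith("PRIVATE KEY")]
    problems = []
    if labels[:1] != ["CERTIFICATE"]:
        problems.append("first block must be the device certificate")
    if len(keys) != 1:
        problems.append(f"expected exactly one private key, found {len(keys)}")
    elif keys[0] != 1:
        problems.append("private key must directly follow the device certificate")
    elif "ENCRYPTED" not in labels[1] + blocks[1][1].get("Proc-Type", ""):
        problems.append("private key is not passphrase-protected")
    if "CERTIFICATE" not in labels[2:]:
        problems.append("no CA certificate after the key")
    return problems

def _block(label, headers=""):
    """Build a constructed PEM block; the body is placeholder bytes, not real key material."""
    body = base64.b64encode(b"constructed sample " + label.encode()).decode()
    return f"-----BEGIN {label}-----\n{headers}{body}\n-----END {label}-----\n"

CERT = _block("CERTIFICATE")
KEY = _block("RSA PRIVATE KEY", "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\n")
GOOD = CERT + KEY + CERT + CERT  # device cert, key, intermediate, root
BAD = CERT + CERT + KEY          # key placed last
```

Run `check_bundle()` on the text of the edited file before importing it; the firewall and the passphrase are not involved, so nothing on the device changes.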