04-18-2022 09:22 AM
Hardware: PA220
Version: 10.1.5-h1
I'm trying to use a certificate that appears to be having issues. I first noticed the issue when I attempted to create a certificate profile using a trust root CA. When I try to create the profile, it fails to create and has error message "CA -> *CA NAME* is invalid -> CA is invalid".
I then went to explore the certificate, first making sure the checkbox to trust the certificate was clicked. When I made this change and committed the change, nothing happened.
This is when I decided to delete the certificate and start fresh. When I try to delete the certificate, it has error message "Failed to delete certificate *CA NAME* - Invalid Location / Permission Denied"
Well, I'm signed in as an admin account, so permission can't be accurate. I jumped into the CLI and used command 'request certificate show' to see what might be happening.
The certificate in question was listed, and the correct information was there, but this is where it's a little strange. The certificate actually had two names. The first name was from another certificate that isn't experiencing issues. The second name was the correct name.
I decided to remove the other certificate to see if that would fix anything (this certificate wasn't being used, so removing it was fine). This didn't actually fix anything, but it did remove the second name from the certificate when I performed that command again.
I tried uploading the certificate again, which was successful, but didn't resolve the issue. The original certificate is still there with problems. Now the FW reports a duplicate certificate any time I make changes. Also, when I try to import certificates signed by this CA, those certs are listed under the problem certificate. I'm not entirely sure what's happening here, but it is affecting the use of certain certificates.
I recently upgraded my FW from version 10.0.9 to 10.1.5-h1. Not sure if that could be the issue, but this problem only occurred after the upgrade.
04-21-2022 02:26 AM
I'd try to 'revert to running' so the candidate config is overwritten with what is actually installed on the dataplane. That way, if for some reason something got 'corrupted' in the candidate config XML, the config is fixed.
04-21-2022 07:13 AM
Thanks for the response, however, we're far past that point. This became an issue after upgrading the FW. I believe I'm going to have to downgrade and restore the previously saved config, then try to upgrade again. Maybe I'll remove the cert first. I hoped for a better solution, but I have been unsuccessful.
06-23-2023 08:38 AM
@mimran, you may be right with that. I believe the certificate was named Let's Encrypt. I have moved past this issue, but can say I never resolved it. I did upgrade from the PA-220 since then, and do not have this same issue on the new device.