03-05-2018 12:09 PM
Hello All
I have imported a certificate into the PA as a PFX. I have also imported the intermediate certs and root CA. The cert is signed by Go Daddy with 2 intermediate certs and a Root CA.
All imports fine, but when I bring up the GlobalProtect portal and use the imported cert (from the pfx) I get an error which says "Warning certificate chain not correctly formed in certificate".
Thanks everyone 🙂
03-06-2018 03:37 AM
Hello, I seem to have fixed it using a different method. So I have the cert imported into my Windows machine with the private keys. I then exported the certs as a *.p7b and selected "include all certs in the chain". Sure enough, in Windows the order is wrong. Whether I'm reading into that or not is a different question.
I then imported my pfx cert back into the PA. Then exported it as a PEM with the private keys. I copied the private keys into a text file and saved it. I then removed all certs apart from my domain cert.
I then removed all certs from the PA, then imported the cert back into the PA as a PEM and selected the "Key File".
Then imported each of the Intermediate CAs (2) as .cer.
No errors when committing, the GlobalProtect portal webpage shows secure and green in the URL bar. GlobalProtect connects fine with no errors.
Does the above sound OK to you?
03-05-2018 01:45 PM - edited 03-05-2018 01:46 PM
The root should not be imported (the client won't use it and the firewall already trusts it). Did you check out the Chained Certificate doc?
A lot of times, cert chains provided by the CA are overly inclusive, and can contain several intermediate CAs that are not used. It's probably best to take the individual certs and combine them as described in that article.
03-05-2018 01:55 PM
Thanks for your reply. OK, so I don't need the Root CA. How about the intermediate certs? I have read the article you provided, but I have the cert as a pfx with the private keys. Shall I work on the bottom part of the article, the "workaround"?
Thanks 🙂
03-05-2018 02:08 PM
No, you just need to split the PFX file into multiple certs. Usually a public CA will provide you a plain text version in addition to the PFX, but if they don't you may need to convert it with OpenSSL:
openssl pkcs12 -in OriginalCert.pfx -out NewTargetCert.pem -nodes
Once you have it converted to PEM, open it in a plain text editor, split the file into individual certs, saving each as its own file (.cer). You can then open each of those files to confirm where it belongs in the chain and can then follow the article I wrote from the first reply.
Cheers!
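Putting the steps from that reply together, as an added example that is not part of the thread or of Palo Alto's documentation: a POSIX shell script that runs the openssl pkcs12 conversion, splits the PEM output into one file per certificate, works out the leaf-to-intermediate order from each certificate's subject and issuer hashes, and drops the self-signed root that the earlier reply says not to import. The root, two intermediates and leaf, the hostname vpn.example.test, the PFX password and all file names are constructed for the demo; it needs only the openssl CLI and awk.

```shell
#!/bin/sh
# Added example for this thread, not Palo Alto Networks code: unpack a PFX with
# the openssl CLI, split the PEM output into one file per certificate, and put
# the chain into leaf -> intermediate(s) order, leaving out the self-signed root
# (the firewall already trusts it and the client never uses it). All CA
# material below is constructed locally; names and paths are assumptions.
set -eu

# split_pem_bundle BUNDLE OUTDIR : writes cert-1.pem, cert-2.pem, ... and
# prints how many certificates the bundle held.
split_pem_bundle() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
        END { print n + 0 }' "$1"
}

# order_chain DIR : prints the cert files leaf first, then each issuer in turn,
# stopping before a self-signed root. Output ends early if an issuer is missing
# from the bundle, which is the "wrong intermediate" case from the thread.
order_chain() {
    dir=$1
    : > "$dir/table.txt"
    for f in "$dir"/cert-*.pem; do
        printf '%s %s %s\n' "$f" \
            "$(openssl x509 -in "$f" -noout -subject_hash)" \
            "$(openssl x509 -in "$f" -noout -issuer_hash)" >> "$dir/table.txt"
    done
    # The leaf is the one certificate whose subject issued nothing else here.
    cur=$(awk 'NR == FNR { issuer[$3] = 1; next } !($2 in issuer) { print $1; exit }' \
          "$dir/table.txt" "$dir/table.txt")
    while [ -n "$cur" ]; do
        set -- $(grep "^$cur " "$dir/table.txt")
        [ "$2" = "$3" ] && break          # subject == issuer: self-signed root
        printf '%s\n' "$1"
        cur=$(awk -v h="$3" '$2 == h { print $1; exit }' "$dir/table.txt")
    done
}

# fix_chain PFX OUTDIR : extracts the private key and the ordered chain into
# OUTDIR (key.pem, cert-N.pem, chain-order.txt). PFX_PASS is the PFX password.
fix_chain() {
    pass=${PFX_PASS:-changeit}
    mkdir -p "$2"
    openssl pkcs12 -in "$1" -passin "pass:$pass" -nodes -nocerts -out "$2/key.pem" 2>/dev/null
    openssl pkcs12 -in "$1" -passin "pass:$pass" -nokeys -out "$2/all.pem" 2>/dev/null
    split_pem_bundle "$2/all.pem" "$2" >/dev/null
    order_chain "$2" > "$2/chain-order.txt"
    cat "$2/chain-order.txt"
}

# verify_chain OUTDIR ROOT_PEM : 0 when the leaf validates through the
# reordered intermediates up to ROOT_PEM.
verify_chain() {
    leaf=$(sed -n '1p' "$1/chain-order.txt")
    sed '1d' "$1/chain-order.txt" | xargs cat > "$1/intermediates.pem"
    openssl verify -CAfile "$2" -untrusted "$1/intermediates.pem" "$leaf" >/dev/null 2>&1
}

# build_demo_pfx DIR : constructed data - a root CA, two intermediates and a
# leaf, packed into a PFX whose chain is deliberately root-first, like the
# Windows export described in the thread.
build_demo_pfx() {
    d=$1; mkdir -p "$d"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:vpn.example.test\n' > "$d/leaf.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Constructed Root CA' \
        -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
    issue() {   # issue NAME SUBJECT SIGNER EXTFILE
        openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
            -keyout "$d/$1.key" -out "$d/$1.csr" 2>/dev/null
        openssl x509 -req -in "$d/$1.csr" -CA "$d/$3.pem" -CAkey "$d/$3.key" \
            -CAcreateserial -days 2 -extfile "$d/$4" -out "$d/$1.pem" 2>/dev/null
    }
    issue g1   '/CN=Constructed Intermediate G1' root ca.ext
    issue g2   '/CN=Constructed Intermediate G2' g1   ca.ext
    issue leaf '/CN=vpn.example.test'            g2   leaf.ext
    cat "$d/root.pem" "$d/g1.pem" "$d/g2.pem" > "$d/wrong-order.pem"
    openssl pkcs12 -export -in "$d/leaf.pem" -inkey "$d/leaf.key" \
        -certfile "$d/wrong-order.pem" -passout "pass:${PFX_PASS:-changeit}" \
        -out "$d/bundle.pfx" 2>/dev/null
}

demo() {
    d=$(mktemp -d)
    build_demo_pfx "$d"
    echo "Chain from the PFX, reordered leaf first (root dropped):"
    fix_chain "$d/bundle.pfx" "$d/out" | while read -r f; do
        openssl x509 -in "$f" -noout -subject
    done
    verify_chain "$d/out" "$d/root.pem" && echo "openssl verify: chain is valid up to the constructed root"
}
demo
```

For a real file, `PFX_PASS=... fix_chain YourCert.pfx out` leaves `out/key.pem` (the "Key File" for the PA import), the first file listed in `out/chain-order.txt` as the certificate to import with that key, and the remaining listed files as the intermediates to import one by one as .cer. If `chain-order.txt` lists fewer certificates than the CA gave you, an issuer is missing from the bundle, which is the "not the correct intermediate(s)" situation described later in this thread.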
03-05-2018 02:12 PM
Stupid question: can't I export as a PEM and split it that way, as your article says at the bottom?
03-05-2018 02:13 PM
@Nick.Spender You have to import it correctly before you can export it in a way that's helpful. If you export it now, with the chain incorrectly formed, I don't know what the repercussions will be.
03-05-2018 02:16 PM
I just exported as a PEM from the firewall and the order was completely wrong. So yes, you are correct. I reordered them correctly, removed the certs from the PA and reimported. But it only shows 1 cert once it finished importing?
03-05-2018 05:28 PM
Seems like the chained cert is somehow wrong, my guess would be that it's not the correct intermediate(s).
If you can just open your final cert in the list (the Wildcard cert) into a Windows system or else pull it up in a browser that displays the cert with the chain, you can export each of those and be totally sure you've got the right set of certs.
If you need additional help getting it to work, I may not be able to continue to reply and you might want to open a support case.
Best of luck!
11-22-2021 12:46 PM
We tried this but it does not work.
11-22-2021 12:52 PM
Can we generate certs from an external authority?
Local machine?
09-12-2022 03:42 AM
Hi,
I just spent two days struggling to make this work in several ways, until I did things this way and it finally works! Thanks for this post.
09-13-2022 01:04 PM
If you need a hand let me know
09-13-2022 01:05 PM
@Tician Glad it worked for you 🙂