Warning certificate chain not correctly formed in certificate


Hello All

 

I have imported a certificate into the PA as a PFX. I have also imported the intermediate certs and root CA. The cert is signed by Go Daddy with 2 intermediate certs and a Root CA.

 

All imports fine, but when I set up the global protect portal and use the imported cert (from the pfx) I get an error which says "Warning certificate chain not correctly formed in certificate"

 

Thanks everyone 🙂

 


@Nick.Spender You have to import it correctly before you can export it in a way that's helpful. If you export it now, with the chain incorrectly formed, I don't know what the repercussions will be.

@gwesson

 

I just exported as a PEM from the firewall and the order was completely wrong. So yes you are correct. I reordered them correctly. Removed the certs from the PA and reimported. But it only shows 1 cert once it finished importing?

Seems like the chained cert is somehow wrong, my guess would be that it's not the correct intermediate(s). 

If you can just open your final cert in the list (the Wildcard cert) into a Windows system or else pull it up in a browser that displays the cert with the chain, you can export each of those and be totally sure you've got the right set of certs.

 

If you need additional help getting it to work, I may not be able to continue to reply and you might want to open a support case.

 

Best of luck!

@gwesson

 

Hello, I seem to have fixed it, using a different method. So I have the cert imported into my Windows machine with the private keys. I then exported the certs as a *.p7b and selected include all certs in the chain. Sure enough, in Windows the order is wrong. Whether I'm reading into that or not is a different question.

 

I then imported my pfx cert back into the PA. Then exported it as a PEM with the private keys. I copied the private keys into a text file and saved it. I then removed all certs apart from my domain cert.

 

I then removed all certs from the PA. I then imported the cert back into the PA as a PEM and selected the "key File".

 

Then imported each of the Intermediate CAs (2) as .cer

 

No errors when committing, globalprotect portal webpage shows secure and green in the url bar. Global Protect connects fine with no errors.

 

 

Does the above sound OK to you?

@Nick.Spender thanks. That worked.. 
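An added example, not part of the original thread or of any Palo Alto tooling: a standard-library Python check that puts the certificates of an exported PEM bundle into leaf, intermediate(s), root order before re-import. It goes beyond the thread in that it orders any bundle by matching each certificate's issuer to the next one's subject; it assumes byte-identical names and does not verify signatures. All function names are hypothetical, and `fake_cert`/`SAMPLE` are constructed test data.

```python
import base64, re

def _tlv(buf, pos):  # read one DER TLV -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def names(der):
    """Return (subject, issuer) of one certificate as raw DER Name bytes."""
    p = _tlv(der, _tlv(der, 0)[1])[1]  # enter Certificate, then tbsCertificate
    fields = []
    while len(fields) < 5:  # serialNumber, signature, issuer, validity, subject
        tag, _, end = _tlv(der, p)
        if tag != 0xA0:     # skip the optional [0] version field
            fields.append(der[p:end])
        p = end
    return fields[4], fields[2]

def split_pem(text):
    """Decode every CERTIFICATE block of a PEM bundle, in file order."""
    pat = r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----"
    return [base64.b64decode(b) for b in re.findall(pat, text, re.S)]

def order_chain(ders):
    """Order certificates leaf -> intermediates -> root by issuer/subject."""
    info = [(d, *names(d)) for d in ders]  # (der, subject, issuer)
    issuing = {iss for _, sub, iss in info if sub != iss}
    leaves = [c for c in info if c[1] not in issuing]
    if len(leaves) != 1:
        raise ValueError("need exactly one end-entity cert and an unbroken chain")
    chain, by_subject = [leaves[0]], {c[1]: c for c in info}
    # Stop when the issuer is missing, or is already in the chain (self-signed root)
    while (parent := by_subject.get(chain[-1][2])) and parent not in chain:
        chain.append(parent)
    return [c[0] for c in chain]

def _der(tag, *parts):  # always long-form length (non-minimal, fine here)
    body = b"".join(parts)
    return bytes([tag, 0x82]) + len(body).to_bytes(2, "big") + body
def fake_cert(subject, issuer):  # constructed skeleton: names only, no real key
    name = lambda cn: _der(0x30, _der(0x0C, cn.encode()))
    tbs = _der(0x30, _der(0xA0, b"\x02\x01\x02"), b"\x02\x01\x01", _der(0x30),
               name(issuer), _der(0x30), name(subject), _der(0x30))
    return _der(0x30, tbs, _der(0x30), b"\x03\x01\x00")

# Wrong order on purpose: root, leaf, intermediate 2, intermediate 1
SAMPLE = [fake_cert(*p) for p in (("Root", "Root"), ("*.example.test", "Int1"),
                                  ("Int2", "Root"), ("Int1", "Int2"))]
```

For a real export, pass the file's text to `split_pem` and the result to `order_chain`; a `ValueError` means the bundle has a gap or more than one end-entity certificate.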
