Warning certificate chain not correctly formed in certificate


L2 Linker

Hello All

 

I have imported a certificate into the PA as a PFX. I have also imported the intermediate certs and root CA. The cert is signed by Go Daddy with 2 intermediate certs and a Root CA.

 

All imports fine, but when I set up the GlobalProtect portal and use the imported cert (from the pfx) I get an error which says "Warning certificate chain not correctly formed in certificate".

 

Thanks everyone 🙂

 

Accepted Solutions

@gwesson

 

Hello, I seem to have fixed it using a different method. So I have the cert imported into my Windows machine with the private keys. I then exported the certs as a *.p7b and selected include all certs in the chain. Sure enough, in Windows the order is wrong. Whether I'm reading into that or not is a different question.

 

I then imported my pfx cert back into the PA. Then exported it as a PEM with the private keys. I copied the private keys into a text file and saved it. I then removed all certs apart from my domain cert.

 

I then removed all certs from the PA. I then imported the cert back into the PA as a PEM and selected the "key File".

 

Then imported each of the Intermediate CAs (2) as .cer

 

No errors when committing, GlobalProtect portal webpage shows secure and green in the URL bar. GlobalProtect connects fine with no errors.

 

 

Does the above sound OK to you?

14 REPLIES

L7 Applicator

The root should not be imported (the client won't use it and the firewall already trusts it). Did you check out the Chained Certificate doc?

https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Install-a-Chained-Certificate-Signed...

 

A lot of times, cert chains provided by the CA are overly inclusive, and can contain several intermediate CAs that are not used. It's probably best to take the individual certs and combine them as described in that article.

@gwesson

 

Thanks for your reply. OK, so I don't need the Root CA. How about the intermediate certs? I have read the article you provided, but I have the cert as a pfx with the private keys. Shall I work on the bottom part of the article....."workaround"?

 

 

Thanks 🙂

No, you just need to split the PFX file into multiple certs. Usually a public CA will provide you a plain text version in addition to the PFX, but if they don't you may need to convert it with OpenSSL:

 

openssl pkcs12 -in OriginalCert.pfx -out NewTargetCert.pem -nodes

Once you have it converted to PEM, open it in a plain text editor, split the files into individual certs saving each as their own file (.cer). You can then open each of those files to confirm where it belongs in the chain and can then follow the article I wrote from the first reply.

 

Cheers! 
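The split-and-order step described in the reply above, as an added example that is not part of the original thread: it pulls every CERTIFICATE block out of the PEM written by the `openssl pkcs12` command, reads each subject and issuer, and returns the certs leaf first with the self-signed root left out. The function names and the skeleton sample bundle are constructed for illustration; names are matched byte-for-byte and signatures are not verified.

```python
import base64, re
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def split_pem(text):
    """DER bytes of each CERTIFICATE block; key blocks and bag attributes are skipped."""
    return [base64.b64decode(b) for b in PEM_RE.findall(text)]

def read_tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def names(der):
    """(subject, issuer) of one certificate as raw DER Name bytes."""
    p = read_tlv(der, read_tlv(der, 0)[1])[1]  # into Certificate, then tbsCertificate
    fields = []
    while len(fields) < 5:                 # serial, sigAlg, issuer, validity, subject
        tag, _, end = read_tlv(der, p)
        if tag != 0xA0:                    # skip the optional [0] version
            fields.append(der[p:end])
        p = end
    return fields[4], fields[2]

def order_chain(ders):
    """Leaf first, then each issuer in turn; self-signed roots are left out."""
    info = [(d, *names(d)) for d in ders]
    by_subject = {s: d for d, s, i in info if s != i}  # byte-for-byte name match only
    issuers = {i for _, s, i in info if s != i}
    leaves = [d for d, s, i in info if s != i and s not in issuers]
    if len(leaves) != 1:                   # stray or unused certs in the bundle
        raise ValueError(f"expected 1 end-entity certificate, found {len(leaves)}")
    chain = leaves[:]
    while (nxt := by_subject.get(names(chain[-1])[1])) is not None and nxt not in chain:
        chain.append(nxt)
    return chain

# Constructed sample: skeleton certificates carrying only the fields read above.
enc = lambda tag, body: bytes([tag, len(body)]) + body  # short-form length only
def fake_pem(subject, issuer):
    name = lambda cn: enc(0x30, enc(0x0C, cn.encode()))
    tbs = (enc(0xA0, enc(2, b"\x02")) + enc(2, b"\x01") + enc(0x30, b"")
           + name(issuer) + enc(0x30, b"") + name(subject))
    b64 = base64.encodebytes(enc(0x30, enc(0x30, tbs))).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}-----END CERTIFICATE-----\n"
BUNDLE = "".join(fake_pem(s, i) for s, i in [("Root", "Root"), ("Int2", "Root"),
                                             ("vpn.example.test", "Int1"), ("Int1", "Int2")])
```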

@gwesson

 

Stupid question: can't I export as a PEM and split it that way, as your article says at the bottom?
