03-05-2018 12:09 PM
Hello All
I have imported a certificate into the PA as a PFX. I have also imported the intermediate certs and root CA. The cert is signed by Go Daddy with 2 intermediate certs and a Root CA.
All imports fine, but when I set up the GlobalProtect portal and use the imported cert (from the pfx) I get an error which says "Warning certificate chain not correctly formed in certificate".
Thanks everyone 🙂
02-20-2024 01:21 AM
This is a bit of an old thread, but I think I have a simpler solution.
1. I have a pfx (in it are intermediate certificates, the certificate proper and the private key) secured by a password.
2. I import the pfx into the certificate store (in Windows) and view what certificates are in the certificate chain and, more specifically, what intermediate center certificates are in the chain. That is, Certificate > Certification Path.
3. I export each of them (these intermediate center certificates and the Root CA as is) to a separate file: View Certificate > Details > Copy to File, and save it as an X.509 certificate encoded with Base64 (CER).
4. The same way I export the actual certificate: right click on the certificate > All Tasks > Export (I check the option Do not export private key) and save it as above (X.509, Base64, CER).
5. From the pfx file I extract the private key (unencrypted):
openssl pkcs12 -in cert.pfx -out file.withkey.pem
openssl rsa -in file.withkey.pem -out file.key
6. So I now have a set of files:
- intermediate center certificates (*.cer)
- the file of the actual certificate (*.cer)
- private key file (.key)
7. I enter the PA and import all certificates starting from the first center (i.e. the root CA).
8. When importing the right certificate I check Import Private Key, point to the key file and give the passphrase.
9. Commit - no errors or warnings.
10. Enable the certificate for SSL/TLS Service > commit - no errors and warnings.
Exporting certs can be done from the PA itself, but I used the Windows store.
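The procedure above splits the PFX into one file per certificate plus a separate key file. The PEM bundle that `openssl pkcs12 -in cert.pfx -out file.withkey.pem` writes (step 5) already contains every certificate and the key in one file, interleaved with "Bag Attributes" and subject/issuer lines that a certificate importer will typically reject if pasted as-is. The following script is an added example, not code from the thread or from Palo Alto Networks: it parses such a bundle, drops the metadata, writes `cert0.cer`, `cert1.cer`, ... in the order openssl emitted them (leaf first) and the key to a separate file with restricted permissions. The bundle embedded below is constructed with placeholder Base64 bodies purely to exercise the parser; it is not a real certificate or key.

```python
"""Split an `openssl pkcs12 ... -out bundle.pem` PEM bundle into one file per
certificate plus a separate private-key file (added example, not the thread's
own tooling). Only the PEM framing is parsed; nothing here validates the chain."""
import os
import re
import tempfile
from pathlib import Path

# One PEM block: label, body, matching END line (the \1 backreference pins the
# END label to the BEGIN label). re.S lets the body span lines.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

# Constructed sample of what openssl pkcs12 prints: three certs (leaf,
# intermediate, root) and one key, with Bag Attributes lines between them.
# The Base64 bodies are placeholders, not real DER.
SAMPLE_BUNDLE = """\
Bag Attributes
    localKeyID: 01 02 03
    friendlyName: vpn.example.com
subject=CN = vpn.example.com
issuer=CN = Example Intermediate
-----BEGIN CERTIFICATE-----
TEFFRkNFUlQ=
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=CN = Example Intermediate
issuer=CN = Example Root
-----BEGIN CERTIFICATE-----
SU5URVJNRURJQVRF
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
-----BEGIN CERTIFICATE-----
Uk9PVENB
-----END CERTIFICATE-----
Bag Attributes
    localKeyID: 01 02 03
-----BEGIN PRIVATE KEY-----
UFJJVkFURUtFWQ==
-----END PRIVATE KEY-----
"""


def split_pem_bundle(text):
    """Return (certs, keys): clean PEM blocks in the order they appear.
    Labels ending in 'PRIVATE KEY' cover both 'PRIVATE KEY' and
    'ENCRYPTED PRIVATE KEY' (the latter if -nodes was not used)."""
    certs, keys = [], []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        block = f"-----BEGIN {label}-----\n{body.strip()}\n-----END {label}-----\n"
        if label == "CERTIFICATE":
            certs.append(block)
        elif label.endswith("PRIVATE KEY"):
            keys.append(block)
    return certs, keys


def write_split_files(text, out_dir):
    """Write certN.cer and privateN.key files into out_dir; return the paths."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    certs, keys = split_pem_bundle(text)
    written = []
    for i, cert in enumerate(certs):
        path = out / f"cert{i}.cer"
        path.write_text(cert)
        written.append(path)
    for i, key in enumerate(keys):
        path = out / f"private{i}.key"
        path.write_text(key)
        os.chmod(path, 0o600)  # the key may be unencrypted here: owner-only access
        written.append(path)
    return written


def demo_split():
    """Run the splitter on the constructed sample in a temporary directory."""
    return write_split_files(SAMPLE_BUNDLE, tempfile.mkdtemp(prefix="pfx-split-"))


if __name__ == "__main__":
    for path in demo_split():
        print(path)
```

To use it on a real bundle, read `file.withkey.pem` into a string and call `write_split_files(text, "out")`; `cert0.cer` is the server certificate, the remaining `.cer` files are the intermediates and root, and the `.key` file is what the Import Private Key step points at. Delete the unencrypted key file once the import has been committed.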
08-07-2025 01:29 AM
Can the poorly imported certificate be the reason for this error message?
SSL connect select error: 0(Resource temporarily unavailable), time left: 0
P26083-T33415 08/07/2025 00:31:33:272 Debug( 468): SSL connect failed
P26083-T33415 08/07/2025 00:31:33:272 Debug( 66): detailed SSL error info:
P26083-T33415 08/07/2025 00:31:33:272 Debug( 956): connect() failed
P26083-T33415 08/07/2025 00:31:33:272 Debug(3388): ConnectSSL: Failed to connect to 'gw2.vpn.ourdomain.com:443'. Disconnect ssl.
...and can the poorly imported certificate chain be the reason the connection fails?
08-07-2025 06:56 AM
Hi @gabe ,
The error you're seeing indicates a problem with the TCP connection, not the SSL certificate.
An SSL certificate error, such as an expired certificate or an untrusted certificate chain, would happen after a successful TCP connection has been made and the SSL handshake has begun.
The "connect() failed" error leads me to believe the TCP connection to the GW is failing. The client never successfully establishes a session with the server.
My guess is the network connection is unreachable or the gateway is unresponsive, resulting in the error message you're seeing.
Initial things I'd verify are that the GP client is able to resolve the FQDN of the portal and gateway; traffic to the GP portal or gateway isn't blocked by a firewall; and traffic is routed properly. Being able to browse to the GP portal is a great initial test to try.
Kind regards,
-Kim
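The distinction Kim draws above (a TCP connect failure happens before any certificate is ever sent, a chain problem only surfaces once the TLS handshake has begun) can be checked directly from a client machine. The script below is an added example and not part of the thread or of the GlobalProtect client: it attempts the TCP connection first and only then the TLS handshake, and reports which of the two layers failed. The local listener and closed-port helpers are constructed so the demo runs entirely on loopback; the hostnames in the log (`gw2.vpn.ourdomain.com`) are not contacted.

```python
"""Tell a TCP-layer failure apart from a TLS-layer failure for host:port
(added example, not part of the GlobalProtect client or the thread)."""
import socket
import ssl
import threading


def classify_connection(host, port, timeout=3.0):
    """Return ('tcp', reason) if the TCP connect fails (the case behind a
    'connect() failed' log line), ('tls', reason) if TCP succeeds but the TLS
    handshake or certificate validation does not, or ('ok', None)."""
    context = ssl.create_default_context()  # validates chain and hostname
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return "tcp", str(exc)
    try:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            tls.version()  # handshake completed if we reach this line
        return "ok", None
    except (ssl.SSLError, ssl.CertificateError, OSError) as exc:
        return "tls", str(exc)
    finally:
        sock.close()


def closed_port():
    """Constructed helper: a loopback port with nothing listening on it."""
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    port = probe.getsockname()[1]
    probe.close()
    return port


def start_non_tls_listener():
    """Constructed helper: accept one TCP connection and answer with plain
    text, so the TCP layer succeeds but the TLS handshake cannot."""
    server = socket.socket()
    server.bind(("127.0.0.1", 0))
    server.listen(1)
    port = server.getsockname()[1]

    def serve():
        conn, _ = server.accept()
        try:
            conn.recv(1024)  # discard the ClientHello
            conn.sendall(b"HTTP/1.0 400 Bad Request\r\n\r\n")
        finally:
            conn.close()
            server.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    print("nothing listening :", classify_connection("127.0.0.1", closed_port()))
    print("plain TCP service :", classify_connection("127.0.0.1", start_non_tls_listener()))
```

Pointed at a real gateway (`classify_connection("gw2.vpn.ourdomain.com", 443)`), a `tcp` result means DNS, routing or a firewall is the place to look, exactly as the reply suggests; a `tls` result with a verification message in the reason is the point at which an incorrectly formed chain would show up.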
08-07-2025 11:49 AM
Hi kiwi, thanks for your input. I have a separate topic for this problem; would you mind taking a look at it? I don't want to advertise the link here, maybe it's not allowed/nice. Please let me know if I can send it in private or if you can find it under my profile.
Thanks