Warning certificate chain not correctly formed in certificate

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Warning certificate chain not correctly formed in certificate

L2 Linker

Hello All

 

I have imported a cerfificate into the PA as a PFX. I have also import the intermediate certs and root CA. The cert is signed by Go Daddy with 2 intermediate certs and a Root CA.

 

All imports fine, but when I get up global protect portal and use the imported cert (from the pfx) I get an error which says "Warning certificate chain not correctly formed in certificate"

 

Thanks everyone 🙂

 

live.png

15 REPLIES 15

L1 Bithead

This is a bit of an old thread, but I think I have a simpler solution.

1. I have a pfx (in it are intermediate certificates, the certificate proper and the private key) secured by a password.

2. I import the pfx into the certificate store (in Windows) and view what certificates are in the certificate chain and more specifically what intermediate center certificates are in the chain. That is, Certificate > Certificate path

3. I export each of them (these intermediate center certificates and Root CA as is) to a separate file: View Certificate > Details > copy to file and saves it as X.509 Certificate encrypted with Base64 algorithm (CER).

4. the same way I export the actual certificate (right click) on the certificate > All Tasks > Export (I check the option Do not export private key) and save it as above (X.509, Base64, CER)

5. from the pfx file I extract the private key (unencrypted)
openssl pkcs12 -in cert.pfx -out file.withkey.pem
openssl rsa -in file.withkey.pem -out file.key


6. so it now has a set of files
- intermediate center certificates (*.cer)
- the file of the actual certificate (*.cer)
- private key file (.key)

7. I enter the PA and import all certificates starting from the first center (i.e. rootCA)

8. importing the right certificate I check Import Private Key, point to the key file and give passphrase

9. commit - no errors or warnings

10. enable certificate to SSL/TLS Service > commit - no errors and warnings

Exporting certs can be done from PA itself but I used windows storage.

Greetings
  • 51635 Views
  • 15 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!