Warning certificate chain not correctly formed in certificate


L2 Linker

Hello All

 

I have imported a certificate into the PA as a PFX. I have also imported the intermediate certs and root CA. The cert is signed by Go Daddy with 2 intermediate certs and a Root CA.

 

All imports fine, but when I set up global protect portal and use the imported cert (from the pfx) I get an error which says "Warning certificate chain not correctly formed in certificate"

 

Thanks everyone 🙂

 


L1 Bithead

This is a bit of an old thread, but I think I have a simpler solution.

1. I have a pfx (in it are intermediate certificates, the certificate proper and the private key) secured by a password.

2. I import the pfx into the certificate store (in Windows) and view what certificates are in the certificate chain and more specifically what intermediate center certificates are in the chain. That is, Certificate > Certificate path

3. I export each of them (these intermediate center certificates and Root CA as is) to a separate file: View Certificate > Details > copy to file and save it as X.509 Certificate encrypted with Base64 algorithm (CER).

4. the same way I export the actual certificate (right click on the certificate) > All Tasks > Export (I check the option Do not export private key) and save it as above (X.509, Base64, CER)

5. from the pfx file I extract the private key (unencrypted)
openssl pkcs12 -in cert.pfx -out file.withkey.pem
openssl rsa -in file.withkey.pem -out file.key


6. so it now has a set of files
- intermediate center certificates (*.cer)
- the file of the actual certificate (*.cer)
- private key file (.key)

7. I enter the PA and import all certificates starting from the first center (i.e. rootCA)

8. importing the right certificate I check Import Private Key, point to the key file and give passphrase

9. commit - no errors or warnings

10. enable certificate to SSL/TLS Service > commit - no errors and warnings

Exporting certs can be done from PA itself but I used Windows storage.

Greetings
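Added example, not part of the reply above and not Palo Alto Networks code: a pre-import check for the Base64 .cer files from steps 3 and 4 that walks issuer to subject from the actual certificate up to the self-signed root and returns the root-first order that step 7 imports in. It compares names only (no signature validation); every function name is this example's own, and `fake_cert` builds constructed, name-only sample certificates so the block runs offline.

```python
import base64, re

def tlv(buf):
    # Split one DER element off buf: (tag, value, remainder).
    tag, n, i = buf[0], buf[1], 2
    if n & 0x80:                                  # long-form length
        i = 2 + (n & 0x7F)
        n = int.from_bytes(buf[2:i], "big")
    return tag, buf[i:i + n], buf[i + n:]

def names(der):
    # (issuer, subject) of an X.509 certificate as raw DER Name bytes.
    tbs = tlv(tlv(der)[1])[1]                     # Certificate -> TBSCertificate
    tag, _, rest = tlv(tbs)
    if tag == 0xA0:                               # optional [0] version: skip serial too
        rest = tlv(rest)[2]
    rest = tlv(rest)[2]                           # skip signature algorithm
    _, issuer, rest = tlv(rest)
    _, subject, _ = tlv(tlv(rest)[2])             # skip validity, read subject
    return issuer, subject

def load_pem(text):
    # DER blobs from Base64 (PEM) .cer text, one per BEGIN/END block.
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", text, re.S)
    return [base64.b64decode(b) for b in blocks]

def import_order(leaf, cas):
    # Follow issuer -> subject (byte-for-byte Name match) up to a self-signed root; root-first.
    by_subject = {names(c)[1]: c for c in cas}
    path, cur = [leaf], leaf
    while names(cur)[0] != names(cur)[1]:
        cur = by_subject.get(names(cur)[0])
        if cur is None or cur in path:
            raise ValueError("chain broken: issuer of certificate #%d not supplied" % len(path))
        path.append(cur)
    return path[::-1]

def enc(tag, *parts):                             # short-form DER, enough for samples < 128 bytes
    return bytes([tag, sum(map(len, parts))]) + b"".join(parts)

def fake_cert(subject, issuer):
    # CONSTRUCTED skeleton (names only, no key, no signature), not a usable certificate.
    name = lambda cn: enc(0x30, enc(0x31, enc(0x30, b"\x06\x03\x55\x04\x03", enc(0x0C, cn.encode()))))
    tbs = enc(0x30, enc(0xA0, b"\x02\x01\x02"), b"\x02\x01\x01", enc(0x30), name(issuer), enc(0x30), name(subject))
    return enc(0x30, tbs)

if __name__ == "__main__":                        # constructed chain, CA files deliberately shuffled
    c = {n: fake_cert(n, i) for n, i in [("Root", "Root"), ("Int 1", "Root"), ("Int 2", "Int 1"), ("portal.example.com", "Int 2")]}
    order = import_order(c["portal.example.com"], [c["Int 2"], c["Root"], c["Int 1"]])
    print([n for d in order for n in c if c[n] == d])
```

For real files, pass `load_pem(open(path).read())[0]` for the actual certificate and the concatenated results for the CA files; a `ValueError` means an intermediate or the root is missing from the exported set.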