Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Can't define Forward Trust certificate

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Can't define Forward Trust certificate

L2 Linker

Hello,

 

We have a new firewall, PA-460 model. The panos version is 10.2.4-h2.

I have a problem for define the Forward Trust certificate for the decryption.

The certificate i want to declare for Forward trust is a root certificate of our domain.

I import the certificate with is private key in pkcs12.

When i check the case "Forward Trust  Certificate" or "Trusted Root CA", i can validate the commit but when i push the commit, i have this error :

 

Partial changes to commit: changes to configuration by administrators: admin
Changes to shared configuration
Error: Certificate failed to load: invalid certificate chain
Error preparing global objects
failed to handle CONFIG_UPDATE_START
(Module: device)
client device phase 1 failure
Commit failed

 

i have a vm for test, and the problem is the same, i tried to import the certificate in pem, and update to panos 10.2.4-h3 but same error.

 

Someone have an idea to fix this problem ?

I can't active decryption for now.

 

1 accepted solution

Accepted Solutions

open the certificate with a notepad, you may have to only keep the actual cert.

PCSNE - CISSP

Best Effort contributor

Check out our PANCast Channel

Disclaimer : All messages are my personal ones and do not represent my company's view in any way.

View solution in original post

5 REPLIES 5

L4 Transporter

Hello Charrier,

 

Have you tried to reimport the certificate in PEM format?

You need to play with openssl to convert it.

 

Olivier

PCSNE - CISSP

Best Effort contributor

Check out our PANCast Channel

Disclaimer : All messages are my personal ones and do not represent my company's view in any way.

Yes i tried, i convert the certificate pkcs12 in 2 pem file, one with certificate, and one with key and reimport it. but same error.

open the certificate with a notepad, you may have to only keep the actual cert.

PCSNE - CISSP

Best Effort contributor

Check out our PANCast Channel

Disclaimer : All messages are my personal ones and do not represent my company's view in any way.

L2 Linker

Thanks for the advice, I open the pem file in notepad, and i saw 2 certificate in this file.

When i import this file in palo, his show me only 1 certificate but 2 was in the file, that's why i have the invalid certification chain.

When i export the root ca since the certification authority, this export 2 root ca certificate.

 

I split the file in 2 pem file, make the same things for the keys.

 

Then i see the difference when i upload in the palo. 2 differents expires date.

 

Then i can declare one Forward Trust Certificate and active decryption.

 

Thanks

 

Hello Charrier,

 

Good your issue is resolved.

If you have some time, I invite you to read/listen the PANCast Episode 9 about SSL Decryption.

Maybe it can help you to complete your setup too.

 

Olivier

PCSNE - CISSP

Best Effort contributor

Check out our PANCast Channel

Disclaimer : All messages are my personal ones and do not represent my company's view in any way.

  • 1 accepted solution
  • 1918 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!