07-27-2023 03:20 AM
Hello,
We have a new firewall, PA-460 model. The panos version is 10.2.4-h2.
I have a problem for define the Forward Trust certificate for the decryption.
The certificate i want to declare for Forward trust is a root certificate of our domain.
I import the certificate with is private key in pkcs12.
When i check the case "Forward Trust Certificate" or "Trusted Root CA", i can validate the commit but when i push the commit, i have this error :
Partial changes to commit: changes to configuration by administrators: admin
Changes to shared configuration
Error: Certificate failed to load: invalid certificate chain
Error preparing global objects
failed to handle CONFIG_UPDATE_START
(Module: device)
client device phase 1 failure
Commit failed
i have a vm for test, and the problem is the same, i tried to import the certificate in pem, and update to panos 10.2.4-h3 but same error.
Someone have an idea to fix this problem ?
I can't active decryption for now.
07-27-2023 04:29 AM
open the certificate with a notepad, you may have to only keep the actual cert.
PCSNE - CISSP
Best Effort contributor
Check out our PANCast Channel
Disclaimer : All messages are my personal ones and do not represent my company's view in any way.
07-27-2023 04:20 AM
Hello Charrier,
Have you tried to reimport the certificate in PEM format?
You need to play with openssl to convert it.
Olivier
PCSNE - CISSP
Best Effort contributor
Check out our PANCast Channel
Disclaimer : All messages are my personal ones and do not represent my company's view in any way.
07-27-2023 04:26 AM
Yes i tried, i convert the certificate pkcs12 in 2 pem file, one with certificate, and one with key and reimport it. but same error.
07-27-2023 04:29 AM
open the certificate with a notepad, you may have to only keep the actual cert.
PCSNE - CISSP
Best Effort contributor
Check out our PANCast Channel
Disclaimer : All messages are my personal ones and do not represent my company's view in any way.
07-27-2023 06:10 AM - edited 07-27-2023 06:10 AM
Thanks for the advice, I open the pem file in notepad, and i saw 2 certificate in this file.
When i import this file in palo, his show me only 1 certificate but 2 was in the file, that's why i have the invalid certification chain.
When i export the root ca since the certification authority, this export 2 root ca certificate.
I split the file in 2 pem file, make the same things for the keys.
Then i see the difference when i upload in the palo. 2 differents expires date.
Then i can declare one Forward Trust Certificate and active decryption.
Thanks
07-27-2023 09:27 AM
Hello Charrier,
Good your issue is resolved.
If you have some time, I invite you to read/listen the PANCast Episode 9 about SSL Decryption.
Maybe it can help you to complete your setup too.
Olivier
PCSNE - CISSP
Best Effort contributor
Check out our PANCast Channel
Disclaimer : All messages are my personal ones and do not represent my company's view in any way.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
