Certificate import error - Import of Certificate failed. Failed to extract certificate.

Created On 09/25/18 17:30 PM - Last Modified 01/08/21 00:28 AM


Symptom


Sometimes, when you try to import a certificate into the Palo Alto Networks firewall, you might see this error: "Import of Certificate failed. Failed to extract certificate." In this example, we are using the certificate DigiCert High Assurance CA-3.

Screenshot_8.png



Environment


  • Palo Alto Firewall
  • PAN-OS Any
  • Certificate Import


Cause


The certificate file is in a format that the Palo Alto Networks firewall does not accept, which causes the error message to be displayed.

This is what the certificate looks like in Notepad:

Screenshot_3.png



Resolution


  1. Save the certificate to the desktop.
  2. Open the certificate, copy it to a file and, while saving, choose the option "Base-64 encoded X.509 (.CER)".
    If you open the new certificate in Notepad, it should look clean.
  3. Re-import the new certificate and it should be successful.

 

Screenshot_1.png

Screenshot_2.png

Screenshot_3.png

What it looks like in notepad after exporting.

Screenshot_5.png

Screenshot_6.png

After the Cert is imported:

2017-12-18_cert1.jpg



Additional Information


Note:
The Windows copy does not copy the private keys. If you have private keys, use the Windows Certificate Server (CA authority) and use the PKCS (.PFX) format.
Certificates generated on the Palo Alto firewall can be exported with their private keys directly (GUI: Device > Certificate Management > Certificates > (select the certificate) > Export Certificate).

