Certificate import error - Import of Certificate failed. Failed to extract certificate.
179533
Created On 09/25/18 17:30 PM - Last Modified 01/08/21 00:28 AM
Symptom
Sometimes when you try to import a certificate to the Palo Alto Networks firewall you might see this error "Import of Certificate failed. Failed to extract certificate." In this example, we are using the certificate DigiCert High Assurance CA-3.
Environment
- Palo Alto Firewall
- PAN-OS Any
- Certificate Import
Cause
The certificate format is not feasible with Palo Alto Networks, causing the error message to be displayed.
This is what the certificate looks like in Notepad:
Resolution
- Save the certificate to the desktop.
- Open the cert and copy it to a file and, while saving, use the option "Base-64 encoded C.509 (.CER) format."
If you open the new cert in notepad it should look clean. - Re-import the new certificate and it should be successful.
What it looks like in notepad after exporting.
After the Cert is imported:
Additional Information
Note:
The windows copy does not copy the private keys. If you have private keys, use the Windows Certificate Server (CA authority) and use PKCS (.PFX) format
The certificates generated on Palo Alto Firewall can be exported with the private keys directly ( GUI: Device > Certificate Management > Certificates > (select the certificate) > Export Certificate)