Palo Alto Networks Knowledgebase: Fix For Error When Importing Chained PEM Format Certificates - Using Text Editor to Re-order

Created On 02/07/19 23:46 PM - Last Updated 02/07/19 23:46 PM
Resolution

This applies to PAN-OS version 5.0 and later.

This is an addendum to a previous KB article, https://live.paloaltonetworks.com/docs/DOC-4289, by gwesson (https://live.paloaltonetworks.com/people/gwesson).

---

This article applies if you receive a chained certificate from your CA which is reverse ordered (root CA at the top), and you cannot view it properly in the Windows "Certificate tool" or in "Keychain Access" (Mac). It discusses "PEM" formatted certificates (X.509, ASCII Base64 encoded). In this case, you may receive the error "public key does not match private key" when importing the chained certificate file.

Chained certificates are certificates signed by an Intermediate Certificate Authority (CA). An Intermediate Certificate Authority is signed by a root CA, or by another intermediate. The final certificate in the chain is a root CA. See: http://en.wikipedia.org/wiki/Intermediate_certificate_authorities

Many certificates issued by a public CA (e.g. VeriSign, Comodo, Thawte) are chained. For these, to import the whole "chain" into the PA firewall, you can use a text file which "bundles" all of the certs in the chain (the root CA is optional) in a single file. This is an (X.509 ASCII Base64) "PEM" formatted certificate file. For the PA firewall to import it, the certificates in the file must be ordered as: 1. Server Certificate, 2. Intermediate (i.e. the CA which signed 1.), 3. Root CA. This is described in detail in https://live.paloaltonetworks.com/docs/DOC-4289

Assume you created the CSR on the PA firewall yourself, exported it, and submitted it to the CA, as described in this article: https://live.paloaltonetworks.com/docs/DOC-4232

Your CA may provide numerous file formats for the signed cert they send you. One of them may be called 'Chained', 'Bundled' or 'Server and Intermediates'. The extension should be .pem, .cer or .crt. If you open the file with a text editor (e.g. Notepad on Windows, TextEdit on Mac, or vi or gedit on Linux) you will see:

-----BEGIN CERTIFICATE-----
<a bunch of unintelligible characters>
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
<a bunch of unintelligible characters>
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
<a bunch of unintelligible characters>
-----END CERTIFICATE-----

You can see that there are three certs, but not which certificate is which, since the contents are encoded.

I know from bitter experience (with a certificate from Comodo) that the failure message if the individual certs in the file are ordered with the root CA on top will be "The private key does not match the public key." When importing, the PA firewall assumes the Server Cert is the first cert. If you examine the bundled cert file using native tools on Windows (Certificate tool) or Mac (Keychain Access), it will only display the first certificate in the file. If this happens, and the file is PEM format, not PKCS#7 or PKCS#12, you can still successfully change the order of the certificates with your text editor, by simply swapping the first "chunk" with the last "chunk" above, and attempting a re-import to your firewall.
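As an added example (not from this KB or from Palo Alto Networks), the Python script below does the same re-ordering automatically: it splits the bundle into its PEM chunks, reads each certificate's issuer and subject with a minimal DER walker, and writes the chunks back out server cert first, then its issuer, then the root. It assumes the issuer name in one certificate is byte-identical to the subject of the certificate that signed it (the normal case for DER-encoded CA bundles); the three certificates it runs on are constructed stand-ins, not real CA output.

```python
import base64, re
# Added example, not from the KB: re-order a PEM bundle so the server cert is first.
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def der_tlv(buf, pos=0):            # read one DER element -> (tag, value, next position)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                    # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n
def issuer_subject(der_bytes):      # raw DER of (issuer, subject) from an X.509 cert
    tbs = der_tlv(der_tlv(der_bytes)[1])[1]        # Certificate -> tbsCertificate
    fields, pos = [], 0
    while pos < len(tbs):
        tag, val, pos = der_tlv(tbs, pos)
        if tag != 0xA0:             # skip the optional [0] version field
            fields.append(val)
    return fields[2], fields[4]     # serial, sigAlg, issuer, validity, subject, ...

def order_chain(pems):              # leaf first, following subject -> issuer links (raw DER equality)
    certs = [(p, *issuer_subject(base64.b64decode(re.sub(r"\s", "", p)))) for p in pems]
    by_subject = {subj: (p, iss) for p, iss, subj in certs}
    issuers = {iss for _, iss, subj in certs if iss != subj}   # a self-signed root is not counted
    leaves = [subj for _, _, subj in certs if subj not in issuers]
    if len(leaves) != 1:
        raise ValueError("bundle does not form a single chain")
    ordered, subj = [], leaves[0]
    while subj in by_subject and by_subject[subj][0] not in ordered:
        ordered.append(by_subject[subj][0])
        subj = by_subject[subj][1]  # step up to the issuer
    return ordered
def rebuild(pems):
    return "".join(f"-----BEGIN CERTIFICATE-----\n{p.strip()}\n-----END CERTIFICATE-----\n" for p in pems)
def fix_bundle(text):               # text of the CA's bundle file -> re-ordered bundle text
    return rebuild(order_chain(PEM_RE.findall(text)))

# Constructed sample: minimal, unsigned X.509-shaped DER, enough for the walker above (assumption).
def der(tag, *parts):
    body = b"".join(parts)
    return bytes([tag]) + (bytes([len(body)]) if len(body) < 128 else bytes([0x81, len(body)])) + body
def fake_cert(subject, issuer):
    name = lambda cn: der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03"), der(0x0C, cn.encode()))))
    alg = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
    validity = der(0x30, der(0x17, b"190207000000Z"), der(0x17, b"200207000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01"), alg, name(issuer), validity, name(subject))
    b64 = base64.b64encode(der(0x30, tbs, alg, der(0x03, b"\x00"))).decode()
    return "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
ROOT, INTER, LEAF = fake_cert("Root CA", "Root CA"), fake_cert("Inter CA", "Root CA"), fake_cert("fw.example", "Inter CA")
REVERSED_BUNDLE = rebuild([ROOT, INTER, LEAF])     # root on top, the order the KB warns about
```

Run `fix_bundle` on the text of the bundle file and write the result to a new file before importing it; if the file holds two unrelated certificates it raises rather than guessing an order.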

In Linux, all certificates are shown, and the reverse order is visible. This is a sample of a "reverse ordered" certificate in the Linux certificate viewer.

[Figure: certs.png, a reverse-ordered certificate bundle as displayed in the Linux certificate viewer]

In addition, you can import PKCS#12 format certificates to the PA, but you can't manipulate these via cut and paste, since they are encrypted and binary rather than ASCII.


