Certificate Chain Cannot Be Validated When Importing Signed Certificate

Created On 04/30/19 05:24 AM - Last Modified 04/30/19 17:31 PM


Symptom


Importing the public certificate fails with the error "Certificate chain cannot be validated. Required CAs not found."

Environment


Certificate Signing Request (CSR) generated on the firewall and sent to a public certificate authority.
The Certificate Authority (CA) is not listed in the Default Trusted Certificate Authorities.
All Root CA and Intermediate Root CA certificates are imported to the firewall under Device Certificates (complete certificate chain).


Cause


Under Device > Certificate Management > Certificates > Device Certificates, check the Name column for either of the following:
- Root CA certificate name contains spaces, and/or
- Intermediate Root CA certificate name contains spaces


Resolution


NOTE: Ensure that the original certificate files (Root CA and Intermediate Root CA) exist on the client machine, or export them from the firewall before deleting them.

- Delete the Root CA and Intermediate Root CA certificates that have spaces in their names.
- Re-import the certificates in the correct sequence (Root CA > Intermediate Root CA), replacing any spaces in the names with hyphens or underscores.
- Complete the certificate request process by importing the public certificate (ensure the correct certificate name).
- Verify that the certificates form a certificate chain under Device > Certificate Management > Certificates > Device Certificates.
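
A pre-import check for the steps above, as an added example that is not part of the original article or any Palo Alto Networks tooling: given the name, subject and issuer of each certificate (the inventory and its names are constructed), it flags CA names that contain spaces, proposes hyphenated names, and lists the certificates in import order, root first. The end-entity certificate keeps its name, since it must match the certificate request.

```python
import re

# Constructed inventory (not from the article): display name, subject DN, issuer DN.
# The DNs can be read from a PEM file with:
#   openssl x509 -noout -subject -issuer -in <file>
SAMPLE = [
    {"name": "fw.example.com", "subject": "CN=fw.example.com",
     "issuer": "CN=Example Issuing CA"},
    {"name": "Example Issuing CA", "subject": "CN=Example Issuing CA",
     "issuer": "CN=Example Root CA"},
    {"name": "Example Root CA", "subject": "CN=Example Root CA",
     "issuer": "CN=Example Root CA"},
]

def safe_name(name):
    """Replace each run of whitespace in a certificate name with a hyphen."""
    return re.sub(r"\s+", "-", name.strip())

def depth(cert, by_subject):
    """Hops from cert up to a self-signed root; None on a gap or loop."""
    hops, seen = 0, set()
    while cert["subject"] != cert["issuer"]:
        if cert["subject"] in seen or cert["issuer"] not in by_subject:
            return None
        seen.add(cert["subject"])
        cert = by_subject[cert["issuer"]]
        hops += 1
    return hops

def plan_import(certs):
    """Return (names in import order, root first; list of problems found)."""
    by_subject = {c["subject"]: c for c in certs}
    issuers = {c["issuer"] for c in certs}
    plan, problems = [], []
    for c in certs:
        d = depth(c, by_subject)
        if d is None:
            problems.append(f"{c['name']!r}: no path to a self-signed root in this set")
            continue
        name = c["name"]
        if c["subject"] in issuers and safe_name(name) != name:  # CA certs only
            problems.append(f"{name!r}: CA name has spaces, use {safe_name(name)!r}")
            name = safe_name(name)
        plan.append((d, name))
    return [name for _, name in sorted(plan)], problems

if __name__ == "__main__":
    order, problems = plan_import(SAMPLE)
    print("Import order:", " > ".join(order))
    print("\n".join(problems))
```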
 

