Certificate Chain Cannot Be Validated When Importing Signed Certificate
38747
Created On 04/30/19 05:24 AM - Last Modified 11/04/25 12:49 PM
Symptom
Failed to import the public certificate with an error "Certificate chain cannot be validated. Required CAs not found."
Environment
- NGFW
- Supported PANOS versions
- Certificate Signing Request (CSR) generated in the firewall and sent to public certificate authority.
- The Certificate Authority (CA) is not listed in the Default Trusted Certificate Authorities.
- All Root CA and Intermediate Root CA certificates are imported to the firewall under Device Certificates (complete certificate chain).
Cause
Check under Device > Certificate Management > Certificates > Device Certificates > Name column to check for any of the following:
- Root CA certificate name contains spaces, and/or
- Intermediate Root CA certificate name contains spaces
Resolution
NOTE: Ensure that original certificate files (Root CA and Intermediate Root CA) exist in the client machine, or export them from the firewall before deleting them.
– Delete Root CA and Intermediate Root CA certificate that have spaces on their names.
– Re-import the certificates in the correct sequence (Root CA > Intermediate Root CA), and use hyphens or underscores to replace spaces.
– Complete the certificate request process by importing the public certificate (ensure the correct certificate name).
– Verify if the certificates form a certificate chain under Device > Certificate Management > Certificates > Device Certificates.