Error message: Peer certificate cannot be authenticated with given CA certificates

47101
Created On 05/16/19 03:25 AM - Last Modified 01/16/21 04:03 AM


Symptom


  • When a certificate profile is created and then used by one of the firewall's features, the following error appears in the system logs:
    Server response: Peer certificate cannot be authenticated with given CA certificates
  • A packet capture shows a TLS "Unknown CA" alert immediately after the server sends its certificate


Environment


  • PAN-OS 9.0
  • Palo Alto Networks firewalls
  • Certificates configured


Cause


An incorrect certificate in the certificate chain causes this error: either the root or the intermediate certificate in the certificate profile does not match the chain the server presents.

Resolution


  1. Check the certificate being used:
     Capture the certificate sent by the "Server" and compare it with the certificate stored on the "Firewall". The server certificate can be found by taking a packet capture and opening the handshake packet that carries the server certificate (the one labelled Server Key Exchange), under:
     (Secure Sockets Layer > TLS Record Layer > Handshake Protocol > Certificate)
  2. If the certificate is incorrect or missing, download the missing certificate:
     • If needed, the certificate can be exported from the Wireshark packet capture of the "Server": right-click the certificate field and use Export Packet Bytes to save its raw (DER) bytes to a file
     • With OpenSSL, run openssl x509 -inform der -in cert.der -text to view the certificate
     • With OpenSSL, run openssl x509 -inform der -in cert.der -outform pem -out cert.crt to convert the certificate to PEM format
  3. Upload the PEM file to the firewall and select the new certificate in the certificate profile.
  4. Commit the changes to the firewall. The issue should now be resolved.
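The steps above boil down to one question: does the certificate the server actually sends chain to the CA certificates in the profile? The script below is an added example (not part of the article, and not Palo Alto Networks code) that reproduces that check with a throwaway PKI built from hypothetical names: a root CA, an intermediate, a server certificate, and an unrelated CA standing in for a wrongly uploaded intermediate. It also performs the article's DER-to-PEM conversion and compares SHA-256 fingerprints, which is a quicker way to tell whether the captured certificate matches the one stored on the firewall than reading two text dumps side by side. It needs only a POSIX shell and the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not from the KB article. Builds a throwaway root CA,
# intermediate CA and server certificate (all names are hypothetical), then
# uses "openssl verify" to reproduce the chain check a firewall performs when
# it validates a peer certificate against the CAs in a certificate profile.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Issue a certificate from a fresh key and CSR, signed by the named CA.
# An optional extension file ($4) marks the result as a CA (for intermediates).
issue() {  # issue <name> <ca_name> <subject> [extfile]
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "$3" 2>/dev/null
  if [ -n "${4:-}" ]; then
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
      -CAcreateserial -days 2 -extfile "$4" -out "$WORK/$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
      -CAcreateserial -days 2 -out "$WORK/$1.pem" 2>/dev/null
  fi
}

# Self-signed root CA (constructed test data).
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" -subj "/CN=Example Root CA" \
  -days 2 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
  > "$WORK/ca.ext"
issue inter root "/CN=Example Intermediate CA" "$WORK/ca.ext"
issue server inter "/CN=server.example.test"

# An unrelated CA: what the profile effectively contains when the wrong
# intermediate certificate was uploaded to the firewall.
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
  -keyout "$WORK/other.key" -out "$WORK/other.pem" -subj "/CN=Unrelated CA" \
  -days 2 2>/dev/null

# Stand-in for Wireshark's "Export Packet Bytes": the server cert as raw DER.
openssl x509 -in "$WORK/server.pem" -outform der -out "$WORK/captured.der"

# The article's conversion step: DER from the capture -> PEM for upload.
der_to_pem() { openssl x509 -inform der -in "$1" -outform pem -out "$2"; }

# SHA-256 fingerprint, so a captured certificate can be compared with the one
# stored on the firewall without reading the whole text dump.
fingerprint() {  # fingerprint <file> <der|pem>
  openssl x509 -inform "$2" -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Chain check: trusted root(s) in $1, untrusted intermediate(s) in $2, leaf $3.
# Prints OK on success, otherwise OpenSSL's reason, e.g. "unable to get local
# issuer certificate", which is the failure that appears as "Unknown CA" on
# the wire.
verify_chain() {
  if out=$(openssl verify -CAfile "$1" -untrusted "$2" "$3" 2>&1); then
    echo OK
  else
    echo "$out" | sed -n 's/.*error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1
  fi
}

der_to_pem "$WORK/captured.der" "$WORK/captured.pem"
echo "captured DER  : $(fingerprint "$WORK/captured.der" der)"
echo "converted PEM : $(fingerprint "$WORK/captured.pem" pem)"
echo "correct chain : $(verify_chain "$WORK/root.pem" "$WORK/inter.pem" "$WORK/captured.pem")"
echo "wrong intermed: $(verify_chain "$WORK/root.pem" "$WORK/other.pem" "$WORK/captured.pem")"
```

In practice, replace the constructed files with the exported DER from the capture and the root and intermediate PEM files that are (or will be) loaded into the certificate profile; if verify_chain does not print OK with those inputs, the firewall will not accept the peer either, and the reason printed tells you which link of the chain is missing.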


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLz3CAG&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail