Unable to form chain of signed certificate with issuer CA certificates
8911
Created On 12/07/19 00:01 AM - Last Modified 05/11/20 21:26 PM
Symptom
After importing a certificate signed by your CA into your Firewall/Panorama, the certificate chain is not formed correctly, as seen in the GUI under Device/Panorama > Certificate Management > Certificates.
Environment
- PAN-OS 8.1 and above.
- Palo Alto Firewall.
- The certificate used on the Palo Alto Networks device (Firewall/Panorama) is about to expire and needs to be renewed.
Cause
- When a CA signs a certificate, it may issue two certificate files as part of the signed certificate package.
- One contains only the chain of issuer certificates; the other contains the full chain, including the certificate for which you generated the CSR.
- If you import the file that does not have the signed certificate at the end of the chain (the bottom-most one), the chain will not form as expected after import to the Firewall/Panorama.
Resolution
- Check whether both certificate files were received from the CA as part of the signed certificate package. To do this, open each file on a PC by double-clicking it, then inspect the chain on the certificate path tab.
- The file whose path is complete, including the leaf certificate for which you generated the original CSR on the Palo Alto Networks Firewall/Panorama, is the one that must be imported to the Firewall/Panorama.
- Once the correct certificate is imported, it will form a chain with the issuer certificates already present under Device/Panorama > Certificate Management > Certificates.
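The check described in the Cause and Resolution sections above can also be done from the command line before importing anything. The following script is an added example, not part of this article or of PAN-OS; it assumes the openssl CLI is available. It builds a constructed toy hierarchy (root CA, issuing CA, firewall leaf), produces the two bundle variants a CA typically returns, and tests which bundle ends with a certificate carrying the public key from the device's CSR. All names and files here (Example Root CA, fw.example.com, fw.csr, chain_only.pem, full_chain.pem) are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the PAN-OS article): decide which CA-issued bundle
# actually contains the signed leaf certificate for a given CSR.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# --- Constructed toy hierarchy: root CA -> issuing CA -> firewall leaf -------
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -subj "/CN=Example Root CA" \
  -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null

openssl req -new -newkey rsa:2048 -nodes \
  -subj "/CN=Example Issuing CA" \
  -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
  > "$WORK/int.ext"
openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 1825 -sha256 -extfile "$WORK/int.ext" \
  -out "$WORK/int.crt" 2>/dev/null

# Stand-in for the CSR generated on the firewall/Panorama (hypothetical name).
openssl req -new -newkey rsa:2048 -nodes \
  -subj "/CN=fw.example.com" \
  -keyout "$WORK/fw.key" -out "$WORK/fw.csr" 2>/dev/null
openssl x509 -req -in "$WORK/fw.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
  -CAcreateserial -days 365 -sha256 -out "$WORK/fw.crt" 2>/dev/null

# The two files a CA package often contains: issuers only, and the full chain
# with the signed leaf at the bottom.
cat "$WORK/root.crt" "$WORK/int.crt"                 > "$WORK/chain_only.pem"
cat "$WORK/root.crt" "$WORK/int.crt" "$WORK/fw.crt"  > "$WORK/full_chain.pem"

# --- The check ---------------------------------------------------------------
# Returns 0 if the bottom-most certificate in BUNDLE carries the public key
# from CSR (i.e. the bundle includes the signed leaf), 1 otherwise.
bundle_ends_with_csr_leaf() {
  bundle="$1"; csr="$2"
  # Keep only the last PEM certificate block of the bundle.
  last="$(awk '/-----BEGIN CERTIFICATE-----/{buf=""}
               {buf=buf $0 "\n"}
               /-----END CERTIFICATE-----/{out=buf}
               END{printf "%s", out}' "$bundle")"
  csr_key="$(openssl req -in "$csr" -pubkey -noout)"
  cert_key="$(printf '%s\n' "$last" | openssl x509 -pubkey -noout)"
  [ "$csr_key" = "$cert_key" ]
}

# Number of PEM certificate blocks in a bundle (useful when eyeballing a package).
count_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

for b in chain_only full_chain; do
  n="$(count_certs "$WORK/$b.pem")"
  if bundle_ends_with_csr_leaf "$WORK/$b.pem" "$WORK/fw.csr"; then
    echo "$b.pem ($n certs): ends with the firewall leaf; import this one"
  else
    echo "$b.pem ($n certs): issuers only; importing it will not form the chain"
  fi
done
```

The public-key comparison is the discriminating test: both files verify as a chain on their own, but only the file whose bottom-most certificate matches the CSR's key is the signed certificate the firewall or Panorama needs; the issuer-only file is what you would see if the import results in no chain.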