Commit Failure due to "Certificate length: xxxxx is greater than the size of buffer"

Created On 10/20/23 05:19 AM - Last Modified 01/29/24 08:42 AM


Symptom


  • You generated a new certificate with its key pair on Panorama or the firewall, or
  • You generated a new certificate with its key pair on an external server and then uploaded/imported the certificate, with or without its key pair.
  • You applied the certificate to the following features, including but not limited to:
    • SSL/TLS Decryption
    • GlobalProtect VPN
    • User Identification
    • High-Availability
    • IPSEC
    • Secure Communication Settings
    • Captive Portal
    • Secure Syslog
    • LDAP over SSL/TLS
    • API Access
  • The commit fails.
  • pan_comm_0.log contains an error similar to the following:
    2022-04-29 13:25:54.923 -0700 Error: pan_ssl_convert_cert_from_pem_to_der(pan_ssl_policy.c:189): certificate length: 2231 is greater than the size of buffer


Environment


  • PAN-OS 10.2.0 and later releases that still impose a fixed certificate buffer (see Cause for the size per release)
  • Certificates


Cause


  • Before PAN-OS 10.2.0, no buffer limit applied to the certificates PAN-OS converts for use.
  • Starting with PAN-OS 10.2.0, a 2048-byte buffer was imposed. The length compared against it is the converted certificate length that pan_ssl_convert_cert_from_pem_to_der reports in the error above (2231 bytes in the example); a certificate longer than the buffer fails the commit.
  • PAN-OS 10.2.3 increased the buffer to 4096 bytes.
  • PAN-OS 10.2.8, 11.1.0, and later allocate the buffer dynamically from the certificate size, so the limit no longer applies.


Resolution


  1. Upgrade to PAN-OS 10.2.8, 11.1.0, or a later release; the buffer is then allocated from the certificate size and the check no longer fails.
  2. Alternatively, delete the current certificate and generate a smaller one. When doing so, keep the following in mind:
    1. Key Length
       The size of the subject public key dominates the certificate size (the private key is never part of the certificate). A 4096-bit RSA key adds about 256 bytes over a 2048-bit RSA key, and if the signing CA also uses a 4096-bit key the signature grows by roughly the same amount. Do not go below 2048-bit RSA, as shorter keys weaken the certificate.
    2. Certificate Extensions
       Certificates may carry extensions such as Subject Alternative Name (SAN) or Key Usage. Keep the extensions the feature needs (modern TLS clients require a SAN on server certificates) and drop the rest. A long SAN list is a common reason a certificate grows, so request only the names the firewall actually serves.
    3. Elliptic Curve Cryptography (ECC)
       ECC keys are far smaller than RSA keys of comparable strength, so ECC certificates are smaller: a P-256 public key occupies about 91 bytes in the certificate, against about 294 bytes for RSA-2048. Confirm that the feature and its peers support ECDSA before switching.
       As Wikipedia puts it:
       "A 256-bit elliptic curve public key should provide comparable security to a 3072-bit RSA public key."
    4. Remove Unused Information
       Include only the subject fields and attributes the certificate needs, and drop any custom or non-standard fields.
    5. Hash Algorithms
       The signature hash does not change the certificate size in any meaningful way: sha256WithRSAEncryption and sha512WithRSAEncryption are object identifiers of identical length, and the signature itself is as long as the CA's key (the RSA modulus length, or about twice the curve size for ECDSA) whatever hash is used. Choose SHA-256 for compatibility; to shrink the signature, have the certificate signed by a CA with a smaller or ECDSA key rather than by changing the hash.


Additional Information


When a concatenated chain is imported, as described in 'How to Install a Chained Certificate Signed by a Public CA', only the top certificate (the "Server Cert" in that article) is measured against the buffer limit; the intermediate and root certificates below it are not.
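A pre-flight check for the limits described in the Cause section and the chain behaviour described just above, as an added example (not Palo Alto Networks code): it takes a PEM file or concatenated chain, decodes only the first CERTIFICATE block to DER, compares its length with the buffer size documented for a given PAN-OS release, and can also pull the reported length out of a pan_comm_0.log error line. The release table follows the Cause section; the article does not document the 11.0.x train, so that entry is an assumption (treated conservatively as 4096 bytes). The sample chain is constructed in the block and is not a real certificate; it only exercises the size arithmetic.

```python
"""Will this certificate pass the PAN-OS 10.2.x certificate buffer check?

Added example.  Measures the DER length of the FIRST certificate in a PEM
file (the one the buffer check applies to) and compares it with the limit for
a PAN-OS release.  ASSUMPTION: 11.0.x is not documented in the article and is
treated as if it had the 4096-byte limit.
"""
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)
LOG_ERROR = re.compile(r"certificate length: (\d+) is greater than the size of buffer")


def parse_version(version: str) -> tuple:
    """'10.2.3-h1' -> (10, 2, 3); missing components are treated as 0."""
    parts = [int(p) for p in version.split("-")[0].split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def buffer_limit(version: str):
    """Certificate buffer size in bytes, or None when PAN-OS sizes it dynamically."""
    v = parse_version(version)
    if v < (10, 2, 0):
        return None      # no fixed buffer before 10.2.0
    if v < (10, 2, 3):
        return 2048      # 10.2.0 - 10.2.2
    if v < (10, 2, 8):
        return 4096      # 10.2.3 - 10.2.7
    if v < (11, 0, 0):
        return None      # 10.2.8+ allocates the buffer from the certificate size
    if v < (11, 1, 0):
        return 4096      # ASSUMPTION: 11.0.x is not documented in the article
    return None          # 11.1.0+ allocates the buffer from the certificate size


def der_declared_length(der: bytes) -> int:
    """Total size of the outer DER SEQUENCE according to its own length octets."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE; a certificate must start with 0x30")
    first = der[1]
    if first < 0x80:                      # short form: one length octet
        return 2 + first
    n = first & 0x7F                      # long form: n length octets follow
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def top_cert_der(pem: str) -> bytes:
    """DER bytes of the first CERTIFICATE block in a PEM file or chain."""
    m = PEM_BLOCK.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    if der_declared_length(der) != len(der):
        raise ValueError("DER length octets disagree with decoded size; PEM is damaged")
    return der


def check_certificate(pem: str, version: str) -> dict:
    """Does the top certificate of `pem` fit the buffer on PAN-OS `version`?"""
    length = len(top_cert_der(pem))
    limit = buffer_limit(version)
    return {"der_length": length, "limit": limit,
            "fits": limit is None or length <= limit}


def length_from_log(line: str):
    """Certificate length reported by a pan_comm_0.log error line, or None."""
    m = LOG_ERROR.search(line)
    return int(m.group(1)) if m else None


def fake_cert_pem(total_len: int) -> str:
    """CONSTRUCTED test input: a DER SEQUENCE padded to exactly total_len bytes
    (total_len >= 260 so a two-octet long-form length is used).  Not a parseable
    X.509 certificate; it only exercises the size arithmetic."""
    content = total_len - 4                      # header is 0x30 0x82 LL LL
    der = b"\x30\x82" + content.to_bytes(2, "big") + b"\x00" * content
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed chain: a 2231-byte "server cert" (the size from the log line in
# the Symptom section) on top of a 1300-byte "CA cert".
SAMPLE_CHAIN = fake_cert_pem(2231) + fake_cert_pem(1300)
SAMPLE_LOG = ("2022-04-29 13:25:54.923 -0700 Error: pan_ssl_convert_cert_from_pem_to_der"
              "(pan_ssl_policy.c:189): certificate length: 2231 is greater than the size of buffer")

if __name__ == "__main__":
    for release in ("10.2.0", "10.2.3", "10.2.8"):
        print(release, check_certificate(SAMPLE_CHAIN, release))
    print("log line reports", length_from_log(SAMPLE_LOG), "bytes")
```

Run it against the real PEM you intend to import (read the file into `check_certificate`) before committing; a 2231-byte certificate fails on 10.2.0 through 10.2.2, passes on 10.2.3 through 10.2.7, and is unconstrained on 10.2.8 and 11.1.0 or later.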

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008VVACA2&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail