Error: Certificate chain cannot be validated, required CAs not found in FIPS-CC mode.

Created On 04/15/24 04:00 AM - Last Modified 05/20/24 22:43 PM


Symptom


  • Attempting to add a leaf certificate to a template within a stack in FIPS-CC mode.
  • Error message "Certificate chain cannot be validated, required CAs not found." is displayed.


Environment


  • Panorama in FIPS-CC mode.
  • PAN-OS 8.1 and above
  • Firewall in FIPS-CC mode.


Cause


  • The required root certificate is not found in the template.
  • In FIPS-CC mode all necessary certificates, including the root certificate, must be present in the template where leaf certificates are being imported.


Resolution


  1. Ensure that the root certificate, along with any intermediate certificates, is present in the template before importing the leaf certificate.
  2. This behaviour is by design in FIPS-CC mode, where additional certificate validation is enforced at import time.


Additional Information


Example:
  • Create a template stack and add two templates to it: `global-test` and `firewall-test`.
  • global-test: This template includes both the root and intermediate certificates.
  • firewall-test: Attempt to add a leaf certificate to this template. Because the root and intermediate certificates are not in this template, "Certificate chain cannot be validated, required CAs not found" is displayed in FIPS-CC mode.
Note:
  • The above scenario works in normal mode but not in FIPS-CC mode.
  • This is due to heightened security measures mandated by FIPS-CC mode.
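A small model of the per-template chain check, added here as an illustration and not taken from PAN-OS or this article; the `Cert` stand-in, the certificate names and the treatment of normal mode as skipping chain validation at import are assumptions. It reproduces the `global-test` / `firewall-test` scenario above and reports which CA is missing, which is the practical pre-import check an administrator wants.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate; only the name links matter here."""
    subject: str
    issuer: str
    is_ca: bool = False

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer

class ChainError(ValueError):
    """Carries the article's error text; `missing` names the CA that was not found."""
    def __init__(self, missing: str):
        super().__init__("Certificate chain cannot be validated, required CAs not found.")
        self.missing = missing

def build_chain(leaf: Cert, store: list[Cert]) -> list[Cert]:
    """Walk issuer links from the leaf until a self-signed CA present in `store`
    is reached. Returns [leaf, intermediates..., root] or raises ChainError."""
    cas = {c.subject: c for c in store if c.is_ca}
    chain, seen = [leaf], {leaf.subject}
    while not chain[-1].self_signed:
        issuer = cas.get(chain[-1].issuer)
        if issuer is None or issuer.subject in seen:   # CA absent from this template, or a loop
            raise ChainError(chain[-1].issuer)
        chain.append(issuer)
        seen.add(issuer.subject)
    return chain

def import_check(leaf: Cert, template_store: list[Cert], fips_cc: bool = True) -> str:
    """Pre-flight an import into one template. FIPS-CC mode validates against that
    template's own store; normal mode is modelled as not validating (assumption)."""
    if not fips_cc:
        return "ok"
    try:
        build_chain(leaf, template_store)
    except ChainError as exc:
        return f"{exc} (missing CA: {exc.missing})"
    return "ok"

# Constructed scenario mirroring the article: root and intermediate live in
# global-test, while the leaf is imported into firewall-test.
ROOT = Cert("Example Root CA", "Example Root CA", is_ca=True)
INTER = Cert("Example Issuing CA", "Example Root CA", is_ca=True)
LEAF = Cert("fw1.example.test", "Example Issuing CA")
STACK = {"global-test": [ROOT, INTER], "firewall-test": []}
```

Running `import_check(LEAF, STACK["firewall-test"])` yields the article's error and names the missing issuer; copying `ROOT` and `INTER` into that template's store makes the same call return "ok".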

