Commit warning: certificate chain not correctly formed in certificate

Created On 01/13/21 09:05 AM - Last Modified 11/03/22 03:17 AM


Symptom


  • The certificate is a CA certificate generated outside of the firewall, with a private key that was not stored on the Palo Alto NGFW.
  • The certificate is in PFX format; the import with passphrase succeeds, but after Forward Trust is enabled on the certificate, every commit produces a warning about the certificate chain.
  • A log snippet from ms.log (less mp-log ms.log) shows the following:
Warning: pan_fill_ca(pan_config_parser_net.c:9144): certificate chain not correctly formed in certificate FWTrust


Environment


  • Palo Alto Firewall
  • Supported PAN-OS
  • Certificates
  • The CSR was not generated on the firewall.
Note: CSR = Certificate Signing Request


Cause


Here, the imported certificate bundle has its certificates in the wrong sequence, which is what produces the chain error.
Typically, the correct order of certificates in a bundle is as below.
  1. End-user Certificate - Issued to: example.com; Issued By: IntermediateCert1
  2. Intermediate Certificate 1 - Issued to: IntermediateCert1; Issued By: IntermediateCert2
  3. Intermediate Certificate 2 - Issued to: IntermediateCert2; Issued By: Root certificate
  4. Root certificate - Issued to and Issued By: Root certificate.


Resolution


To fix the issue, request that the certificate vendor provide the certificate bundle in the correct sequence. It can also be fixed by rearranging the certificates with openssl and a text editor:

  1. Get the certificate in .PFX file format.
  2. Convert the .PFX file to .PEM format and make a copy for safekeeping.
  3. Open the .PEM file in a text editor.
  4. Move the certificates into the correct sequence as described above.
  5. Import the combined .PEM file to the firewall with the private key.

The openssl commands for the conversion in step 2 (export the certificates without the key, export the key and reduce it to the bare private key, then concatenate the two):
openssl pkcs12 -in cert.pfx -out file.nokey.pem -nokeys
openssl pkcs12 -in cert.pfx -out file.withkey.pem
openssl rsa -in file.withkey.pem -out file.key
cat file.nokey.pem file.key > file.combo.pem

Note:
  • Here file.combo.pem contains the certificate chain followed by the private key, and the certificate sequence must be correct as well. Open the file in a text editor to verify the order.
  • Import the .pem file directly into the NGFW and select the import private key checkbox.
  • Do not select a separate key file, as the key is already in the .pem file. Provide the passphrase and import.
  • The certificate should now commit without any errors.


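Opening file.combo.pem in a text editor and comparing Issued To / Issued By by hand is error-prone for long chains. The script below is an added example, not code from this article or from Palo Alto Networks: it splits a PEM bundle into its CERTIFICATE blocks, resolves each block's subject and issuer, and walks the chain leaf, intermediate(s), root in the order the Cause section describes, reporting a missing intermediate or a stray certificate instead of silently accepting it. For real certificates the subject/issuer lookup shells out to `openssl x509 -noout -subject -issuer`; the demo data at the bottom is constructed (placeholder blocks with a hand-written subject/issuer table mirroring the article's example names) so the file runs without openssl.

```python
"""Verify and repair certificate order in a PEM bundle before importing it.

Added example (not from the Palo Alto Networks article). The certificate
metadata lookup is pluggable: openssl_subject_issuer() for real PEM blocks,
demo_subject_issuer() for the constructed placeholders used below.
"""
import re
import subprocess
from typing import Callable, Dict, List, Tuple

CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
KEY_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----", re.S)

SubjectIssuer = Callable[[str], Tuple[str, str]]


def openssl_subject_issuer(pem_block: str) -> Tuple[str, str]:
    """Return (subject, issuer) of one PEM certificate via the openssl CLI."""
    out = subprocess.run(
        ["openssl", "x509", "-noout", "-subject", "-issuer"],
        input=pem_block, capture_output=True, text=True, check=True,
    ).stdout
    fields = dict(line.split("=", 1) for line in out.splitlines() if "=" in line)
    return fields["subject"].strip(), fields["issuer"].strip()


def order_chain(blocks: List[str], subject_issuer: SubjectIssuer) -> List[str]:
    """Return the blocks ordered leaf first, root last.

    A bundle that stops at an intermediate (root not included) is accepted.
    ValueError is raised when the blocks do not form one unbroken chain:
    no leaf or several leaves, a missing intermediate, or a certificate
    that is not reachable from the leaf at all.
    """
    meta: Dict[str, Tuple[str, str]] = {b: subject_issuer(b) for b in blocks}
    by_subject = {subj: b for b, (subj, _) in meta.items()}
    issuers = {iss for _, iss in meta.values()}
    # The leaf is the only certificate nobody names as issuer; a self-signed
    # root names itself, so it never qualifies.
    leaves = [b for b, (subj, _) in meta.items() if subj not in issuers]
    if len(leaves) != 1:
        raise ValueError(f"expected exactly one leaf certificate, found {len(leaves)}")

    ordered = [leaves[0]]
    while True:
        subj, iss = meta[ordered[-1]]
        if subj == iss or iss not in by_subject:
            break  # reached the self-signed root, or the bundle ends here
        ordered.append(by_subject[iss])
    if len(ordered) != len(blocks):
        unreachable = len(blocks) - len(ordered)
        raise ValueError(
            f"chain broken: {unreachable} certificate(s) not reachable from the "
            f"leaf (missing intermediate or unrelated certificate in bundle)")
    return ordered


def is_correctly_ordered(blocks: List[str], subject_issuer: SubjectIssuer) -> bool:
    """True when the bundle is already in leaf -> root order."""
    return blocks == order_chain(blocks, subject_issuer)


def rebuild_bundle(bundle: str, subject_issuer: SubjectIssuer) -> str:
    """Rewrite a PEM bundle with its certificates in chain order, keeping any
    private-key block after the certificates, as file.combo.pem is laid out."""
    certs = order_chain(CERT_RE.findall(bundle), subject_issuer)
    keys = KEY_RE.findall(bundle)
    return "\n".join(certs + keys) + "\n"


# --- constructed demo data: placeholder blocks, not real certificates --------
def _placeholder(tag: str) -> str:
    return f"-----BEGIN CERTIFICATE-----\n{tag}\n-----END CERTIFICATE-----"


LEAF, INTER1, INTER2, ROOT = (_placeholder(t) for t in ("LEAF", "INTER1", "INTER2", "ROOT"))
FAKE_KEY = "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER-KEY\n-----END PRIVATE KEY-----"

# Subject/issuer pairs mirroring the article's example chain (constructed).
DEMO_META = {
    LEAF:   ("CN=example.com", "CN=IntermediateCert1"),
    INTER1: ("CN=IntermediateCert1", "CN=IntermediateCert2"),
    INTER2: ("CN=IntermediateCert2", "CN=Root certificate"),
    ROOT:   ("CN=Root certificate", "CN=Root certificate"),
}


def demo_subject_issuer(block: str) -> Tuple[str, str]:
    return DEMO_META[block]


# A vendor-supplied bundle with the certificates out of sequence (constructed).
MISORDERED_BUNDLE = "\n".join([ROOT, INTER2, LEAF, INTER1, FAKE_KEY]) + "\n"

if __name__ == "__main__":
    blocks = CERT_RE.findall(MISORDERED_BUNDLE)
    print("ordered correctly:", is_correctly_ordered(blocks, demo_subject_issuer))
    print(rebuild_bundle(MISORDERED_BUNDLE, demo_subject_issuer))
```

On a real file, call `rebuild_bundle(open("file.combo.pem").read(), openssl_subject_issuer)` and write the result to a new file for import; the reordering relies only on subject/issuer name matching, so it does not replace signature verification (for example `openssl verify`), it just catches the wrong-sequence condition this article describes before the commit does.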
Additional Information


This is not an issue with the Palo Alto Firewall, but a problem with the certificate itself.
