Commit warning: certificate chain not correctly formed in certificate
30754
Created On 01/13/21 09:05 AM - Last Modified 11/03/22 03:17 AM
Symptom
- The certificate is a CA certificate generated outside the firewall; its private key is not stored on the Palo Alto NGFW.
- The certificate is in PFX format and imports successfully with its passphrase, but after Forward Trust is enabled on it every commit produces a warning about the certificate chain.
- ms.log (viewed with less mp-log ms.log) shows the following:
Warning: pan_fill_ca(pan_config_parser_net.c:9144): certificate chain not correctly formed in certificate FWTrust
Environment
- Palo Alto Firewall
- Supported PAN-OS
- Certificates
- CSR was not generated on firewall.
Cause
The imported certificate bundle lists its certificates in the wrong sequence, so the firewall cannot build the chain and reports the error.
Typically, the correct order of certificates in a bundle is as below.
- End-user Certificate - Issued to: example.com; Issued By: IntermediateCert1
- Intermediate Certificate 1 - Issued to: IntermediateCert1; Issued By: IntermediateCert2
- Intermediate Certificate 2 - Issued to: IntermediateCert2; Issued By: Root certificate
- Root certificate - Issued to and Issued By: Root certificate.
Resolution
To fix the issue, ask the certificate vendor to provide the bundle in the correct sequence. Alternatively, reorder the certificates yourself using openssl as follows.
- Get the Certificate in a .PFX file format
- Convert .PFX file to a .PEM file format and make a copy for safekeeping.
- Open the .PEM file in a text editor.
- Rearrange the certificate blocks into the correct sequence described above.
- Import the .PEM combined file to firewall with private key.
# Extract only the certificates (end-user, intermediates, root) from the PFX
openssl pkcs12 -in cert.pfx -out file.nokey.pem -nokeys
# Extract the certificates together with the private key (prompts for a PEM passphrase to protect the key)
openssl pkcs12 -in cert.pfx -out file.withkey.pem
# Write the RSA private key out on its own (prompts for the passphrase set above); use openssl pkey instead for a non-RSA key
openssl rsa -in file.withkey.pem -out file.key
# Combine the reordered certificates and the key into one file for import
cat file.nokey.pem file.key > file.combo.pem
Note:
- file.combo.pem now contains the certificates followed by the private key, and the certificate sequence must be correct as well. Open the file in a text editor to validate it.
- Import the .PEM file directly into the NGFW and select the import private key checkbox.
- Do not select a separate key file, because the key is already in the .PEM file. Enter the passphrase and import.
- The certificate should now no longer cause any errors during the commit process.
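The reordering and the validation in the notes above can be scripted instead of done by hand. The following POSIX shell script is an added example, not part of this article or of PAN-OS: it assumes a bundle that contains only certificates (run it on file.nokey.pem before appending the key), and its file and function names are illustrative. It builds a throwaway three-certificate chain with openssl as constructed sample data.

```shell
# Reorder a PEM certificate bundle into end-user -> intermediate(s) -> root sequence and verify it.
# Needs only POSIX sh and openssl; all file and function names are illustrative (not PAN-OS).
# Split bundle $1 into $2/cert.1, $2/cert.2, ... keeping only the BEGIN..END blocks
# (this also drops the "Bag Attributes" lines that openssl pkcs12 writes before each cert).
split_bundle() {
  awk -v d="$2" '/-----BEGIN CERTIFICATE-----/{n++; p=1} p{print > (d "/cert." n)}
                 /-----END CERTIFICATE-----/{p=0}' "$1"
}
# Normalized (RFC 2253) name of one certificate file: name_of FILE subject|issuer
name_of() { openssl x509 -in "$1" -noout -"$2" -nameopt RFC2253 | sed 's/^[a-z]*= *//'; }
# Print the cert files in chain order: start at the end-user cert (the one that issued no other
# cert in the bundle), then keep appending whichever certificate issued the current one.
order_chain() {
  cur=""
  for f in "$1"/cert.*; do
    s=$(name_of "$f" subject); found=0
    for g in "$1"/cert.*; do [ "$g" != "$f" ] && [ "$(name_of "$g" issuer)" = "$s" ] && found=1; done
    [ "$found" -eq 0 ] && { cur=$f; break; }
  done
  while [ -n "$cur" ]; do
    echo "$cur"; iss=$(name_of "$cur" issuer); next=""
    for g in "$1"/cert.*; do [ "$g" != "$cur" ] && [ "$(name_of "$g" subject)" = "$iss" ] && next=$g; done
    cur=$next   # empty at the self-issued root (or when an intermediate is missing)
  done
}
# Rewrite bundle $1 as $2 in the correct sequence
reorder_bundle() {
  d=$(mktemp -d); split_bundle "$1" "$d"; : > "$2"
  for f in $(order_chain "$d"); do cat "$f" >> "$2"; done
  rm -rf "$d"
}
# Exit 0 only when every certificate's issuer is the subject of the next certificate
check_order() {
  d=$(mktemp -d); split_bundle "$1" "$d"; n=$(ls "$d" | wc -l | tr -d ' '); i=1; rc=0
  while [ "$i" -lt "$n" ]; do
    [ "$(name_of "$d/cert.$i" issuer)" = "$(name_of "$d/cert.$((i+1))" subject)" ] || rc=1
    i=$((i+1))
  done
  rm -rf "$d"; return "$rc"
}
# Constructed demo data: a throwaway 3-level chain written to $1 in the WRONG order
make_demo_bundle() {
  t=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=DemoRoot -keyout "$t/r.key" -out "$t/r.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj /CN=DemoInt -keyout "$t/i.key" -out "$t/i.csr" 2>/dev/null
  openssl x509 -req -in "$t/i.csr" -CA "$t/r.crt" -CAkey "$t/r.key" -CAcreateserial -out "$t/i.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj /CN=example.com -keyout "$t/l.key" -out "$t/l.csr" 2>/dev/null
  openssl x509 -req -in "$t/l.csr" -CA "$t/i.crt" -CAkey "$t/i.key" -CAcreateserial -out "$t/l.crt" 2>/dev/null
  cat "$t/r.crt" "$t/l.crt" "$t/i.crt" > "$1"; rm -rf "$t"
}
```

Run `make_demo_bundle wrong.pem; check_order wrong.pem || reorder_bundle wrong.pem fixed.pem` to see the check fail on the shuffled bundle and succeed on the rewritten one.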
Additional Information
This is not an issue with the Palo Alto firewall but with the certificate bundle itself.