Commit from Prisma Access cloud manager fails with generic error after importing a certificate with private key to cloud manager.
Created On 04/24/23 05:19 AM - Last Modified 10/05/23 23:09 PM
Symptom
- Prisma Access admin imports a certificate along with private key to Cloud manager and enables Forward Trust Certificate for that certificate.
- The certificate is imported in PEM format.
- The Prisma Access commit then fails with the error "The Prisma Access infrastructure team is looking into the commit issue. Go to the Prisma Access Dashboard for real-time status information"
- Disabling the Forward Trust Certificate on this new certificate and deleting it fixes the commit failure issue.
Environment
- Prisma Access Cloud managed
- Certificate management
Note: This issue is not applicable to Prisma Access managed by Panorama.
Cause
- The cloud manager has Block Export of Private Keys option enabled by default and it cannot be changed.
- This causes the certificate pushed to the Prisma Access SPN (either Mobile Users or Remote Networks) to go out without its private key.
- Commit fails because no private keys are found.
Resolution
- Download the certificate to the client machine.
- Convert the certificate to PKCS12 format.
- Import the certificate in this format, which carries the private key inside the bundle, and enable the Forward Trust Certificate.
- Push the changes to Prisma Access.
- Now the commit will be successful.
Note: This does not alter the intended functionality of the imported certificate. The only change is the file format.
Additional Information
OpenSSL commands can be used to convert the certificates to any desired format.
Example guide from a certificate authority vendor.
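The conversion step of the resolution above, as an added example that is not part of this article: it bundles the PEM certificate and its private key into a PKCS#12 file with the openssl CLI and then checks that the bundle actually contains the key before it is imported. The file names, the friendly name and the passphrase are assumptions; the self-signed test material is constructed only so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the article): PEM cert + key -> PKCS#12 for Cloud Manager import.
# File names, friendly name and passphrase are assumptions; replace with your own.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Constructed test material: a throwaway self-signed certificate and key so the
# script can run offline. In practice use the PEM files downloaded from Cloud Manager.
make_test_material() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=example-forward-trust" \
        -keyout "$WORKDIR/fwd-trust.key" -out "$WORKDIR/fwd-trust.crt" \
        >/dev/null 2>&1
}

# Bundle a PEM certificate and its private key into a passphrase-protected PKCS#12 file.
# $1 = certificate PEM, $2 = private key PEM, $3 = output .p12, $4 = export passphrase
pem_to_pkcs12() {
    openssl pkcs12 -export \
        -in "$1" -inkey "$2" \
        -name "forward-trust" \
        -out "$3" -passout "pass:$4"
}

# Pre-import check: returns 0 only if the bundle carries a private key.
# $1 = .p12 file, $2 = passphrase
pkcs12_has_private_key() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
        | grep -q 'PRIVATE KEY'
}

# Pre-import check: returns 0 only if the bundle carries the certificate.
# $1 = .p12 file, $2 = passphrase
pkcs12_has_certificate() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
        | grep -q 'BEGIN CERTIFICATE'
}
```

If the certificate was issued by an intermediate CA, pass the chain with `-certfile chain.pem` so the SPN receives the full chain; with OpenSSL 3, the `-legacy` option produces the older PKCS#12 encryption should an importer reject the default AES-based encoding.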