Error when importing a certificate: public-key is invalid, node length too long

Created On 04/28/21 00:01 AM - Last Modified 06/22/22 22:11 PM


Symptom


Validation error during commit after importing a new certificate in PKCS #12 format:

Validation Error:
  devices -> certificate -> cert-name -> public-key Node can be at most 16384 characters, but current length: 44558
  devices -> certificate -> cert-name -> public-key is invalid


Environment


  • Palo Alto Networks firewall or Panorama
  • PAN-OS 8.1 and above
  • PKCS #12 certificate in .p12 format


Cause


  • PAN-OS limits the size of the imported PKCS #12 certificate to 16,384 characters
  • This limit is most commonly encountered when the imported certificate contains an entire chain of certificates
  • The chain of certificates might include multiple intermediate CAs which lengthen the .p12 file unnecessarily


Resolution


Shorten the certificate before importing it. For a .p12 file, this involves first converting it to PEM format, then inspecting the PEM file in a text editor to shorten it as needed. This procedure must be performed on a system capable of running OpenSSL (not the firewall or Panorama):

1. Convert the .p12 certificate to .pem using OpenSSL:
openssl pkcs12 -in original_file.p12 -out crt.pem -clcerts -nokeys
2. Convert the .p12 key to .pem using OpenSSL:
openssl pkcs12 -in original_file.p12 -out key.pem -nocerts -nodes
3. Edit crt.pem in a text editor to remove any unnecessary chained certificates. In the example below, only the first block (the server certificate, subject CN=SERVER-CERT) is kept for import to the firewall; the intermediate and root CA blocks that follow it (shown as strikethrough text in the original article) are the ones to delete:
subject=/CN=SERVER-CERT
issuer=/CN=INTERMEDIATE-CERT
-----BEGIN CERTIFICATE-----
MIIJOzCCCCOgAwIBAgIQA/WD/BYooZ+/glRf6LwVYjANBgkqhkiG9w0BAQsFADB1
-----END CERTIFICATE-----

subject=/CN=INTERMEDIATE-CERT
issuer=/CN=ROOT-CA-CERT
-----BEGIN CERTIFICATE-----
MIIEtjCCA56gAwIBAgIQDHmpRLCMEZUgkmFf4msdgzANBgkqhkiG9w0BAQsFADBs
-----END CERTIFICATE-----

subject=/CN=ROOT-CA-CERT
issuer=/CN=ROOT-CA-CERT
-----BEGIN CERTIFICATE-----
MIIEtjCCA56gAwIBAgIQDHmpRLCMEZUgkmFf4msdgzANBgkqhkiG9w0BAQsFADBs
-----END CERTIFICATE-----
4. Combine crt.pem and key.pem into a single PFX file which will be imported to PAN-OS:
openssl pkcs12 -inkey key.pem -in crt.pem -export -out cert_and_key.pfx

The new cert_and_key.pfx can be imported into Panorama or the firewall using the same procedure that initially generated the validation error.
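Step 3 above is a manual edit, which is error-prone on long chains. The following is an added example, not Palo Alto Networks code, that automates it: it parses the subject=/issuer= headers and certificate blocks that `openssl pkcs12` prints, keeps only the end-entity certificate (the one whose subject is not the issuer of any other certificate in the bundle), and checks the result against the 16,384-character limit quoted in the validation error. The sample bundle is constructed in the same layout as the example above; its certificate bodies are placeholders, not real certificates, and the 16384 limit is taken from the error message on this page.

```python
"""Trim an OpenSSL-style PEM bundle down to the end-entity certificate.

Added example (not Palo Alto Networks code). Automates step 3 of the
resolution: given the text that `openssl pkcs12 ... -nokeys` prints, keep
only the certificate that issues nothing else in the bundle and report
whether it fits under the PAN-OS public-key length limit.
Only the standard library is used.
"""
import re

# Limit quoted in the PAN-OS validation error ("can be at most 16384 characters").
PANOS_PUBLIC_KEY_LIMIT = 16384

# Constructed sample in the layout openssl pkcs12 prints; bodies are placeholders.
SAMPLE_BUNDLE = """\
subject=/CN=SERVER-CERT
issuer=/CN=INTERMEDIATE-CERT
-----BEGIN CERTIFICATE-----
MIIJOzCCCCOgAwIBAgIQA/WD/BYooZ+/glRf6LwVYjANBgkqhkiG9w0BAQsFADB1
-----END CERTIFICATE-----

subject=/CN=INTERMEDIATE-CERT
issuer=/CN=ROOT-CA-CERT
-----BEGIN CERTIFICATE-----
MIIEtjCCA56gAwIBAgIQDHmpRLCMEZUgkmFf4msdgzANBgkqhkiG9w0BAQsFADBs
-----END CERTIFICATE-----

subject=/CN=ROOT-CA-CERT
issuer=/CN=ROOT-CA-CERT
-----BEGIN CERTIFICATE-----
MIIEtjCCA56gAwIBAgIQDHmpRLCMEZUgkmFf4msdgzANBgkqhkiG9w0BAQsFADBs
-----END CERTIFICATE-----
"""

# One certificate entry: subject line, issuer line, then the PEM block.
# Any "Bag Attributes" lines openssl prints before "subject=" are skipped.
BLOCK_RE = re.compile(
    r"subject=(?P<subject>[^\n]*)\n"
    r"issuer=(?P<issuer>[^\n]*)\n"
    r"(?P<pem>-----BEGIN CERTIFICATE-----\n.*?-----END CERTIFICATE-----)",
    re.S,
)


def parse_bundle(text):
    """Return (subject, issuer, pem_block) tuples in file order."""
    return [(m.group("subject"), m.group("issuer"), m.group("pem"))
            for m in BLOCK_RE.finditer(text)]


def select_leaf(blocks):
    """Pick the end-entity certificate.

    A certificate is the leaf if its subject is not the issuer of any other
    certificate in the bundle and it is not self-signed. A single-entry
    bundle is already minimal and is returned as-is. Raises ValueError if
    the bundle does not contain exactly one candidate.
    """
    if len(blocks) == 1:
        return blocks[0]
    issuers = {issuer for _, issuer, _ in blocks}
    leaves = [b for b in blocks if b[0] not in issuers and b[0] != b[1]]
    if len(leaves) != 1:
        raise ValueError(
            f"expected exactly one end-entity certificate, found {len(leaves)}")
    return leaves[0]


def trim_bundle(text):
    """Return the text of the leaf entry only (headers plus PEM block)."""
    subject, issuer, pem = select_leaf(parse_bundle(text))
    return f"subject={subject}\nissuer={issuer}\n{pem}\n"


def within_limit(pem_text, limit=PANOS_PUBLIC_KEY_LIMIT):
    """True if the text would pass the PAN-OS length check."""
    return len(pem_text) <= limit


if __name__ == "__main__":
    trimmed = trim_bundle(SAMPLE_BUNDLE)
    print(trimmed)
    print(f"{len(trimmed)} characters; within limit: {within_limit(trimmed)}")
```

To use it on a real file, replace `SAMPLE_BUNDLE` with the contents of crt.pem and write the returned text back before running step 4. The header regex accepts both the slash-separated `subject=/CN=...` form shown on this page and the `subject=CN = ...` form newer OpenSSL releases print, since it only requires a `subject=` line immediately followed by an `issuer=` line. Whether the PFX produced in step 4 also stays under the limit depends on the key size as well, so the length check is a guide, not a guarantee; the commit is still the authoritative test.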


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000oM2sCAE&lang=en_US