System logs report "Authentication server certificate verification failed" and "Certificate signature failure decrypt error"
Created On 09/28/22 14:04 PM - Last Modified 12/05/24 22:08 PM
Symptom
- Firewall authentication is configured to use an external RADIUS server.
- The externally signed certificate of the RADIUS server has been imported into the firewall.
- System logs (show log system) and authd logs (less mp-log authd.log) report authentication failure messages with the errors shown below.
System Logs:
08:37 medium auth radius auth-fa failed authentication for user 'XXXXX'. Reason: Authentication server certificate verification failed. auth profile 'radius-auth', vsys 'shared', server profile 'admin-auth_ise', server address '10.X.X.X', auth protocol 'PEAP-MSCHAPv2', reply message 'certificate signature failure; decrypt error' From: 10.X.X.X.
Auth logs:
55:40.592 +0000 Error: EapolStatusCb(pan_auth_eapol.c:997): (AId:7084147726929100899) Certificate error (certificate signature failure)
55:40.592 +0000 Error: EapolStatusCb(pan_auth_eapol.c:997): (AId:7084147726929100899) Certificate error (decrypt error).
Environment
- Palo Alto Firewalls
- PAN-OS 8.1 and above
- Certificates
Cause
The externally signed certificate installed on the firewall (root or intermediate) has a public RSA key larger than 8192 bits.
Resolution
- Ensure that the externally signed certificate installed on the firewall does not use an RSA key larger than 8192 bits.
- The firewall can validate certificates with RSA keys of up to 8192 bits from the destination server; however, the firewall's self-generated certificate presented to the client supports RSA keys only up to 4096 bits.
- In the example below, the root certificate (checked on the server) has an RSA key of 16384 bits.
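As an added example (not part of this article or of PAN-OS), the following POSIX shell script reports the RSA key size of every certificate in a PEM chain file and flags any that exceed the 8192-bit limit described above, so the oversized root or intermediate can be identified before it is imported. It assumes the openssl CLI is installed and that you supply the chain file path; the 4096-bit constant is provided for checking certificates the firewall itself will present.

```shell
#!/bin/sh
# Added example, not from the Palo Alto Networks article: report the RSA key
# size of every certificate in a PEM chain file and flag any that exceed the
# limit the article gives (8192 bits for certificates the firewall verifies).
# Assumes the openssl CLI is installed; the chain file path is supplied by you.

DEFAULT_MAX_BITS=8192   # firewall verifies server-side certs up to 8192-bit RSA
SELF_GEN_MAX_BITS=4096  # firewall self-generated certs support up to 4096-bit RSA

# Return "ok" or "too-large" for an RSA key of $1 bits against a limit of $2 bits.
key_size_verdict() {
  if [ "$1" -gt "$2" ]; then echo "too-large"; else echo "ok"; fi
}

# Read one PEM certificate on stdin and print its RSA modulus size in bits.
# Prints nothing for non-RSA keys (the 'openssl rsa' step fails on EC keys).
cert_rsa_bits() {
  openssl x509 -noout -pubkey 2>/dev/null \
    | openssl rsa -pubin -noout -text 2>/dev/null \
    | sed -n 's/^.*Public-Key: (\([0-9]*\) bit).*$/\1/p'
}

# check_chain FILE [MAX_BITS]: split the chain into single certificates, print
# one line per certificate and return 1 if any RSA key exceeds MAX_BITS.
check_chain() {
  chain="$1"; max="${2:-$DEFAULT_MAX_BITS}"; status=0
  dir=$(mktemp -d) || return 2
  awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/ { n++ }
                   n { print > (d "/cert" n ".pem") }' "$chain"
  for c in "$dir"/cert*.pem; do
    [ -f "$c" ] || continue
    subject=$(openssl x509 -in "$c" -noout -subject 2>/dev/null)
    bits=$(cert_rsa_bits < "$c")
    if [ -z "$bits" ]; then
      echo "SKIP  non-RSA key: $subject"
    elif [ "$(key_size_verdict "$bits" "$max")" = "too-large" ]; then
      echo "FAIL  ${bits}-bit RSA key exceeds ${max} bits: $subject"; status=1
    else
      echo "OK    ${bits}-bit RSA key: $subject"
    fi
  done
  rm -rf "$dir"
  return "$status"
}
```

Run it as `check_chain radius-chain.pem` for the RADIUS server's chain, or `check_chain fw-cert.pem "$SELF_GEN_MAX_BITS"` for a certificate the firewall will present; a non-zero exit means at least one certificate is over the limit.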