
Palo Alto Networks NGFW Certificate Woes

So, this is a topic that has hit me a couple of times, mostly because it’s just not something you do very often. With my brand new PA-440 firewall, I wanted to install certificates that are signed by my internal network certificate authority. It makes it much cleaner when connecting so I don’t get any of those annoying “This is not a trusted connection” messages.

In my environment, I have an offline Root Certificate Authority that I only use to sign the CA certificate for my Intermediate Certificate Authorities. It has been added to my “Trusted Root Certificate Authorities” Certificate Store on all of my systems. I’ve then added the certificate for my Online Intermediate Certificate Authority that signs and issues all of my device certificates. That certificate is added to the “Trusted Intermediate Certificate Authorities” Certificate Store.

Here’s roughly how it goes down for me EVERY. SINGLE. TIME:

I go to the Device Settings, click on Certificates, and then select “Add” to add my Root CA certificate to the firewall. I fill in the details as shown here, giving it a meaningful name and browsing to the Base64-encoded certificate file that I have stored. Once set, I click “OK” to add the certificate.

This works great! The certificate adds to the store just fine:

When I go ahead and “Import” the Intermediate Certificate Authority certificate, I also get a nice success message that shows the import was successful:

I always think I’m in the clear because it nests the Intermediate CA certificate under the Root CA certificate, just as you’d expect. So, I go through the process to generate a new certificate for the firewall and configure it to be signed by an External Authority (aka my Intermediate CA). It generates the Certificate Signing Request (CSR) just fine, and I’m able to create the new certificate.

However (and this is where the frustration and hair-pulling start), when I go to import the new certificate, I get the very “ambiguous” error “The certificate authority chain cannot be found”… EVERY… SINGLE… TIME.

So I start checking EVERYTHING again. Yes, my CA certificates are marked as CAs. Yes, they are marked as “Trusted Root Certificate Authorities”. STILL NO JOY! Off to the Googles I go.

I find your standard assortment of documentation entries and YouTube videos showing how it “should” work. I make sure I’m doing the same thing they are, but it still doesn’t work.

Then, after about a month of off-and-on troubleshooting and Google searches, I manage to put in the right combination of query terms and get pointed to this knowledge base entry:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLs7CAG

As I read through the entry, I notice the following conditions for cause:

  • Root CA certificate name contains spaces, and/or
  • Intermediate Root CA certificate name contains spaces

Did you happen to see what I named my CA certificates??? THAT’S RIGHT!!!

  • Darkhonor Root CA
  • Darkhonor CA-1

So, I go delete the two certificates and re-import them without spaces in their names as such:

  • dcaroot
  • dca-intermediate

I re-import the certificate that I created earlier and sure enough it works right away.

It’s frustrating, because in the 4-5 times I’ve done this over the past 5 years, whenever I’ve been able to be part of the initial configuration team, I’ve run across this same self-inflicted problem. So, here I am, sharing my pain and frustration with you, so that hopefully you will be able to get your certificate chains set up right the first time.

Please share and comment if this was helpful for you.
