FortiGate
johnathan (Staff)
Article Id 343905
Description This article describes how to resolve a scenario where a PKCS12 / PFX Certificate uploaded does not include the full certificate chain.
Scope FortiGate v7.x.x+
Solution

When a .pfx or .p12 certificate bundle is uploaded onto the firewall, only the server certificate (and its private key) is imported; the intermediate and root certificates contained in the bundle are not. This causes problems when clients require the full chain to validate the certificate.
To work around this, use 'openssl' on Windows or Linux to extract the remaining certificates from the bundle and upload them manually onto the firewall.
 
The command to do this is:

openssl pkcs12 -nokeys -info -in [cert.pfx/.p12] -passin pass:[password]

[Screenshot: output.PNG]

In the screenshot, the '-legacy' flag was added to this command because the bundle was encrypted with a legacy algorithm: OpenSSL 3.x moved the old PKCS12 ciphers (such as RC2-40) into its legacy provider, so bundles created with older tools fail to open without '-legacy'.

The first certificate in the output is normally the server certificate, which the firewall already imported from the bundle. If the output shows only one certificate, the bundle did not contain the intermediate certificates.
 

[Screenshot: output2.PNG]
The rest of the output lists every other certificate in the bundle. Each block from '-----BEGIN CERTIFICATE-----' to '-----END CERTIFICATE-----' (inclusive) is one certificate: copy each block into its own new .cer file, then import those files into the firewall as 'CA certificates'.
 

[Screenshots: output3.PNG, ca cert.PNG, ca cert2_correct.PNG, ca cert3.PNG]
The firewall will then present these certificates to the client, together with the server certificate, as a complete chain.
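As an added example (not part of the Fortinet article), the following POSIX shell functions automate the steps above: extract_pfx_certs runs the openssl command with a '-legacy' retry, split_pem_bundle writes each certificate from the dump to its own .cer file, and chain_summary labels each entry so it is clear which one is the server certificate already on the firewall. The PFX path and password arguments are placeholders, and the embedded sample bundle is constructed (its PEM bodies are not real certificates).

```shell
# Added example (not from the Fortinet article): split the dump produced by
# `openssl pkcs12 -nokeys -info` into one .cer per certificate and label each.
# Dump all certificates in PFX $1 (password $2) to $3; retry with -legacy,
# which OpenSSL 3.x needs for bundles encrypted with the old RC2-40 cipher.
extract_pfx_certs() {
  openssl pkcs12 -nokeys -info -in "$1" -passin "pass:$2" -out "$3" 2>/dev/null ||
    openssl pkcs12 -legacy -nokeys -info -in "$1" -passin "pass:$2" -out "$3"
}
# Write cert-1.cer, cert-2.cer, ... into directory $2 and print the count.
# cert-1.cer is normally the server cert already on the firewall; import the rest.
split_pem_bundle() {
  mkdir -p "$2"
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%d.cer", dir, n) }
    f != ""                       { print > f }
    /-----END CERTIFICATE-----/   { close(f); f = "" }
    END                           { print n + 0 }' "$1"
}
# Role per certificate from the subject=/issuer= lines -info prints before each
# PEM block; subject equal to issuer marks a self-signed root.
chain_summary() {
  awk '
    /^subject=/ { sub(/^subject=/, ""); subj = $0 }
    /^issuer=/  { sub(/^issuer=/, "");  iss = $0 }
    /-----BEGIN CERTIFICATE-----/ {
      n++
      role = (subj == iss) ? "self-signed root" : (n == 1 ? "leaf" : "intermediate")
      printf "%d: %s | issuer: %s | %s\n", n, subj, iss, role
    }' "$1"
}
# Constructed stand-in for a real dump (PEM bodies are not real certificates).
sample_bundle() {
  cat <<'EOF'
subject=CN=www.example.com
issuer=CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
QUJDRA==
-----END CERTIFICATE-----
subject=CN=Example Intermediate CA
issuer=CN=Example Root CA
-----BEGIN CERTIFICATE-----
RUZHSA==
-----END CERTIFICATE-----
subject=CN=Example Root CA
issuer=CN=Example Root CA
-----BEGIN CERTIFICATE-----
SUpLTA==
-----END CERTIFICATE-----
EOF
}
```

Run `extract_pfx_certs cert.pfx 'password' dump.txt`, then `chain_summary dump.txt` and `split_pem_bundle dump.txt certs` to get the .cer files to import; the sample_bundle function stands in for dump.txt when trying it offline.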