null
Level 8
Message 1 of 7

Installing certificate chains in MWG - SSL Client Context with CA


Greetings,

I am trying to install a signed certificate and associated chain on the MWG. I have the certificate file, the key file and the intermediary certificate file.

As per the Product guide, only the intermediary certificate is in the file I point to when uploading the certificate chain. All files are PEM format.

When I install them I get an error:

"Verifying certificate chain failed: unable to find valid certification path to requested target
Chain for certificate "xxxxxx.com" has to start from certificate "Entrust Certification Authority - L1M" towards root certificate."

L1M is the intermediary certificate I am trying to install and was obtained from the vendor website.

I can verify the certificate and the intermediary using openssl verify -CAfile intermediary.file certificate file.

This is driving me nuts so any help would be appreciated.

1 Solution

Accepted Solutions
null
Level 8
Message 6 of 7

Re: Installing certificate chains in MWG - SSL Client Context with CA


Just so a solution is captured, this is the outcome:

There seems to be a bug in uploading certificate chains when using extended validation (a.k.a. EV or Gold) certificates and this has been passed to engineering to investigate. The workaround is to manually copy and paste the certificate chain contents into the certificate chain. In my case the copy and paste failed and I had to delete and re-create the SSL context without CA setting again, copy and paste the certificate chain and update rules accordingly.


6 Replies
fw_mon
Reliable Contributor
Message 2 of 7

Re: Installing certificate chains in MWG - SSL Client Context with CA


Besides the chain issue, which cannot be troubleshot here without you providing more details, keep in mind that if you use "SSL Client Context with CA" for the SSL Scanner, then only an internal CA/SubCA from your PKI or a self-signed CA can be used. Check this link for more details: https://community.mcafee.com/t5/Documents/Web-Gateway-Deploying-a-trusted-CA-to-your-Clients/ta-p/55...

MWG+Splunk=❤
null
Level 8
Message 3 of 7

Re: Installing certificate chains in MWG - SSL Client Context with CA


Thanks for the reply.

This specific instance is a reverse proxy and the CA is signed by an external Trusted CA. The root certificate is already included in both the McAfee subscribed lists and in the browser Trusted CA store.

As far as I can determine I should only need to load the intermediary certificate in the certificate chain to complete the chain. Installing the intermediary in the certificate chain is what is causing all the problems.

Please let me know what other details you would need to provide help in troubleshooting.

 

Thanks

fw_mon
Reliable Contributor
Message 4 of 7

Re: Installing certificate chains in MWG - SSL Client Context with CA

null
Level 8
Message 5 of 7

Re: Installing certificate chains in MWG - SSL Client Context with CA


Thanks for the reply but with or without CA I still get the same issue.

I logged a call and support came back saying that importing certificates does not work due to a bug which they are trying to resolve.

They suggested that in the interim the certificate chain needs to be copied and pasted in manually as a workaround. This unfortunately resulted in a different error in my case but has resolved the issue in others.

Guess I will have to wait to see what the resolution is and then I will update this post.

Thanks to everyone who took the time.


luciangb
Level 9
Message 7 of 7

Re: Installing certificate chains in MWG - SSL Client Context with CA


Hello,

I had a somewhat similar issue when trying to import a server certificate for the "SSL Client Context without CA" - the WebGW's user interface issued an error when trying to perform "Save changes".

After reading this article I opened the .pem file containing the server certificate (without key) in Notepad++ and noticed that the order of the certificates included there was: server certificate, Root CA certificate, Issuing Certification Authority certificate. I have cut the Issuing Certification Authority certificate section and pasted it in between the server certificate and the Root CA certificate sections.

After doing this it was possible to import it and Save changes successfully.

Thank you !
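
The manual reordering described in the post above, automated as an added example that is not part of the original thread and is not McAfee code: it sorts a PEM bundle into server certificate, issuing CA(s), root. It matches certificates by byte-identical issuer and subject names only and does not verify signatures (`openssl verify` does that); `sample_cert` and its names are constructed, unsigned test data.

```python
import base64, re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):  # -> (tag, value_start, value_end) of the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def subject_issuer(pem_block):
    """Return the raw DER subject and issuer Names of one PEM certificate."""
    der = base64.b64decode(re.sub(r"-----[A-Z ]+-----", "", pem_block))
    _, pos, _ = _tlv(der, 0)      # outer Certificate SEQUENCE
    _, pos, end = _tlv(der, pos)  # tbsCertificate SEQUENCE
    fields = []
    while pos < end:
        tag, _, nxt = _tlv(der, pos)
        if tag != 0xA0:           # skip the optional [0] version field
            fields.append(der[pos:nxt])
        pos = nxt
    return fields[4], fields[2]   # serial, sigAlg, issuer, validity, subject

def order_chain(bundle):
    """Reorder a PEM bundle as server certificate -> issuing CA(s) -> root."""
    certs = [(b, *subject_issuer(b)) for b in PEM_RE.findall(bundle)]
    issuer_names = {iss for _, sub, iss in certs if sub != iss}
    leaves = [c for c in certs if c[1] not in issuer_names]
    if len(leaves) != 1:
        raise ValueError("need exactly one server certificate and no gaps in the chain")
    chain, rest = [leaves[0]], [c for c in certs if c is not leaves[0]]
    while rest:
        parent = next((c for c in rest if c[1] == chain[-1][2]), None)
        if parent is None:
            raise ValueError("no certificate in the bundle for the next issuer")
        chain.append(parent)
        rest.remove(parent)
    return "\n".join(c[0] for c in chain) + "\n"

def _der(tag, body):  # builder for the constructed samples; short-form lengths only
    return bytes([tag, len(body)]) + body

def _name(cn):  # Name with a single commonName (OID 2.5.4.3) attribute
    return _der(0x30, _der(0x31, _der(0x30, b"\x06\x03\x55\x04\x03" + _der(0x0C, cn.encode()))))

def sample_cert(subject_cn, issuer_cn):  # constructed, unsigned, cert-shaped test data
    tbs = _der(0x30, _der(0xA0, b"\x02\x01\x02") + b"\x02\x01\x01" + _der(0x30, b"")
               + _name(issuer_cn) + _der(0x30, b"") + _name(subject_cn))
    return "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----" % base64.encodebytes(_der(0x30, tbs)).decode()
```

The error quoted in the first post expects the chain to start at the issuing CA, so for a chain-only field drop the first block of the result.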
