CPUG: The Check Point User Group


Thread: "Bad certificate chain in response" while complete a cert-request

  1. #1
    "Bad certificate chain in response" while complete a cert-request


    I want to complete the installation of a 3rd-party SSL certificate, but the installation of the cert from the CA failed with "Bad certificate chain in response".

    System: UTM-1 Version: NGX (R65) HFA_25 (Hotfix 603)

    I started by importing the CA root certificate as an OPSEC PKI CA certificate and added a new certificate in the VPN section, selecting the new CA cert as the root.

    The request was fine and the CA signed the request normally.

    But trying to install the certificate failed.

    Any ideas??


  2. #2
    Re: "Bad certificate chain in response" while complete a cert-request

    Well, working with R75 and a Microsoft Windows 2008 CA, I had the same problem... A small investigation in Google and SecureKnowledge didn't come up with more information.

    After starting debug on the management (fw debug fwm on TD_ERROR_ALL_ALL=5) and investigating the fw management log, I managed to locate the problem, and it's all about a time zone problem between the CA and the management server. The message "Bad certificate chain in the response" doesn't suit the problem at all. In the debug log you can see the exact message, which in my case was "The certificate is not valid yet".

    Good Luck!!

    Itzik Sharon,
    Security Expert

  3. #3
    Re: "Bad certificate chain in response" while complete a cert-request

    I've seen this exact issue during one of the CCSE R75 labs that involves enrolling Microsoft certificates for a site-to-site VPN. Check your system time and date on both your SmartCenter Server and Microsoft server; they are likely off by a fair amount.

  4. #4
    Re: "Bad certificate chain in response" while complete a cert-request

    Please also check the algorithm used by the certificate, in addition to the date and time. Some old security management servers support SHA-1 certificates only; if you use a SHA-256 certificate, you will get the same error.

    You will find the error message below in the debug output.

    fw_VerifySigned: unsupported algorithm
    fwCert_ValCerts: Certificate is badly signed.
    DoFinishEnrollmentByResponseChain: failed to validate chain path / signature. Certificate is badly signed.
    fwm_set_pki_host_cert: FinishEnrollmentByResponseChain returned with error ='Bad certificate chain in the response.'
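
The two causes reported in this thread (a notBefore that is ahead of the management server's clock, and a signature algorithm the server does not support) can be checked on the CA's response before completing the enrollment. The Python below is an added example, not part of any post and not Check Point code; the names `inspect_cert`, `preflight`, `sample_cert` and the default `supported` set are assumptions made for illustration, and the sample certificate is a constructed, unsigned skeleton.

```python
from datetime import datetime, timezone

SIG_ALGS = {"2a864886f70d010105": "sha1WithRSAEncryption",    # DER OID bytes (hex) -> name
            "2a864886f70d01010b": "sha256WithRSAEncryption"}

def _items(buf):
    """Split DER content into a list of (tag, content) elements."""
    out, pos = [], 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                    # long-form length: next n bytes
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out

def inspect_cert(der):
    """Return (signature algorithm, notBefore in UTC) of a DER X.509 certificate."""
    tbs = _items(_items(_items(der)[0][1])[0][1])      # Certificate -> tbsCertificate fields
    tbs = tbs[1:] if tbs[0][0] == 0xA0 else tbs        # skip the optional [0] version
    oid = _items(tbs[1][1])[0][1].hex()                # signature AlgorithmIdentifier -> OID
    tag, text = _items(tbs[3][1])[0]                   # validity -> notBefore
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime / GeneralizedTime
    return SIG_ALGS.get(oid, oid), datetime.strptime(text.decode(), fmt).replace(tzinfo=timezone.utc)

def preflight(der, local_now, supported=("sha1WithRSAEncryption",)):
    """List the thread's two causes; `supported` is an assumption, set it per server."""
    alg, not_before = inspect_cert(der)
    problems = []
    if not_before > local_now:                         # CA clock ahead of this server's clock
        problems.append(f"not valid yet: notBefore is {not_before - local_now} ahead of local clock")
    if alg not in supported:
        problems.append(f"unsupported signature algorithm: {alg}")
    return problems

def _der(tag, content):                                # minimal encoder for the sample (< 256 bytes)
    n = len(content)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x81, n])) + content

def sample_cert(oid_hex, not_before):                  # constructed, unsigned skeleton (v3, serial 1, empty names)
    alg = _der(0x30, _der(0x06, bytes.fromhex(oid_hex)) + b"\x05\x00")
    validity = _der(0x30, _der(0x17, not_before) + _der(0x17, b"300101000000Z"))
    tbs = _der(0x30, b"\xa0\x03\x02\x01\x02\x02\x01\x01" + alg + b"\x30\x00" + validity + b"\x30\x00")
    return _der(0x30, tbs + alg + _der(0x03, bytes(129)))

if __name__ == "__main__":
    clock = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)    # constructed local clock
    print(preflight(sample_cert("2a864886f70d01010b", b"240301120000Z"), clock))
```

Pass the DER bytes of the certificate the CA returned (convert a PEM file to DER first) and a timezone-aware `local_now` read from the management server.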
