CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: "Bad certificate chain in response" while complete a cert-request

  1. #1
    Join Date
    2009-03-16
    Posts
    1
    Rep Power
    0

    "Bad certificate chain in response" while complete a cert-request

    Hi,

    I want to complete the installation of a 3rd party SSL-certificate, but the installation of the cert from the CA failed with "Bad certificate chain in response".

    System: UTM-1 Version: NGX (R65) HFA_25 (Hotfix 603)

    I started with importing the CA-root-certificate as an OPSEC PKI CA-certificate and added a new certificate in the VPN section, selecting the new CA-cert as the root.

    The request was fine and the CA signed the request normally.

    But trying to install the certificate failed.

    Any ideas??

    Cheers
    Christian

  2. #2
    Join Date
    2008-09-27
    Posts
    5
    Rep Power
    0

    Re: "Bad certificate chain in response" while complete a cert-request

    Well, working with R75 and a Microsoft Windows 2008 CA, I had the same problem... A small investigation in Google and SecureKnowledge didn't come up with more information.

    After starting debug on the management (fw debug fwm on TD_ERROR_ALL_ALL=5) and investigating the fw management log, I managed to locate the problem, and it's all about a time zone problem between the CA and the management server. The message "Bad certificate chain in the response" doesn't suit the problem at all. In the debug log you can see the exact message, which in my case was "The certificate is not valid yet".

    Good Luck!!

    Itzik Sharon,
    Security Expert
    itzik@seclogic.com

  3. #3
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,251
    Rep Power
    14

    Re: "Bad certificate chain in response" while complete a cert-request

    I've seen this exact issue during one of the CCSE R75 labs that involves enrolling Microsoft certificates for a site-to-site VPN. Check your system time and date on both your SmartCenter Server and Microsoft server; they are likely off by a fair amount.

  4. #4
    Join Date
    2013-10-09
    Posts
    1
    Rep Power
    0

    Re: "Bad certificate chain in response" while complete a cert-request

    Please also check the algorithm used by the certificate, in addition to the date and time. Some old security management servers support SHA-1 certificates only; if you use a SHA-256 certificate, you will get the same error.

    You will find the error message below in the debug output.

    fw_VerifySigned: unsupported algorithm
    fwCert_ValCerts: Certificate is badly signed.
    DoFinishEnrollmentByResponseChain: failed to validate chain path / signature. Certificate is badly signed.
    fwm_set_pki_host_cert: FinishEnrollmentByResponseChain returned with error ='Bad certificate chain in the response.'
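
Added example, not part of any post in this thread: a small Python triage of fwm debug output that, for each generic "Bad certificate chain in the response" line, looks back for the specific cause the posters found (certificate not valid yet, unsupported algorithm). The function name `triage`, the lookback window and the last three sample lines are assumptions made for this example.

```python
import re

# Specific causes the thread reports behind the generic enrollment error,
# each mapped to the check the posters recommend.
CAUSES = [
    (re.compile(r"not valid yet", re.I), "clock",
     "compare time, date and time zone on the CA and the management server"),
    (re.compile(r"unsupported algorithm", re.I), "algorithm",
     "check the signature hash; older management servers accept SHA-1 only"),
]
GENERIC = re.compile(r"Bad certificate chain in the response", re.I)

# Sample input. The first four lines are the debug output quoted in post #4;
# the last three are constructed for this example from the message in post #2.
SAMPLE = """\
fw_VerifySigned: unsupported algorithm
fwCert_ValCerts: Certificate is badly signed.
DoFinishEnrollmentByResponseChain: failed to validate chain path / signature. Certificate is badly signed.
fwm_set_pki_host_cert: FinishEnrollmentByResponseChain returned with error ='Bad certificate chain in the response.'
The certificate is not valid yet
fwm_set_pki_host_cert: FinishEnrollmentByResponseChain returned with error ='Bad certificate chain in the response.'
fwm_set_pki_host_cert: FinishEnrollmentByResponseChain returned with error ='Bad certificate chain in the response.'
"""


def triage(log_text, lookback=10):
    """Return one (cause, advice, evidence) tuple per generic enrollment error.

    The search window is the `lookback` lines before the error, cut off at
    the previous generic error so a cause is never attributed twice.
    """
    lines = [l.strip() for l in log_text.splitlines() if l.strip()]
    findings, last_generic = [], -1
    for i, line in enumerate(lines):
        if not GENERIC.search(line):
            continue
        start = max(last_generic + 1, i - lookback)
        hit = ("unknown", "no known cause nearby; read the preceding lines", line)
        for prev in lines[start:i]:
            match = next(((c, a) for rx, c, a in CAUSES if rx.search(prev)), None)
            if match:
                hit = (match[0], match[1], prev)
                break
        findings.append(hit)
        last_generic = i
    return findings


if __name__ == "__main__":
    for cause, advice, evidence in triage(SAMPLE):
        print(f"{cause}: {advice}  [{evidence}]")
```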
