EX SSL-VPN: What Does "The certificate chain is not complete" Indicate?

Resolution

Problem statement

When importing a certificate signing request (CSR) response into an Aventail appliance, the following error may be seen:

The certificate chain is not complete.

Details

This error is typically seen when a certificate authority (CA) does not provide a full certificate chain in the CSR response (a common practice). AMC tries to complete the certificate chain when you import the CSR response. If it cannot, AMC displays this error message: “The certificate chain is not complete.” In that case, you must upload the CA’s root certificate and/or any intermediary public certificate(s) to the appliance. If you are acting as your own CA, you will probably need to perform this step manually.

To complete a certificate chain

Follow these instructions if you have version 8.8.x or later of the appliance:

  1. Obtain the trusted root certificate or intermediary public certificate from the CA. Most external commercial CAs provide the certificates on their Web sites; if the CA is run by your company, check with the server administrator.
  2. From the main navigation menu, click SSL Settings.
  3. On the SSL Settings page, click the Edit link under CA Certificates. The CA Certificates page appears.
  4. Click New.
  5. Upload the certificate:
    • If the certificate is in binary format, click the Browse button and then upload the certificate reply from your local file system (that is, the computer from which you’ve logged in to AMC).
    • If the certificate is in base-64 encoded (PEM) text format, select the Certificate text button and then paste the certificate into the text box. Be sure to include the BEGIN CERTIFICATE and END CERTIFICATE banners.
  6. Click Import to return to the CA Certificates page.
  7. To verify that the certificate was properly uploaded, go back to the CA Certificates page. The new certificate should be in the (alphabetical) list.
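
Before uploading, you can check on your workstation which CA certificate is actually missing. The following is an added example, not SonicWall code and not AMC's own logic: it accepts binary (DER) or PEM input, then follows issuer names from the CSR response up to a self-signed root and reports the first issuer for which no certificate was supplied. It matches names only (no signature or validity checks), and the function and file names are hypothetical.

```python
import base64, re, sys

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def load_certs(data):
    """Return DER certs from PEM text (banners required) or one binary DER blob."""
    if b"-----BEGIN CERTIFICATE-----" in data:
        return [base64.b64decode(b) for b in PEM_RE.findall(data.decode("latin-1"))]
    return [data]

def read_tlv(buf, pos):
    """Read the DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_subject(der):
    """Return the raw DER issuer and subject Names of an X.509 certificate."""
    _, pos, _ = read_tlv(der, 0)    # Certificate ::= SEQUENCE
    _, pos, _ = read_tlv(der, pos)  # TBSCertificate ::= SEQUENCE
    tag, _, end = read_tlv(der, pos)
    if tag == 0xA0:                 # optional [0] version field
        pos = end
    fields = []                     # serial, sigAlg, issuer, validity, subject
    for _i in range(5):
        _, _, end = read_tlv(der, pos)
        fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4]

def missing_issuer(leaf, ca_certs):
    """Follow issuer names from leaf through ca_certs. Return None when a
    self-signed root is reached, else the issuer Name no supplied cert matches."""
    by_subject = {issuer_subject(c)[1]: c for c in ca_certs}
    issuer, subject = issuer_subject(leaf)
    seen = set()
    while issuer != subject:
        if issuer not in by_subject or issuer in seen:  # gap, or a loop with no root
            return issuer
        seen.add(issuer)
        issuer, subject = issuer_subject(by_subject[issuer])
    return None

if __name__ == "__main__" and len(sys.argv) > 2:
    # usage: check_chain.py csr_response.pem ca1.pem [ca2.cer ...]  (hypothetical file names)
    files = [load_certs(open(p, "rb").read()) for p in sys.argv[1:]]
    gap = missing_issuer(files[0][0], [c for f in files for c in f])
    print("chain complete" if gap is None else f"missing CA certificate for issuer (DER hex): {gap.hex()}")
```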
