Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
9316
Views
18
Helpful
7
Replies

ESA - Validation Error : Certificates signature verification failed

Go to solution
LukasPlescher
Level 1
Level 1

‎08-21-2022 11:40 PM

While trying to renew our TLS Certificate we always receive the following error message when trying to submit it:

Validation Error : Certificates signature verification failed

We uploaded a PFX (PKCS#12) certificate which contains the certificate chain and the private key.

The certificate should be "globally recognized" since it was issued by SwissSign.

10 people had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
UdupiKrishna
Cisco Employee
Cisco Employee

‎08-22-2022 07:10 PM

If you are on 14.2, there were new changes implemented surrounding how ESA trust/verifies a certificate that is attempted to be added. I suspect that either the root or intermediate certificate which is the issuer of this signed cert is not on ESA trusted CA store.

If they are not present, gather the copy of these certs in .pem format. Upload them as custom CA certificate, attempt the upload again

View solution in original post

7 Replies 7

Go to solution
UdupiKrishna
Cisco Employee
Cisco Employee

‎08-22-2022 07:10 PM

If you are on 14.2, there were new changes implemented surrounding how ESA trust/verifies a certificate that is attempted to be added. I suspect that either the root or intermediate certificate which is the issuer of this signed cert is not on ESA trusted CA store.

If they are not present, gather the copy of these certs in .pem format. Upload them as custom CA certificate, attempt the upload again

Go to solution
AdokshijaReddyBorrelli17499
Level 1
Level 1
In response to UdupiKrishna

‎01-11-2023 03:16 AM

Hello UdupiKrishna,

After import the certificate in .pfx format it is again asking to Upload Signed Certificate: and which signed certificate do we need to upload is CA certificate or server certificate which needs to be uploaded here. I have tried both got the error like Certificates signature verification failed when i select the SERVER Certificate and "The certificate and key do not match" when i select CA certificate. 

Kindly help us in resolving this issue.

0 Helpful

Go to solution
civas
Level 1
Level 1
In response to UdupiKrishna

‎01-12-2023 03:10 AM

same issue, how can we upload a custom ca certificate in pem format, we only see the import for p12

0 Helpful

Go to solution
Ken Stieers
VIP
VIP
In response to civas

‎01-12-2023 08:49 AM

To add a custom CA cert, in the GUI go to Network/Certificates.
In the middle of the page, there's a section for "Certificate Authorities". On the right end, click on Edit Settings and enable the Custom List, then submit, commit.
Certs are just special encrypted text... so you can take this file and from the page where you enabled the Custom List, you can import your one CA file.

If you need to ADD more than one, just take the text of each cert, and put them in a text file together so it looks like below, and import it as one file with all of the CA certs in it:

-----BEGIN CERTIFICATE-----
MIIHqTCCBZGdfafdagAwIBAgIQY.....
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
MIIHqTCCdfa1dfaBZGgAwIBAgIQY.....
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
MIIHqTCCBZGadfadfgAwIBAgIQY.....
-----END CERTIFICATE-----


Etc...


Go to solution
civas
Level 1
Level 1
In response to Ken Stieers

‎01-13-2023 01:39 AM

once uploaded the ca we were able to install the certificate. thanks

0 Helpful

Go to solution
AdokshijaReddyBorrelli17499
Level 1
Level 1
In response to Ken Stieers

‎01-13-2023 02:23 AM

Thanks Ken, Now issue is resolved and i am able to upload the new certificates.

0 Helpful

Go to solution
IM Support OGCIO
Level 1
Level 1

‎04-15-2024 12:04 AM

I have the same problem that p12 can import to v14.0 without issue but fail importing to v14.2.  The cert's CA is already listed in ESA and this cert is signed by Intermediate Certificate which I cannot import to ESA (said duplicated).

0 Helpful
Customers Also Viewed These Support Documents