Get error importing Certificate "You must import the certificate for"

Hi
I can’t import my proxy certificate.
I get the following error:

"You must import the certificate for <c=GB st=Greater Manchester l=Salford o=COMODO CA Limited cn=COMODO RSA Domain Validation Secure Server CA> before you can import this certificate. Note: Certificates must be imported in this order: root CA > intermediate CA(s) > leaf."

I have imported all root and intermediate certificates that exist in the certificate chain into the Firebox. I still get this error.
Can you please help me?
//marsk

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi KMS3,

    What type did you import them as? You'll generally need to do the root and intermediaries as OTHER.

    If you keep having an issue, I'd suggest opening a case with our support team so they can take a look at the certificate with you.

    Thank you,

    -James Carson
    WatchGuard Customer Support

  • The easiest way to import is to use a PFX file that contains the private key. What method did you use? Do you have a PFX file with private key available?

    Gregg Hill

  • Thank you for your answers.
    Yes, I have imported the certificates in the right order: root -> intermediate.
    Yes, my certificate is a PFX file with private key.
    All COMODO roots and intermediates are imported by default in all Fireboxes.
    Can you please look in your Firebox if you can find the missing certificate mentioned in the error message?

    "You must import the certificate for <c=GB st=Greater Manchester l=Salford o=COMODO CA Limited cn=COMODO RSA Domain Validation Secure Server CA> before you can import this certificate. Note: Certificates must be imported in this order: root CA > intermediate CA(s) > leaf."

    //marsk

  • Ralph WatchGuard Representative

    Hello Marsk,

    Yes. That certificate is listed under Trusted CAs for Proxies. What does your chain look like?

  • Thanks
    Check this site and you can see the certificate: https://remote.elevation.se/
    //marsk

  • Ralph WatchGuard Representative

    Hello Marsk,

    Here's the full chain for this certificate. Make sure links 1 and 2 are present alongside your webserver certificate when importing. Certificates 0, 1 and 2 are your responsibility. The client is responsible for having the issuer of link #2 in its CA store.

    0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=remote.elevation.se
    i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
    1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
    i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
    2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
    i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root

  • I also have the "c=GB st=Greater Manchester l=Salford o=COMODO CA Limited cn=COMODO RSA Domain Validation Secure Server CA" in my T35. I use a newer NameCheap cert (from March 2019) that used to be from Comodo and is now from Sectigo, "c=GB st=Greater Manchester l=Salford o=Sectigo Limited cn=Sectigo RSA Domain Validation Secure Server CA" after importing the PFX file.

    Gregg Hill
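
The chain listing in Ralph's reply can be checked mechanically before an import. The following is an added example, not code from the thread or from WatchGuard: it parses that `s:`/`i:` listing, confirms each issuer is the next link's subject, and returns the import order plus the issuer the client must already trust. The function names are hypothetical, and the comparison is on DN strings only, not signatures.

```python
import re

# Chain listing as posted in the thread (openssl-style "s:" subject / "i:" issuer pairs).
CHAIN_TEXT = """\
0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=remote.elevation.se
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
"""

def parse_chain(text):
    """Return [(depth, subject, issuer), ...] from 'N s:<subject>' / 'i:<issuer>' pairs."""
    chain, current = [], None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^(\d+)\s+s:(.+)$", line)
        if m:
            current = [int(m.group(1)), m.group(2).strip(), None]
            chain.append(current)
        elif line.startswith("i:") and current is not None:
            current[2] = line[2:].strip()
    return [tuple(c) for c in chain]

def check_chain(chain):
    """Return (import_order, missing_issuers, external_anchor) for a leaf-first chain."""
    if not chain:
        raise ValueError("no certificates found in listing")
    # A gap exists wherever a certificate's issuer is not the subject of the next link.
    missing = [issuer for (_, _, issuer), nxt in zip(chain, chain[1:])
               if issuer != nxt[1]]
    top_subject, top_issuer = chain[-1][1], chain[-1][2]
    # If the top link is not self-issued, its issuer must already be in the peer's CA store.
    anchor = None if top_issuer == top_subject else top_issuer
    # Import order quoted in the error message: highest CA first, leaf last.
    import_order = [subject for _, subject, _ in reversed(chain)]
    return import_order, missing, anchor

if __name__ == "__main__":
    order, missing, anchor = check_chain(parse_chain(CHAIN_TEXT))
    print("Import in this order:")
    for subject in order:
        print("  ", subject)
    print("Missing issuers:", missing or "none")
    print("Issuer the client must already trust:", anchor)
```

Dropping link 1 from the parsed chain makes `check_chain` report the same DN that the Firebox error message names as the certificate to import first.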
