Importing a Comodo certificate results in an error.

Hey all,

I'm trying to import a Third Party SSL certificate into my Zywall 110 to protect it.
I can make the request, I can issue it to my provider and I get back the issued certificate. The certificate is a ssl-domain.cer file.
However when I import it into my Zyxel I get the following error:
Validation Result=incomplete path

Does anyone know the solution to get this to work?

Thanks for the help,

Stefan

All Replies

  • zyman2008
    zyman2008 Posts: 167
    You need to use text editor to copy each section of root/intermediate certificate as an individual file.
    -----BEGIN CERTIFICATE-----
    ......
    -----END CERTIFICATE-----

    Then import root CA, intermediate CA into trusted certificate on device GUI.

  • StefanA_VV
    StefanA_VV Posts: 2
    zyman2008 said:
    You need to use text editor to copy each section of root/intermediate certificate as an individual file.
    -----BEGIN CERTIFICATE-----
    ......
    -----END CERTIFICATE-----

    Then import root CA, intermediate CA into trusted certificate on device GUI.

    Can you give me some extra explanation?
    I received 3 files for the provider:
    - Sectigo_RSA_Domain_Validation_Secure_Server_CA.crt
    - ssl_domain.cer   (changed my own domain to domain as example)
    - USERTrust_RSA_Certification_Authority.crt

    Do I need to copy all the content (begin to end certificate) in all 3 files into 1 file (ssl_domain.cer) and import this one?

    I already tried that as a pem file but then I get an error again that it cannot be imported.

    Thanks for the help on this topic.
  • tonygibbs16
    tonygibbs16 Posts: 496
    edited May 2021

    Looking at section 43.12 of the user guide available at https://download.zyxel.com/ZyWALL_110/user_guide/ZyWALL%20110_V4.60_Ed1.pdf and thinking about what I have done recently, I have the following thoughts:

    You mention 3 files
    "Can you give me some extra explanation?
    I received 3 files for the provider:
    - Sectigo_RSA_Domain_Validation_Secure_Server_CA.crt
    - ssl_domain.cer   (changed my own domain to domain as example)
    - USERTrust_RSA_Certification_Authority.crt"

    Looking at the Comodo webpage at https://comodosslstore.com/resources/cer-vs-crt-the-technical-difference-how-to-convert-them/ I see a good explanation of the different file formats.
           - the .crt files might be what you need to use as the Root CA and Intermediate CA certificates, but I do not know if the Zywall 110 can read them.
           - the .cer probably needs converting also.

    I think that to give your Zywall 110 the certificate with the private and public key, that you need a file in one of the formats listed in figure 645 of the user guide, and I think probably as a PEM file.

    You probably also need the Intermediate CA certificate that was used to sign your domain certificate, and the root CA certificate that is used to sign the Intermediate CA certificate.
         - Comodo say at https://help.comodosslstore.com/support/solutions/articles/22000218266-comodo-ca-bundle- that they can provide a bundle of files that will help you to have the Root CA certificate and Intermediate CA certificate that are needed to validate your domain certificate.

    I think that it would be worth asking Comodo and saying that you are trying to install the domain certificate into a Zyxel 110 firewall and that you need the complete chain of certificates.

    I hope that they are able to help you, and that this is helpful.

    Kind regards, Tony

    PS: last year I had to install a wildcard domain certificate onto a Windows Server host, and I needed the private and public key with the certificate in a .pem file in order to install it.
               - and I think that I was given the Intermediate CA and Root CA files I needed with it.

  • tonygibbs16
    tonygibbs16 Posts: 496
    edited May 2021

    The information at https://www.ssl.com/guide/pem-der-crt-and-cer-x-509-encodings-and-conversions/ could also help you know if the files you have are Base-64 encoded ASCII files or DER binary files.
         - if you can read BEGIN CERTIFICATE and END CERTIFICATE using a text editor, then a file is an ASCII file probably with Base-64 encoded information in it.

    The SSL.com web page explains how to use OpenSSL to convert between formats and how to read the files.

    However, I think that you should ask Comodo for help.

    Kind regards,
           Tony

  • zyman2008
    zyman2008 Posts: 167
    ZyWALL supports importing Root/Intermediate CA certificates in base64 or DER binary format.
    So first, import "USERTrust_RSA_Certification_Authority.crt" to Trusted Certificates store.
    Then, import "Sectigo_RSA_Domain_Validation_Secure_Server_CA.crt" to Trusted Certificates store.


    I think the issue is that ZyWALL only supports importing a certificate/key pair in PKCS#12 format.
    I'm not sure what the format of your "ssl_domain.cer" is.
    You can check with your Third Party CA how to convert it into PKCS#12 format.
  • CHS
    CHS Posts: 158
    You may try the third-party software "XCA" to manage your certificates.
    (https://hohnstaedt.de/xca/index.php/download)

    (1) The software has to generate a database when you launch it for the first time.
    (2) Then you can pull (import) all of the certificates into "Certificates".
    (3) Comodo should also have provided the private key to you.
    (4) After confirming the SSL certificate with its private key, you can export it from the software. The certificate format must be *.p12
    (5) Then you should be able to import the SSL certificate into "My Certificate" of ZyWALL110.

  • tonygibbs16
    tonygibbs16 Posts: 496
    edited May 2021

    If there is a domain certificate with a public-private key pair in it, then it seems like Zywall 110 should be able to import it in PEM or PKCS#12 format.

    I do not think that Comodo should have / will have generated the private key, because the intention of PKI is that no one else has the private key, it is kept private, but that it is then paired up with a public key that can be made public.
         - A CA like Comodo can be given a certificate signing request (CSR) that is signed with the private key, but is not given the private key. See https://en.wikipedia.org/wiki/Certificate_signing_request 

    The Zywall 110 can generate a private key and a certification request (CSR) by following section 43.12.3.1 of the Zywall 110 user guide.
          - StefanA_VV , if you did not generate a private key and certificate request (CSR) using your Zywall 110, then you probably need to do that and then get another domain certificate from Comodo using the certificate request from the Zywall 110 that has a public key in it that matches the private key generated, and that is signed by the private key.
                        - section 42.12.3.2 of the Zywall 110 user guide explains how to copy out the certificate request (CSR) in PEM Base 64 format, so that it can be sent to a CA like Comodo to produce a domain certificate.

    Once you have the domain certificate back from Comodo, then the private key can be added to the domain certificate file to make either a PEM or a Binary PKCS#12 file.
         - using a tool like OpenSSL to do it.
                - SSL.com explain how to do that.

    XCA might be helpful in converting certificates, but I feel that it would also need to have the public-private key pair in order to produce what StefanA_VV needs to import into his Zywall 110.

    Then the ca-bundle of Root CA certificate and Intermediate CA certificate and the domain certificate can all be imported into the Zywall 110 and applied so that clients can validate the Zywall 110.

    I hope that this is helpful. It does not look easy.

    Kind regards,
        Tony
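
Added example, not part of any post in this thread: the checks and the OpenSSL conversion discussed above (PEM or DER detection, the "incomplete path" chain check, key-to-certificate match, PKCS#12 export), run against a throwaway PKI built on the spot. Assumptions: the OpenSSL command-line tool is installed, the private key exists as a file off the device (ssl_domain.key is a hypothetical name), and root.crt / inter.crt stand in for the USERTrust and Sectigo files.

```bash
# Added example: all keys and certificates below are constructed test material.
# File names root.*, inter.*, ssl_domain.key and the host name are assumptions.
set -eu
cd "$(mktemp -d)"
q() { "$@" >/dev/null 2>&1; }   # run quietly, keep the exit status

# Constructed PKI: root CA -> intermediate CA -> server certificate
echo 'basicConstraints=critical,CA:TRUE' > ca.ext
q openssl req -newkey rsa:2048 -nodes -subj '/CN=Constructed Root CA' \
    -keyout root.key -out root.csr
q openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext -days 2 -out root.crt
q openssl req -newkey rsa:2048 -nodes -subj '/CN=Constructed Intermediate CA' \
    -keyout inter.key -out inter.csr
q openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -extfile ca.ext -days 2 -out inter.crt
q openssl req -newkey rsa:2048 -nodes -subj '/CN=fw.example.test' \
    -keyout ssl_domain.key -out ssl_domain.csr
q openssl x509 -req -in ssl_domain.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
    -days 2 -out ssl_domain.cer
openssl x509 -in inter.crt -outform DER -out inter.der   # same cert, binary DER

# PEM (Base-64 text) or DER (binary)? Same test as opening it in a text editor.
encoding_of() {
  if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then echo PEM; else echo DER; fi
}

# Does the leaf chain to the root? Arguments: root leaf [intermediate]
chain_ok() {
  if [ -n "${3:-}" ]; then q openssl verify -CAfile "$1" -untrusted "$3" "$2"
  else q openssl verify -CAfile "$1" "$2"; fi
}

# Does this private key belong to this certificate? Compare the public keys.
key_matches() {
  [ "$(openssl pkey -in "$1" -pubout | openssl sha256)" = \
    "$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)" ]
}

# Bundle key + certificate + intermediate into PKCS#12, print the cert count.
make_p12() {   # arguments: key cert intermediate out.p12 password
  openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" -passout "pass:$5" -out "$4"
  openssl pkcs12 -in "$4" -passin "pass:$5" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

chain_ok root.crt ssl_domain.cer           || echo "root only: path is incomplete"
chain_ok root.crt ssl_domain.cer inter.crt && echo "root + intermediate: chain verifies"
key_matches ssl_domain.key ssl_domain.cer  && echo "key matches certificate"
key_matches inter.key ssl_domain.cer       || echo "wrong key is rejected"
echo "certs in PKCS#12: $(make_p12 ssl_domain.key ssl_domain.cer inter.crt ssl_domain.p12 constructed)"
```

If the CSR was generated on the ZyWALL itself, as the last reply describes, the private key stays on the device and there is no key file to bundle; only the encoding and chain checks apply.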
