Trouble installing the CA Bundle in my Duo Access Gateway


I’m having trouble getting the CA Bundle installed in my Duo Access Gateway.

I have the root certificate installed just fine, but when I try to install the bundle, it requires a corresponding private key.

All browsers but Firefox seem accept just the root certificate.

The instructions are to install the Certificate Bundle in the DAG so that all the intermediate certs are in there also.

Has anyone had this issue?



Hey @Gary,

Are you using the Windows or Linux Duo Access Gateway?

If using the Linux Duo Access Gateway you should be able to create a certificate file that in order (top to bottom) has the:

  • Issuing Certificate
  • Intermediate Certificates
  • Root Certificate

You should be able to then upload this and the private key as a separate file.

If using the Windows Duo Access Gateway you may need to contact the company you purchased your SSL certificate from to get them to provide it in the proper format. You could also try convert the PEM files into the proper PFX format by using OpenSSL

Let me know if you have any questions and thanks for being a Duo customer!

– Jamie


Hi Jamie, I ended up getting an FQDN cert for the DAG and I need to generate a CSR for it - how can I generate a CSR for the DAG?


I was able to generate the CSR for the new fqdn cert and I now have it. I’m back to the dreaded “Private key must match uploaded certificate.” Error when attempting to install to the DAG.

I’m importing the CA Bundle and the SSL Cert’s associated private key, do you know why I keep getting this error?