Error Deploying Custom SSL certificate in CA PAM

Article ID: 373372

Products

CA Privileged Access Manager (PAM)
Issue/Introduction

After generating the CSR and receiving the signed SSL certificate from the certificate authority, uploading that certificate into CA PAM fails with the following error.

Error message on the screen: error 20 at 0 depth lookup: unable to get local issuer certificate

SSL certificate is not valid: CN = <CN details> error 20 at 0 depth lookup: unable to get local issuer certificate

Environment

CA PAM all supported versions.

Cause

This can happen for a few reasons:

The certificate chain (intermediate and root CA certificates) was not supplied together with the server certificate, or the certificate is self-signed.

The issuing CA certificate is not in CA PAM's local store of trusted CA certificates (the uploaded CA bundle).

OpenSSL error 20 ("unable to get local issuer certificate") reported at depth 0 means the verifier could not find the issuer of the server certificate itself. That issuer is normally an intermediate CA, so in practice the intermediate certificate is usually what is missing from the CA bundle, even when the root certificate is present.

Resolution

To resolve these verification errors, confirm that the server certificate being uploaded was issued by the CA certificates in the uploaded bundle (every issuer in the chain, up to the root, must be present) and that the certificates are in the correct order.

One option is to download a CA certificate bundle, such as the cacert.pem file, which contains a collection of trusted root CA certificates. This bundle can be obtained from trusted sources. Note that such a bundle contains root certificates only; if the server certificate was issued by an intermediate CA, the intermediate certificate must still be added to the bundle, otherwise the depth 0 lookup error remains.

The below steps can be followed to manually identify the required certificates.

1) Open the final SSL certificate (right-click the certificate file and open it)
2) In the Details tab, make sure that all the CA PAM host names and IP addresses appear (Subject and Subject Alternative Name fields) exactly as given when creating the CSR
3) Click the Certification Path tab; the bottom-most certificate in the path is the server certificate to upload into CA PAM
4) Any certificates between the first and the last certificate are intermediate certificates
5) The top-most certificate is the root certificate
6) Also download the key file from the CA PAM server where the CSR was generated; the certificate can only be used with the key that produced that CSR

If the import of the .p7b (PKCS #7) file into CA PAM fails with an error message like the one above, and the intermediate and root certificates cannot be extracted from the .p7b file on the Windows host for whatever reason, follow the method below to extract the required certificates manually and create the bundle file.

1) Open the provided SSL certificate
2) Go to the Certification Path tab
3) Select the first intermediate certificate and click View Certificate
3.1) Go to the Details tab and click "Copy to File"
4) Select the radio button Base-64 encoded X.509 (.CER) and click Next
4.1) When prompted for a file name, enter a name and location that identify the certificate you are exporting (for example, first_intermediate_certificate) and click Next
4.2) A summary window appears. Click Finish
5) Repeat steps 2 to 4.2 for every other intermediate certificate and for the root certificate (for example, save the root certificate as Root_certificate), so that you have a .CER file for each certificate in the path
6) Open Root_certificate in Notepad or any other text editor
7) Open first_intermediate_certificate in a text editor
7.1) Open all the other intermediate certificates as well
7.2) Paste the contents of first_intermediate_certificate below the contents of Root_certificate
7.3) Paste the contents of the other intermediate certificates below first_intermediate_certificate
7.4) Save the resulting file, which now holds the root and all intermediate certificates (call it Bundle_file)
8) Open the final SSL certificate file with a text editor
9) Open the key file with a text editor
10) Paste the contents of the key file below the SSL certificate and save (for example, as Certificate_with_Key)

Note: Make sure the certificate file extension is .crt


Uploading the certificate into CA PAM

1) Login to CA PAM as the super user
2) Go to Settings-->Security-->Certificates
3) Select the upload tab
4) Select CA Bundles and select the Bundle_File and upload it
5) Next select Certificate with Private Key and upload the Certificate_with_Key file
5.1) Provide the Passphrase as required
6) Go to the Set tab
6.1) In the Filename drop-down, select the uploaded certificate file name if it is not already selected
7) Click on Verify to make sure the Certificate is good
8) Click on Accept to reboot the CA PAM server.


Additional Information

The extraction, bundling and verification steps above can also be performed from the command line, provided OpenSSL is installed and working properly.

https://www.ssl.com/how-to/export-certificates-private-key-from-pkcs12-file-with-openssl/ (Note this is an external link outside of Broadcom)

https://chadstechnoworks.com/wptech/os/how_to_extract_root_and_intermediate_certificates_from_client_certificate.html (Note this is an external link outside of Broadcom)