How To Identify if the Firewall is Blocking Websites Due To Expired CA Certificates.

How To Identify if the Firewall is Blocking Websites Due To Expired CA Certificates.

9566
Created On 06/02/20 17:16 PM - Last Modified 08/28/20 22:34 PM


Objective
How can we confirm whether the certificate used by website has expired root CA or not.

Customers using SSL decryption profile with decryption profile set to "Block sessions with expired certificates". It is expected to see error like below when user is trying to access a website that is providing expired root CA during SSL handshake.
 
User-added image


Environment
  • Website(s) are using expired root certificate(s).
  • SSL Decryption is enabled on the Palo Alto Networks NGFW
  • "Block sessions with expired certificates" is checked on the Decryption profile.


Procedure
  1. Find a system that can access the website(any system bypassing the SSL decryption).
  2. Open wireshark or any other tool to capture traffic and set the filter to SSL or tls.handshake.type==11 ( This will only show the certificate sent by the server)
  3. Access the website on any browser.
  4. Stop the traffic capture.
  5. Open Transport Layer security field and look for Handshake Protocol : Certificate.
  6. Confirm the CN is the website you were accessing.
  7. Look for intermediate and root certificate used by the website.
  8. Open "Signed certificate" field.
  9. Open "Validity" option and look under "Not after".
  10. Confirm the date listed by the root CA.
  11. If the date listed is beyond today's date then cert is expired. 

For example:
User-added image


Additional Information
NOTE:
Since the expired certificate is provided by the Web-server, the Web-server admin will need to update the Intermediate and Root CA.

 


Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g0000008UGi&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments