How To Identify if the Firewall is Blocking Websites Due To Expired CA Certificates.

Created On 06/02/20 17:16 PM - Last Modified 08/28/20 22:34 PM


Objective


How to confirm whether the certificate chain presented by a website includes an expired root CA.

For customers using SSL decryption with a Decryption profile that has "Block sessions with expired certificates" checked, an error like the one below is expected when a user accesses a website that presents an expired root CA during the SSL handshake.

[screenshot of the error (image not reproduced)]


Environment


  • Website(s) are using expired root certificate(s).
  • SSL Decryption is enabled on the Palo Alto Networks NGFW.
  • "Block sessions with expired certificates" is checked on the Decryption profile.


Procedure


  1. Find a system that can access the website (any system that bypasses SSL decryption).
  2. Open Wireshark or another packet capture tool, start capturing, and set the display filter to "ssl" or "tls.handshake.type == 11" (the latter shows only the Certificate message sent by the server).
  3. Access the website in any browser.
  4. Stop the traffic capture.
  5. Expand the Transport Layer Security field and look for "Handshake Protocol: Certificate".
  6. Confirm that the CN is the website you were accessing.
  7. Look for the intermediate and root certificates used by the website.
  8. Expand the "Signed certificate" field.
  9. Expand "Validity" and look under "Not after".
  10. Confirm the date listed for the root CA.
  11. If that "Not after" date is earlier than today's date, the certificate has expired.

For example: [screenshot of the certificate's Validity field in Wireshark (image not reproduced)]
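As an added example (not part of the Palo Alto Networks article), the script below performs the same walk as steps 8 through 11 programmatically: it splits a TLS Certificate handshake message (type 11) into its DER certificates, follows Certificate > tbsCertificate > validity > notAfter in each, and flags any whose "Not after" date is already in the past. The certificate it builds for itself is a constructed DER skeleton, not a real certificate; on real input, pass it the DER bytes of the certificate from the capture.

```python
import datetime as dt

UTC = dt.timezone.utc

def _tlv(buf, pos):
    """Decode one DER tag-length header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def cert_not_after(der):
    """Walk Certificate > tbsCertificate > validity > notAfter; return it as a UTC datetime."""
    _, pos, _ = _tlv(der, 0)              # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, pos, _ = _tlv(der, pos)            # TBSCertificate ::= SEQUENCE { ... }
    if der[pos] == 0xA0:                  # optional [0] EXPLICIT version
        pos = _tlv(der, pos)[2]
    for _ in range(3):                    # skip serialNumber, signature, issuer
        pos = _tlv(der, pos)[2]
    _, pos, _ = _tlv(der, pos)            # Validity ::= SEQUENCE { notBefore, notAfter }
    pos = _tlv(der, pos)[2]               # skip notBefore
    tag, start, end = _tlv(der, pos)      # 0x17 = UTCTime (YY...), 0x18 = GeneralizedTime (YYYY...)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return dt.datetime.strptime(der[start:end].decode("ascii"), fmt).replace(tzinfo=UTC)

def is_expired(der, now=None):
    """True when the certificate's "Not after" date is earlier than now (step 11)."""
    return cert_not_after(der) < (now or dt.datetime.now(UTC))

def certs_from_certificate_message(msg):
    """Split a TLS 1.2 Certificate handshake message (tls.handshake.type == 11) into DER certs."""
    assert msg[0] == 11, "not a Certificate handshake message"
    pos, end = 7, 7 + int.from_bytes(msg[4:7], "big")   # type(1) length(3) certs_length(3)
    certs = []
    while pos < end:
        n = int.from_bytes(msg[pos:pos + 3], "big")     # each entry: 3-byte length + DER cert
        certs.append(msg[pos + 3:pos + 3 + n])
        pos += 3 + n
    return certs

def build_sample_cert(not_after):
    """Constructed sample, NOT a real certificate: a DER skeleton holding only the fields the
    parser walks; serial, issuer, subject and signature are placeholders (short-form lengths)."""
    der = lambda tag, body: bytes([tag, len(body)]) + body
    utc = lambda d: der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    validity = der(0x30, utc(dt.datetime(2019, 1, 1, tzinfo=UTC)) + utc(not_after))
    tbs = (der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"")
           + der(0x30, b"") + validity + der(0x30, b""))
    return der(0x30, der(0x30, tbs) + der(0x30, b"") + der(0x03, b"\x00"))
```

In Wireshark, right-click the certificate within the Certificate message and use "Export Packet Bytes" to obtain the DER bytes that cert_not_after expects.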


Additional Information


NOTE:
Since the expired certificate is served by the web server, the web server administrator needs to update the intermediate and root CA certificates.
