How to Prevent Access to Encrypted Websites Based on Certificate Authority
In some situations, you may want to restrict or prevent access to certain encrypted websites based on their Certificate Authority (CA). The CA itself may have been compromised, so you want to act immediately, or you may no longer trust certificates issued by a particular CA.
You can control access manually on an individual client by deleting the certs in question from the list of browsers' Trusted Root CAs, but the manual process can be tedious and it's relatively easy to bypass these controls. Further, browsers such as Firefox use their own certificate repository, adding to the overall complexity of making sure all types of browsers are addressed.
As of PAN-OS v5.0.x, you can view the contents of the installed cert repository and disable Root CAs that are no longer trusted. This feature minimally requires PAN-OS v5.0.x and enabling SSL-Decryption. Refer to SSL Forward Proxy (Man in the Middle).
To view the list of certificates, go to Device > Certificate Management > Certificates:
To restrict access to all sites signed by a particular CA:
- Enable Forward Proxy. Refer to the Decryption Policies section in the Palo Alto Networks Administrator's Guide Release 5.0 (English).
- Though a single certificate can be used for both Forward Trust and Forward Untrust, creating a separate certificate specifically for Untrust (which must be generated as a CA) allows for easy differentiation of a valid certificate/trust error as the Palo Alto Networks device proxies the secure session:
- Verify the CA to be blocked, keeping in mind that doing so blocks access to all sites whose certificates were issued by this CA.
An easy way to verify the issuer of the cert is to visit the site directly in a browser, without decryption, and view the cert properties:
Note: This example shows a legitimate and trusted root CA that would typically never be disabled; the example is for demonstration purposes only.
In the example, the certificate was issued by DigiCert High Assurance CA-3, a subordinate CA. Intermediate CAs are not installed in the Palo Alto Networks certificate repository, as presenting a complete, valid chain is typically the responsibility of the hosting server. The top-most CA in the Certificate Hierarchy must be disabled; in this example, that is GTE CyberTrust Global Root. At this point the Common Name (CN) of the cert is known, but to ensure the correct CA is disabled, it is best to view the Root Certificate directly and compare its serial number with that of the certificate installed on the Palo Alto Networks device, since multiple CAs with similar names may be installed. Using Firefox, highlight the Root CA directly and scroll through the list of Certificate Fields to view the serial number.
If using Internet Explorer or Chrome (both use the Windows Certificate Repository), view the Certification Path of the issued cert, highlight the Root CA (View Certificate), then scroll through the Certificate Details for the serial number:
Go to Device > Certificate Management > Certificates, search for the CN of the cert, highlight, then export to compare against the cert exported directly via the website/browser:
Upon export, open the cert/view Certificate Details and compare the serial number with that of the site/browser exported CA:
After confirming that the serial numbers match, highlight the certificate and disable it:
- Next, go to Objects > Security Profiles > Decryption Profile and create a decryption profile. Below is a simple example to block sessions with untrusted issuers. Click OK.
- Go to Policies > Security > Decryption and associate the Decryption Profile with the Decryption Policy:
- Commit the configuration.
- Certificates for various sites issued by the disabled CA may have been cached previously, resulting in users bypassing the new Decryption Profile altogether. To view the cache, enter the command:
> show system setting ssl-decrypt certificate-cache
If sites are bypassing the block policy, delete the cert cache via the CLI:
> debug dataplane reset ssl-decrypt certificate-cache
Clearing this cache deletes all cached certs; sites must be accessed again to repopulate it.
- Verify intended sites are blocked. An initial certificate error is displayed, followed by (upon continuing) a block page:
As mentioned in Step 2, viewing the certificate properties shows that the issuing cert is the 'Untrust' cert (if created), providing further validation that the session was intercepted and untrusted by the Palo Alto Networks device:
To roll back changes, go to Device > Certificate Management > Certificates, search for the CN of the disabled cert, re-enable, and commit the configuration.
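The serial-number check in step 3 can be scripted instead of clicking through certificate dialogs. The helper below is an added example, not part of the original article or any Palo Alto Networks tool; it assumes the openssl command-line tool is installed, takes the browser export and the firewall export as files (PEM or DER), and refuses to report a match when two CAs share a name but carry different serials. show_chain additionally prints the chain a server presents so the top-most issuer can be identified without a browser (it needs network access and is not exercised offline).

```shell
#!/bin/sh
# Added helper script (not from the original article). Assumes the openssl CLI.

# Detect the export format: browser exports are often DER (.cer); PEM starts with "-----BEGIN".
cert_inform() {
  if head -c 64 "$1" | grep -q -- '-----BEGIN'; then echo PEM; else echo DER; fi
}

# Serial number of a certificate as printed by openssl (uppercase hex, no "serial=" prefix).
cert_serial() {
  openssl x509 -inform "$(cert_inform "$1")" -in "$1" -noout -serial | cut -d= -f2
}

# Subject line (the CN to search for under Device > Certificate Management > Certificates).
cert_subject() {
  openssl x509 -inform "$(cert_inform "$1")" -in "$1" -noout -subject
}

# Returns 0 when the two exported CA certs carry the same serial number, 1 otherwise.
same_ca() {
  [ "$(cert_serial "$1")" = "$(cert_serial "$2")" ]
}

# Print subject, issuer and serial for every certificate a server presents, leaf first.
# The issuer of the last (top-most) certificate names the root to look up on the firewall;
# servers usually do not send the root itself. Needs network access; hostname is the argument.
show_chain() {
  tmp=$(mktemp -d)
  openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null \
    | awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (d "/cert" n ".pem")}'
  for f in "$tmp"/cert*.pem; do
    openssl x509 -in "$f" -noout -subject -issuer -serial
    echo '--'
  done
  rm -rf "$tmp"
}

# Usage: compare_exports browser_root.cer firewall_root.pem
compare_exports() {
  cert_subject "$1"; cert_subject "$2"
  if same_ca "$1" "$2"; then
    echo "MATCH: serial $(cert_serial "$1") - this is the repository entry to disable"
  else
    echo "MISMATCH: $(cert_serial "$1") vs $(cert_serial "$2") - look for another CA with a similar name"
    return 1
  fi
}
```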