Palo Alto Networks Knowledgebase: DigiCert High Assurance EV Root CA Intermediate Certificate


Created On 09/25/18 19:49 PM - Last Updated 02/08/19 00:04 AM


When decryption is enabled on the Palo Alto Networks firewall, the end user might be presented with the firewall's forward untrust certificate. Normally, we would expect the firewall to present the forward trust certificate when the end server being accessed by the user uses the DigiCert High Assurance EV Root CA intermediate certificate.



Use the links Test tool 1 and Test tool 2 to check whether the intermediate DigiCert High Assurance EV Root CA is supported by your browser. The Palo Alto Networks firewall should present the forward trust certificate to the end user for these test tools.


Security Certificate Errors

DigiCert SSL certificates expiring after January 2011 are issued from a 2048-bit certificate path. The Root Certificate in this path is titled "DigiCert High Assurance EV Root CA" and is already trusted by all modern browsers (Internet Explorer, Firefox, Safari, Opera, Chrome, etc.).


To maintain widespread compatibility with older browsers and some mobile devices, DigiCert provides a Cross-Signed Intermediate Certificate which enables legacy devices to follow the intermediate certificate chain to the " Secure Server Certification Authority" Root Certificate. This Cross-Signed certificate appears in your Intermediate Certification Authorities certificates store in Windows. Its Subject is "DigiCert High Assurance EV Root CA" and its Issuer is " Secure Server Certification Authority."


  • Update the end user's browser.
  • Check whether the intermediate DigiCert High Assurance EV Root CA presented by the server/website differs from the same certificate in Device > Certificate Management > Certificates > Default Trusted Certificate Authorities.
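
One way to carry out the comparison in the second step, as an added example that is not part of the original article. It assumes the openssl CLI is installed and that the intermediate presented by the website and the firewall's copy have each been saved as PEM files; the function names and file names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the KB article). Assumes the openssl CLI is installed
# and both certificates were saved as PEM files; file names are placeholders.

# SHA-256 fingerprint of the first certificate in a PEM file.
cert_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Subject or issuer DN in RFC 2253 form; $1 is "subject" or "issuer".
cert_dn() {
    openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 | sed "s/^$1= *//"
}

# Compare the intermediate presented by the server ($1) with the copy
# exported from the firewall's trusted CA store ($2).
# Prints one verdict word. Returns 0 only when both files hold the same
# certificate, 1 when they differ, 2 when a file could not be parsed.
compare_certs() {
    a=$(cert_fp "$1")
    b=$(cert_fp "$2")
    if [ -z "$a" ] || [ -z "$b" ]; then
        echo "unreadable"
        return 2
    fi
    if [ "$a" = "$b" ]; then
        echo "identical"
        return 0
    fi
    if [ "$(cert_dn subject "$1")" != "$(cert_dn subject "$2")" ]; then
        echo "different-subject"
    elif [ "$(cert_dn issuer "$1")" != "$(cert_dn issuer "$2")" ]; then
        # Same name, different signer: for example a cross-signed copy
        # compared with the self-signed root of the same name.
        echo "same-subject-different-issuer"
    else
        echo "same-names-different-certificate"
    fi
    return 1
}

# Usage: compare_certs server_intermediate.pem firewall_trusted_ca.pem
```

A verdict of `same-subject-different-issuer` is the case the article describes: two certificates that share the Subject "DigiCert High Assurance EV Root CA" but were issued by different authorities.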

