Palo Alto Networks Knowledgebase: SSL Decryption for Some Site Shows as Not Trusted

SSL Decryption for Some Site Shows as Not Trusted

9739
Created On 08/05/19 19:56 PM - Last Updated 08/05/19 20:11 PM
Certificate Management
Resolution

Symptom

A Palo Alto Networks firewall has a list of trusted root Certificate Authorities (CAs), which the firewall uses to check the validity of an SSL site when doing decryption. When CAs change their root certificate, or begin signing server certificates using a new root certificate, the list must be updated.

 

Workaround

Manually install a new root CA, including the newer root CA from GoDaddy and other CA certificates:

  1. For GoDaddy, copy the following GoDaddy root CA (including the BEGIN and END lines) into a plain text editor such as Notepad, (do not use Wordpad, Word, or similar rich-text editors).
    -----BEGIN CERTIFICATE-----
    MIIDxTCCAq2gAwIBAgIBADANBgkqhkiG9w0BAQsFADCBgzELMAkGA1UEBhMCVVMx
    EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoT
    EUdvRGFkZHkuY29tLCBJbmMuMTEwLwYDVQQDEyhHbyBEYWRkeSBSb290IENlcnRp
    ZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTA5MDkwMTAwMDAwMFoXDTM3MTIzMTIz
    NTk1OVowgYMxCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQH
    EwpTY290dHNkYWxlMRowGAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjExMC8GA1UE
    AxMoR28gRGFkZHkgUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkgLSBHMjCCASIw
    DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL9xYgjx+lk09xvJGKP3gElY6SKD
    E6bFIEMBO4Tx5oVJnyfq9oQbTqC023CYxzIBsQU+B07u9PpPL1kwIuerGVZr4oAH
    /PMWdYA5UXvl+TW2dE6pjYIT5LY/qQOD+qK+ihVqf94Lw7YZFAXK6sOoBJQ7Rnwy
    DfMAZiLIjWltNowRGLfTshxgtDj6AozO091GB94KPutdfMh8+7ArU6SSYmlRJQVh
    GkSBjCypQ5Yj36w6gZoOKcUcqeldHraenjAKOc7xiID7S13MMuyFYkMlNAJWJwGR
    tDtwKj9useiciAF9n9T521NtYJ2/LOdYq7hfRvzOxBsDPAnrSTFcaUaz4EcCAwEA
    AaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYE
    FDqahQcQZyi27/a9BUFuIMGU2g/eMA0GCSqGSIb3DQEBCwUAA4IBAQCZ21151fmX
    WWcDYfF+OwYxdS2hII5PZYe096acvNjpL9DbWu7PdIxztDhC2gV7+AJ1uP2lsdeu
    9tfeE8tTEH6KRtGX+rcuKxGrkLAngPnon1rpN5+r5N9ss4UXnT3ZJE95kTXWXwTr
    gIOrmgIttRD02JDHBHNA7XIloKmf7J6raBKZV8aPEjoJpL1E/QYVN8Gb5DKj7Tjo
    2GTzLH4U/ALqn83/B2gX2yKQOC16jdFU8WnjXzPKej17CuPKf1855eJ1usV2GDPO
    LPAvTK33sefOT6jEm0pUBsV/fdUID+Ic/n4XuKxe9tQWskMJDE32p2u0mYRlynqI
    4uJEvlz36hz1
    -----END CERTIFICATE-----
  2. Save the file with a .txt, .cer, or .crt extension.
  3. Go to Device > Certificates and click Import:
    ImportCert.png
  4. Select the file saved from Step 2 and click OK.
  5. Click the name of the new certificate, select Trusted Root CA, and click OK.
    TrustedRoot.png
  6. Commit the changes.

 

Note: Currently, there is no code-level resolution to this issue. Palo Alto Networks is evaluating the best course of action for updating the list of trusted root CAs.

 

owner: gwesson



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClkUCAS&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language