Decryption Issues on Chrome browser with this error: err_cert_weak_signature_algorithm
Created On 04/06/20 19:26 PM - Last Modified 06/02/20 04:12 AM
Symptom
- Chrome shows the err_cert_weak_signature_algorithm error when trying to access HTTPS websites.
Environment
- Google Chrome browser
- Decryption enabled
- PAN-OS 8.0 and above.
Cause
- The SSL Root CA certificate used to issue the decryption certificates (Forward Trust / Forward Untrust) uses SHA-1 as its hashing algorithm, which Google Chrome considers a weak algorithm.
Resolution
- Re-create the Root CA certificate with a stronger hashing algorithm like SHA-2 (i.e. SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256)
- If the Root CA certificate is generated locally on the firewall, follow the steps below.
  - From the WebGUI, navigate to Device > Certificates.
  - Click Generate at the bottom of the screen.
  - Enter the desired details for the certificate (Certificate Name, Common Name), as was done for the previous one. Under Cryptographic Settings, make sure one of SHA256/SHA384/SHA512 is selected for the Digest.
  - On the Generate Certificate window, click Generate.
  - Then re-issue the Forward Trust and Untrust Certificates using the newly created Root CA Certificate.
- Please check this link for more details on decryption setup