Error Message: Certificate DST Root CA X3 expired - blocking SSL decryption

Created On 09/30/21 04:56 AM - Last Modified 11/02/21 02:11 AM


Symptom


SSL decryption fails for affected sites and the firewall reports the session blocked because of an "expired certificate" in the server's chain.

Environment


  • PAN-OS.
  • SSL Decryption. 
  • SSL Forward Proxy.


Cause


The DST Root CA X3 root certificate expired on September 30, 2021. At that time many web servers using Let's Encrypt certificates still served a chain built towards this root (ISRG Root X1 cross-signed by DST Root CA X3). When the firewall acts as SSL Forward Proxy it validates the server's chain and finds the expired certificate in it; a Decryption profile with "Block sessions with expired certificates" enabled then blocks the session.

Resolution


The permanent fix is on the server side: the web server must serve a certificate chain that does not include the expired DST Root CA X3. For Let's Encrypt certificates this is the chain ending at ISRG Root X1, as described in the Let's Encrypt announcement linked below. Verify the chain a server actually sends (for example with openssl s_client -showcerts) rather than assuming a renewal fixed it, since a server keeps sending the old chain until its configuration is updated.

As a temporary workaround on the firewall, relax the Decryption profile by unchecking "Block sessions with expired certificates" under GUI: Objects > Decryption > Decryption Profile > <profile used>, then commit. Keep this relaxation time-boxed (90 days) and re-enable the option once the affected servers serve a corrected chain: while it is unchecked, the firewall decrypts and forwards sessions to any server presenting an expired certificate, not only those affected by this root expiry. To limit that exposure, put the relaxed setting in a separate Decryption profile that is referenced only by the Decryption policy rules matching the affected destinations, and keep the strict profile on every other rule.
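Before relaxing the profile it helps to know which servers still present the expired root, so the workaround can be scoped to them. The checker below is an added example, not part of this article and not a Palo Alto Networks tool: using only the Python standard library, it reads a PEM chain (for instance one saved from openssl s_client -connect host:443 -showcerts), extracts subject, issuer and validity from each certificate with a minimal DER reader, and flags every certificate whose notAfter is in the past. The sample chain it runs against is constructed inline (dummy keys, unsigned), with dates approximating the Let's Encrypt chain of autumn 2021; the certificate names R3 and ISRG Root X1 are the real Let's Encrypt names, everything else is a stand-in.

```python
"""Flag expired certificates in a PEM chain using only the standard library."""
import base64
import re
from datetime import datetime, timezone

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
OID_CN = b"\x55\x04\x03"                                   # 2.5.4.3 commonName
OID_SHA256_RSA = b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B"   # 1.2.840.113549.1.1.11

# ---- minimal DER reader: just enough for the TBSCertificate fields we need ----
def _read_tlv(buf, pos):
    """Read one DER element at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Split a constructed element's contents into its child (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out

def _parse_time(tag, val):
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime / GeneralizedTime
    return datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def _common_name(name_value):
    """CN from a Name: SEQUENCE OF SET OF SEQUENCE { OID, value }."""
    for _, rdn in _children(name_value):
        for _, atv in _children(rdn):
            oid, value = _children(atv)
            if oid[1] == OID_CN:
                return value[1].decode("utf-8")
    return ""

def parse_cert(der):
    """Subject CN, issuer CN and validity window of one DER-encoded certificate."""
    body = _children(der)[0][1]                         # Certificate ::= SEQUENCE { tbs, alg, sig }
    tbs = _children(_children(body)[0][1])
    if tbs[0][0] == 0xA0:                               # skip explicit [0] version (absent in v1)
        tbs = tbs[1:]
    not_before, not_after = (_parse_time(t, v) for t, v in _children(tbs[3][1]))
    return {"subject": _common_name(tbs[4][1]), "issuer": _common_name(tbs[2][1]),
            "not_before": not_before, "not_after": not_after}

def check_chain(pem_bytes, now=None):
    """One finding per certificate, in the order the server sent them.
    `now` may be a datetime, an ISO string like 2021-10-01T00:00:00Z, or None (current time)."""
    if isinstance(now, str):
        now = datetime.strptime(now, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    findings = []
    for m in PEM_RE.finditer(pem_bytes):
        cert = parse_cert(base64.b64decode(b"".join(m.group(1).split())))
        cert["expired"] = cert["not_after"] < now
        cert["self_signed"] = cert["subject"] == cert["issuer"]   # a root, not an intermediate
        findings.append(cert)
    return findings

def expired_subjects(pem_bytes, now=None):
    return [c["subject"] for c in check_chain(pem_bytes, now) if c["expired"]]

# ---- CONSTRUCTED sample chain: valid X.509 structure, dummy key, unsigned ----
def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def _name(cn):
    return _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, OID_CN) + _tlv(0x0C, cn.encode()))))

def build_test_cert(subject, issuer, not_before, not_after):
    """Structurally valid but UNSIGNED test certificate (times as UTCTime YYMMDDHHMMSSZ)."""
    alg = _tlv(0x30, _tlv(0x06, OID_SHA256_RSA) + _tlv(0x05, b""))
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg + _name(issuer)
           + _tlv(0x30, _tlv(0x17, not_before.encode()) + _tlv(0x17, not_after.encode()))
           + _name(subject) + _tlv(0x30, alg + _tlv(0x03, b"\x00")))   # placeholder SPKI
    der = _tlv(0x30, _tlv(0x30, tbs) + alg + _tlv(0x03, b"\x00" * 9))  # placeholder signature
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"

# Dates approximate the real Let's Encrypt chain of autumn 2021; the certificates are stand-ins.
SAMPLE_CHAIN = (build_test_cert("example.com", "R3", "210901000000Z", "211130000000Z")
                + build_test_cert("R3", "ISRG Root X1", "200904000000Z", "250915160000Z")
                + build_test_cert("ISRG Root X1", "DST Root CA X3", "210120191403Z", "240930181403Z")
                + build_test_cert("DST Root CA X3", "DST Root CA X3", "000930211219Z", "210930140115Z"))

if __name__ == "__main__":
    for c in check_chain(SAMPLE_CHAIN, "2021-10-01T00:00:00Z"):
        flag = "EXPIRED" if c["expired"] else "ok"
        kind = "root" if c["self_signed"] else "issued by " + c["issuer"]
        print(f"{flag:8} {c['subject']:16} notAfter={c['not_after']:%Y-%m-%d} ({kind})")
```

Run against the sample on 2021-10-01 it reports only DST Root CA X3 as expired: the cross-signed ISRG Root X1 intermediate itself is still valid, which is why the problem is the root at the end of the chain rather than the server's leaf or intermediate. Pointed at a real chain saved from openssl s_client, any expired entry identifies a server that still needs the chain fix on its side; a self-signed expired entry is the old root being sent along.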


Additional Information


Let's Encrypt Announcement
https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

PAN-OS Admin Guide
Create a Decryption Profile

Customer Advisory
Decryption Errors created by the expired AddTrust External Root CA



Article Link
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004LtBCAU&lang=en_US%E2%80%A9&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail