Error Message: Certificate DST Root CA X3 expired - blocking SSL decryption
Created On 09/30/21 04:56 AM - Last Modified 11/02/21 02:11 AM
Symptom
SSL decryption failing due to "expired certificates"
Environment
- PAN-OS.
- SSL Decryption.
- SSL Forward Proxy.
Cause
The DST Root CA X3 certificate has expired, and the SSL Decryption profile may block sessions whose certificate chain contains an expired certificate.
Resolution
The server needs to send a new certificate chain without the expired certificate.
In the meantime, relax the decryption profile on the firewall by unchecking "Block sessions with expired certificates" under GUI: Objects > Decryption > Decryption Profile > <profile used> (for 90 days).
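To confirm whether a given server still sends the expired certificate in its chain (the condition described above), the following added example (not Palo Alto Networks code; it assumes `openssl` is installed) splits a PEM chain saved from `openssl s_client -showcerts` into its individual certificates and flags any that are already expired, or that expire within an optional window in seconds:

```shell
#!/bin/sh
# check_chain CHAIN_FILE [WINDOW_SECONDS]
# Reports each certificate in a PEM chain as OK or EXPIRED. A certificate is
# EXPIRED if it is already past notAfter or expires within WINDOW_SECONDS
# (default 0). Returns 1 if any certificate is flagged, 0 otherwise.
# Capture a server's chain first (hostname is a placeholder), e.g.:
#   openssl s_client -connect HOST:443 -servername HOST -showcerts \
#       </dev/null 2>/dev/null > chain.pem
check_chain() {
  chain_file="$1"
  window="${2:-0}"
  rc=0
  tmpdir=$(mktemp -d)
  # Split the PEM stream into cert-1.pem, cert-2.pem, ... in the order the
  # server presented them (leaf first); lines outside BEGIN/END are ignored.
  awk -v d="$tmpdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = d "/cert-" n ".pem" }
    f { print > f }
    /-----END CERTIFICATE-----/   { close(f); f = "" }
  ' "$chain_file"
  # Glob order is lexical, which is fine for chains of fewer than 10 certs.
  for c in "$tmpdir"/cert-*.pem; do
    [ -f "$c" ] || continue
    subj=$(openssl x509 -in "$c" -noout -subject)
    exp=$(openssl x509 -in "$c" -noout -enddate | cut -d= -f2)
    # -checkend exits 0 only if the cert is still valid WINDOW seconds from now
    if openssl x509 -in "$c" -noout -checkend "$window" >/dev/null; then
      echo "OK      $subj (notAfter=$exp)"
    else
      echo "EXPIRED $subj (notAfter=$exp)"
      rc=1
    fi
  done
  rm -rf "$tmpdir"
  return $rc
}
```

A chain that lists the expired DST Root CA X3 (or any other EXPIRED entry) is one the server operator must fix; the firewall-side relaxation only keeps traffic flowing until they do.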
Additional Information
Let's Encrypt Announcement
https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
PAN-OS Admin Guide
Create a Decryption Profile
Customer Advisory
Decryption Errors created by the expired AddTrust External Root CA