GlobalProtect App in Tunnel and Proxy Mode fails to download PAC file due to the 'INVALID CA' error

Created On 02/28/24 07:56 AM - Last Modified 04/20/24 02:46 AM


Symptom


PanGPS.log
(P3648-T7676)Debug( 64): 11/16/23 12:53:40:486 PanHttp: GET https://store.swg.prismaaccess.com/pac/rnzadmnnz/xxxxxxxxxxxxx.pac
(P3648-T7676)Debug( 125): 11/16/23 12:53:40:486 PanHttp: http server=store.swg.prismaaccess.com, port=443
...
(P3648-T7676)Debug( 329): 11/16/23 12:53:40:486 PanHttp:SendWinHttpRequest enter
(P3648-T7676)Debug( 349): 11/16/23 12:53:40:486 PanHttp: First try to send without client cert
(P3648-T6800)Warn (1056): 11/16/23 12:53:40:517 PanHttp: CertError: INVALID_CA 
(P3648-T6800)Debug(1146): 11/16/23 12:53:40:517 PanHttp: WINHTTP_CALLBACK_STATUS_REQUEST_ERROR, result=5, error=12175 (ERROR_WINHTTP_SECURE_FAILURE), m_dwServerCertError=8
(P3648-T7676)Debug( 376): 11/16/23 12:53:40:517 PanHttp:SendWinHttpRequest request error
(P3648-T7676)Error( 104): 11/16/23 12:53:40:517 PanHttp: Failed to send http request, error: failed to send request
PanProxyAgent.log
(P3648-T7676)debug11/16/23 12:53:39:362 (369): TASK: Download Pac file start: https://store.swg.prismaaccess.com/pac/rnzadmnnz/xxxxxxxxxxxxx.pac
(P3648-T7676)error11/16/23 12:53:39:484 (398): pac file download failed for https://store.swg.prismaaccess.com/pac/rnzadmnnz/xxxxxxxxxxxxx.pac
(P3648-T7676)criti11/16/23 12:53:39:484 (420): Didn't download any pac file 

Environment


  • Prisma Access
  • PANOS-10.2.4
  • GlobalProtect (in Tunnel and Proxy Mode)
  • SSL decryption for the proxy PAC URL is performed on MU or the on-premise firewall using the self-signed intermediate certificate.


Cause


  • For certificate chain verification, the GP App needs every certificate in the chain (the intermediate CA and the root CA that signed it) to be imported into the client's Trust CA cert store.
  • Most web browsers complete certificate chain verification with only the intermediate certificate installed, which is why the same PAC URL opens in a browser but fails in the GP App.


Resolution


  1. Install all of the certificates in the certificate chain into the user's Trust CA cert store on the client machine.
  2. Example:
    • In the following certificate chain, SSL decryption is performed with the intermediate CA certificate 'PAN-Decrypt_Trust', which is signed by the root CA certificate 'PAN-Decrypt_CA'.
    • Install both 'PAN-Decrypt_CA' and 'PAN-Decrypt_Trust' into the user's Trust CA cert store so the GP App can verify the certificate chain successfully.
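To confirm which part of the chain the client is missing before importing certificates, the following PowerShell script is an added example (not Palo Alto Networks tooling). It assumes a Windows client that can reach the PAC host, and uses the PAC URL from the Symptom log as a placeholder for your own. It captures the server certificate, builds the chain with the Windows certificate engine that WinHTTP also consults, and reports whether each chain element is present in the user or machine Root/CA stores; a PartialChain or UntrustedRoot status is the condition PanGPS.log reports as CertError: INVALID_CA.

```powershell
# Added example: check the PAC URL's TLS chain against the Windows trust store.
# Assumptions: Windows client, PAC host reachable, $PacUrl replaced with your own PAC URL.
function Test-PacCertChain {
    param([Parameter(Mandatory)][string]$PacUrl)
    $uri = [Uri]$PacUrl
    $tcp = New-Object System.Net.Sockets.TcpClient($uri.Host, $uri.Port)
    # Accept any server certificate during the handshake; the chain is evaluated separately below.
    $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
    try {
        $ssl.AuthenticateAsClient($uri.Host)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $ssl.Dispose(); $tcp.Dispose() }

    # Build the chain from the Windows stores; revocation is skipped because it is not the failure here.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $valid = $chain.Build($leaf)

    # Where (if anywhere) each element of the chain is installed on this client.
    $stores   = 'LocalMachine\Root', 'LocalMachine\CA', 'CurrentUser\Root', 'CurrentUser\CA'
    $elements = foreach ($el in $chain.ChainElements) {
        $cert  = $el.Certificate
        $found = $stores | Where-Object { Test-Path "Cert:\$_\$($cert.Thumbprint)" }
        [pscustomobject]@{
            Subject   = $cert.Subject
            Issuer    = $cert.Issuer
            Installed = $(if ($found) { $found -join ', ' } else { 'not installed' })
        }
    }
    # PartialChain = an issuer (e.g. the root CA) could not be found; UntrustedRoot = found but not trusted.
    $status = @($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })
    [pscustomobject]@{ Valid = $valid; Elements = $elements; Status = $status }
}

# Usage: placeholder URL taken from the Symptom log; replace with your own PAC URL.
$report = Test-PacCertChain -PacUrl 'https://store.swg.prismaaccess.com/pac/rnzadmnnz/xxxxxxxxxxxxx.pac'
$report.Elements | Format-Table -AutoSize
$report.Status
if (-not $report.Valid) {
    Write-Warning 'Chain does not verify: import the missing intermediate and root CA certificates into the Trust CA cert store.'
}
```

Run it as the affected user so the CurrentUser stores are checked; an element listed as 'not installed' or only in a CA (intermediate) store is the certificate the Resolution tells you to import.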