Are cross-signed certificates supported for Server Certificate Verification?

Created On 01/26/21 04:31 AM - Last Modified 07/17/24 21:34 PM


Question


  • SSL Forward Proxy configured on the Palo Alto Networks firewall (GUI: Policies > Decryption)
  • Decryption Profile configured (GUI: Objects > Decryption > Decryption Profile)
  • In the Decryption Profile, "Block sessions with expired certificates" is enabled.
  • Are cross-signed server certificates issued to the HTTPS website supported in this case?
 
Decryption Profile


Environment


  • Palo Alto Firewall
  • Supported PAN-OS
  • Cross-signed certificates


Answer


Yes. Support for cross-signed certificates was added in the following PAN-OS versions:
  • 10.0.0 or later
  • 9.1.3-h1 or later
  • 9.0.9-h1 or later
  • 8.1.15-h3 or later
Note:
  • In earlier versions of PAN-OS, if an HTTPS web page presented a certificate chain with an expired root CA, the SSL session would be blocked.
  • This would occur even if an unexpired cross-signed root certificate existed.
  • Refer to the LIVEcommunity post for additional information on the cross-signed certificate enhancements.
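The behaviour described in the note, as an added Python example that is not part of the article and is not PAN-OS code: a simplified model of X.509 path building in which the old check rejects a presented chain because its trailing legacy root is expired, while a path-building verifier stops at the unexpired cross-signed root in the trust store. Certificate names and dates are constructed; signatures and key identifiers are omitted from the model.

```python
# Added example (not from the KB article or PAN-OS): simplified model of chain
# verification with a cross-signed root. All names and dates are constructed.
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: datetime

def verify_presented_chain(chain, anchors, now):
    """Pre-fix behaviour: every presented cert, including the trailing legacy root,
    must be unexpired and the last cert must match an unexpired trust anchor."""
    if any(c.not_after < now for c in chain):
        return None
    anchor = next((a for a in anchors if a.subject == chain[-1].subject), None)
    return chain if anchor and anchor.not_after >= now else None

def build_path(cert, chain, anchors, now, depth=0):
    """Fixed behaviour: search for any path to an unexpired anchor. Anchors are tried
    before presented certs, so the walk ends at the trusted root instead of the
    expired one the server sent."""
    if cert.not_after < now or depth > 8:        # depth guard against issuer loops
        return None
    for a in anchors:
        if a.subject == cert.issuer and a.not_after >= now:
            return [cert, a]
    for c in chain:
        if c is not cert and c.subject == cert.issuer:
            rest = build_path(c, chain, anchors, now, depth + 1)
            if rest:
                return [cert] + rest
    return None

UTC = timezone.utc
NOW = datetime(2022, 1, 1, tzinfo=UTC)
LEGACY_ROOT = Cert("Legacy Root", "Legacy Root", datetime(2021, 9, 30, tzinfo=UTC))  # expired
CROSS_SIGNED = Cert("Example Root G2", "Legacy Root", datetime(2030, 1, 1, tzinfo=UTC))
SELF_SIGNED = Cert("Example Root G2", "Example Root G2", datetime(2035, 1, 1, tzinfo=UTC))
INTERMEDIATE = Cert("Example CA 1", "Example Root G2", datetime(2025, 1, 1, tzinfo=UTC))
LEAF = Cert("www.example.com", "Example CA 1", datetime(2022, 6, 1, tzinfo=UTC))
# Constructed server chain: leaf, intermediate, cross-signed root, expired legacy root.
PRESENTED_CHAIN = [LEAF, INTERMEDIATE, CROSS_SIGNED, LEGACY_ROOT]
TRUST_STORE = [LEGACY_ROOT, SELF_SIGNED]

if __name__ == "__main__":
    print("old check passes:", verify_presented_chain(PRESENTED_CHAIN, TRUST_STORE, NOW) is not None)
    print("new path:", [c.subject for c in build_path(LEAF, PRESENTED_CHAIN, TRUST_STORE, NOW)])
```

With the same trust store, the old check returns None (session blocked) and the path builder returns leaf, intermediate, and the self-signed "Example Root G2" anchor.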


    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HCc3CAG&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail