Prisma Access - Users are getting "untrusted issuer" error when accessing websites through SSL decryption

Created On 04/03/23 00:26 AM - Last Modified 09/25/24 22:30 PM


Symptom


  • End users get an "untrusted issuer" error when accessing an HTTPS website with SSL decryption through Prisma Access.
  • On the same computer, the same user does not get the "untrusted issuer" error when accessing the same HTTPS website without going through Prisma Access.


Environment


  • Prisma Access Remote Network
  • Prisma Access Mobile User Gateway
  • SSL decryption with "Block sessions with untrusted issuers" turned on


Cause


Sometimes the web server does not provide the full certificate chain for the SSL certificate of the URL/hostname. When SSL decryption is turned on, the Prisma Access firewall is not able to download the required intermediate CA certificate for the visited website, so it blocks the connection with "untrusted issuer".

Resolution


For Panorama managed Prisma Access, please follow the below KB to import the intermediate certificate into Panorama and then push it to Prisma Access Remote Network and Mobile User -

For Cloud managed Prisma Access, please follow the below steps -
  1. Download the intermediate certificate from the CA's official website
  2. In Prisma Access cloud management portal, navigate to Manage - Configuration - Objects - Certificate Management
  3. Click on the "Import" button.
  4. Fill in the certificate name, upload the downloaded certificate file, provide the key file and passphrase as required, and click Save.
  5. Push the configuration to Remote Network or Mobile User as needed.
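The cause and the fix can be reproduced offline with OpenSSL standing in for the validating device. This is an added example, not Palo Alto Networks code and not a model of Prisma Access internals; the three-level PKI, file names and the `www.example.test` hostname are constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Constructed lab PKI (root -> intermediate -> leaf); every name here is made up.
build_constructed_pki() {   # $1 = empty working directory
  local d=$1
  cat > "$d/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = constructed
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
EOF
  # Self-signed root CA
  openssl req -x509 -newkey rsa:2048 -nodes -config "$d/pki.cnf" -extensions v3_ca \
    -subj "/CN=Constructed Root CA" -keyout "$d/root.key" -out "$d/root.pem" -days 2 2>/dev/null
  # Intermediate CA signed by the root, then a leaf signed by the intermediate
  issue "$d" int  "Constructed Intermediate CA" root v3_ca
  issue "$d" leaf "www.example.test"            int  v3_leaf
}

issue() {   # $1=dir $2=name $3=CN $4=issuer name $5=extension section
  openssl req -new -newkey rsa:2048 -nodes -config "$1/pki.cnf" -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.pem" -CAkey "$1/$4.key" -CAcreateserial \
    -extfile "$1/pki.cnf" -extensions "$5" -days 2 -out "$1/$2.pem" 2>/dev/null
}

# Exit status 0 only if a path from the leaf to a trusted certificate can be built.
# $1 = trusted bundle, $2 = leaf, $3 = optional extra certs sent by the server (untrusted)
chain_builds() {
  openssl verify -CAfile "$1" ${3:+-untrusted "$3"} "$2" >/dev/null 2>&1
}

demo() {
  local d; d=$(mktemp -d)
  build_constructed_pki "$d"
  # Server sends only the leaf and the validator knows only the root: the issuer cannot be found.
  chain_builds "$d/root.pem" "$d/leaf.pem" && echo "leaf only: OK" || echo "leaf only: issuer not found"
  chain_builds "$d/root.pem" "$d/leaf.pem" "$d/int.pem" && echo "server sends full chain: OK"
  cat "$d/root.pem" "$d/int.pem" > "$d/trust.pem"   # analogous to importing the intermediate
  chain_builds "$d/trust.pem" "$d/leaf.pem" && echo "intermediate imported, leaf only: OK"
  rm -rf "$d"
}
demo
```

To see which certificates a real server actually sends, `openssl s_client -connect <host>:443 -showcerts` prints the served chain for comparison.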

