Certificate Error with reason: untrusted issuer although issuer is well known public CA certificate.

Certificate Error with reason: untrusted issuer although issuer is well known public CA certificate.

56140
Created On 10/12/22 05:49 AM - Last Modified 04/02/25 13:52 PM


Symptom


  • With SSL decryption enabled, when trying to access a website, getting blocked page with reason: untrusted issuer.
In this snapshot, the issuer is a well-known public CA: DigiCert SHA2 Extended Validation Server CA but still we see reason: untrusted issuer.
 
Cert1.png
  • Decryption profile is configured to Block sessions with untrusted issuers 
Cert2.PNG
  • Website has Incomplete chain issue. This can be checked from SSLlabs
  • In packet capture, the website is sending only server certificate (without Intermediate/Root certificate).
  • Without firewall in between or decryption disabled, the site loads with no issues.
 

Environment


  • Palo Alto Firewalls
  • Supported PAN-OS
  • Decryption enabled.

Cause


  • Website is not sending complete chain of certificate; it is configured to use server certificate only without proper chain/intermediate certificate.
  • The issue doesn't occur on browser because they have enough compute to fetch an intermediate CA if a website does not provide the full chain.
 

Resolution


Issue can be resolved by any one of the following resolutions:
  1. Fix the certificate chain issue on the website (contact website owner if required) 
  2. Manually import the intermediate certificate under Setup-->Certificate management-->Certificate-->Device Certificates and mark it "trusted Root CA"
Cert3.PNG
  1. Uncheck "Block sessions with untrusted issuers" in the decryption profile. 

Additional Information


  1. Why is the well known public CA certificate not present in Setup-->Certificate management-->Certificate-->Default Trusted Certificate Authorities ?
PanOS firewalls do not maintain a repository of intermediate certificates. It only maintains a repository of public Root CAs under "Default Trusted Certificate Authorities" because it is very difficult to track/monitor intermediate CA’s globally.
  1. Why can't PA-FW fetch the intermediate certificate like a browser does?
PanOS firewalls can not fetch the intermediate certificate because it is computationally difficult to do so while buffering a client connection for SSL decryption.
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000kEUSCA2&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language