Certificate error with reason "untrusted issuer" although the issuer is a well-known public CA certificate.
56140
Created On 10/12/22 05:49 AM - Last Modified 04/02/25 13:52 PM
Symptom
- With SSL decryption enabled, attempts to access a website are blocked, and the block page gives the reason "untrusted issuer".
- In the case behind this article, the issuer of the server certificate was a well-known public CA (DigiCert SHA2 Extended Validation Server CA), yet the firewall still reported "untrusted issuer".
- The decryption profile is configured to "Block sessions with untrusted issuers".
- The website has an incomplete certificate chain. The SSL Labs server test (https://www.ssllabs.com/ssltest/) reports this as "Chain issues: Incomplete".
- In a packet capture of the TLS handshake, the server's Certificate message contains only the server (leaf) certificate; no intermediate or root certificate is sent.
- Without the firewall in the path, or with decryption disabled, the site loads without error.
Environment
- Palo Alto Firewalls
- Supported PAN-OS
- Decryption enabled.
Cause
- The website does not send the complete certificate chain: the server is configured with only its own (leaf) certificate and does not include the intermediate CA certificate that links it to a public root.
- The firewall validates the chain using only the certificates the server sent plus its own trusted CA store. The intermediate is neither sent by the server nor present in the store, so the leaf's issuer cannot be verified and the decryption profile blocks the session as "untrusted issuer".
- Browsers do not hit this problem because they typically already have the intermediate cached from earlier visits to sites using the same CA, or they fetch it from the URL in the server certificate's Authority Information Access (AIA, "CA Issuers") extension. The firewall performs neither step during the handshake; this is not a matter of compute.
Resolution
Any one of the following resolves the issue:
- Fix the certificate chain on the web server so that it sends the leaf certificate followed by the intermediate certificate(s) (contact the website owner if required). This is the correct fix and helps every client, not just those behind the firewall.
- Import the missing intermediate CA certificate into the firewall under Device-->Certificate Management-->Certificates-->Device Certificates and check "Trusted Root CA". Obtain the intermediate from the CA's own repository or from the AIA URL in the server certificate and confirm its fingerprint, because anything marked Trusted Root CA becomes a trust anchor for all decrypted traffic. This is a per-site workaround and must be repeated when the CA rotates its intermediate.
- Uncheck "Block sessions with untrusted issuers" in the decryption profile. This is the least secure option: it disables the check for every site matched by that profile. The firewall then signs the certificate it presents to the client with the Forward Untrust certificate, so users see a browser certificate warning instead of the firewall's block page and can click through it.
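The following script is an added example, not part of the original KB article, that reproduces the cause and each resolution above offline. It builds a throwaway root --> intermediate --> leaf PKI with openssl, then verifies the leaf three ways: as the firewall does (root store only, leaf alone), with the intermediate supplied as chain data (server fixed), and with the intermediate itself treated as a trust anchor (intermediate imported as "Trusted Root CA"). It also prints the AIA "CA Issuers" URL a browser would follow. All names, file paths and the pki.example.test URL are constructed for the demonstration; the live-site command in the comment is the practical check for a real server.

```shell
#!/bin/sh
# Added example (not from the original KB article): reproduce the "untrusted
# issuer" condition offline with a throwaway PKI and show how each resolution
# changes the verdict. Names, paths and URLs are constructed for the demo;
# nothing is fetched from the network.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Extension profiles for the CA certificates and the server (leaf) certificate.
cat > ca.ext <<'EOF'
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

cat > leaf.ext <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
subjectKeyIdentifier = hash
# AIA "CA Issuers": the URL a browser uses to fetch a missing intermediate
authorityInfoAccess = caIssuers;URI:http://pki.example.test/intermediate.crt
EOF

# Root CA (self-signed). Stands in for an entry in the firewall's
# "Default Trusted Certificate Authorities" store.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
    -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 3650 \
    -extfile ca.ext -out root.pem 2>/dev/null

# Intermediate CA, signed by the root (the "well-known" issuer of the leaf).
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
    -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 1825 -extfile ca.ext -out int.pem 2>/dev/null

# Server certificate, signed by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 365 -extfile leaf.ext -out leaf.pem 2>/dev/null

# Number of certificates in a PEM bundle. Against a live site the same count
# comes from:  openssl s_client -connect host:443 -servername host \
#   -showcerts </dev/null 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
# A result of 1 is the "server sends only its own certificate" symptom.
chain_depth() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# What the firewall does: trust the root store, use only what the server sent
# (here: leaf.pem alone). Fails with "unable to get local issuer certificate".
verify_like_firewall() {
    openssl verify -CAfile root.pem leaf.pem >/dev/null 2>&1
}

# Resolution 1: the server sends the full chain. The intermediate is supplied
# as an untrusted chain certificate, exactly as it arrives in the handshake.
verify_with_chain() {
    openssl verify -CAfile root.pem -untrusted int.pem leaf.pem >/dev/null 2>&1
}

# Resolution 2: the intermediate is imported and marked "Trusted Root CA",
# i.e. it becomes a trust anchor even though it is not self-signed.
verify_trusting_intermediate() {
    openssl verify -partial_chain -CAfile int.pem leaf.pem >/dev/null 2>&1
}

# The AIA "CA Issuers" URL a browser would follow; the firewall does not.
aia_url() {
    openssl x509 -in leaf.pem -noout -text | sed -n 's/.*CA Issuers - URI:\(.*\)/\1/p'
}

echo "certificates the server sends: $(chain_depth leaf.pem)"
for check in verify_like_firewall verify_with_chain verify_trusting_intermediate; do
    if "$check"; then echo "$check: OK"; else echo "$check: untrusted issuer"; fi
done
echo "AIA URL a browser would fetch: $(aia_url)"
```

Run it with a stock openssl (1.1.1 or 3.x); it writes into a temporary directory and needs no network. The first verification fails, the other two succeed, which is the whole story of this article in three commands: the root is trusted everywhere, but the leaf can only be linked to it if the intermediate comes from somewhere.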
Additional Information
- Why is the well-known public CA certificate not present under Device-->Certificate Management-->Certificates-->Default Trusted Certificate Authorities?
PAN-OS firewalls do not maintain a repository of intermediate CA certificates. The Default Trusted Certificate Authorities store contains public root CAs only, because intermediates are far more numerous and change far more often than roots, which makes them impractical to track and ship with the firewall. "DigiCert SHA2 Extended Validation Server CA" is an intermediate, not a root, so it is expected to be absent from that store.
- Why can't the firewall fetch the intermediate certificate the way a browser does?
PAN-OS does not fetch missing intermediates (for example from the AIA URL in the server certificate). The firewall is holding the client's TLS handshake while it validates the server's certificate, and performing an out-of-band download at that point, for every session that needs one, would add latency and complexity to decryption at the throughput the firewall has to sustain. Validation therefore uses only the certificates the server sent plus the firewall's trusted store.