Browser reports invalid CA error when accessing some secure HSTS websites when decryption is enabled
9779
Created On 03/09/23 01:23 AM - Last Modified 11/11/24 23:39 PM
Symptom
- The web browser reports an invalid CA error when accessing some secure HSTS websites while decryption is enabled, and offers no option to proceed.
- Example (from Chrome; site names are redacted with *** in the original):

    Your connection is not private. Attackers might be trying to steal your information from gmail.com (for example, passwords, messages, or credit cards). Learn more. *** normally uses encryption to protect your information. When Chrome tried to connect to *** this time, the website sent back unusual and incorrect credentials. This may happen when an attacker is trying to pretend to be ***, or a Wi-Fi sign-in screen has interrupted the connection. Your information is still secure because Chrome stopped the connection before any data was exchanged.
Environment
- Palo Alto Firewalls
- Supported PAN-OS
- Decryption
- HTTP Strict Transport Security (HSTS) websites
Cause
- With SSL Forward Proxy decryption enabled, the firewall replaces the server certificate with one it signs on the fly using its Forward Trust CA (the decryption certificate). If that CA is not in the client's trust store, the browser sees a certificate that does not chain to a trusted root.
- The secure website can return an HTTP Strict Transport Security (HSTS) header in its HTTPS response, or it may be on the browser's built-in HSTS preload list. Browsers only honor the header when it was received over a connection without certificate errors, so enforcement comes from an earlier successful visit or from the preload list.
- For a host under HSTS, browsers such as Chrome will not allow the HTTPS connection to proceed if the server certificate is not signed by a trusted root CA, and they remove the option to bypass the warning.
Resolution
Import the firewall's Forward Trust CA certificate (the decryption certificate) into the trusted root certificate store of every client whose traffic is decrypted, for example by deploying it through Group Policy on Windows domains. Once the CA is trusted, the re-signed server certificates chain to a trusted root and the HSTS restriction no longer applies.

To confirm this is the cause, inspect the certificate the browser received: its issuer will be the firewall's Forward Trust CA rather than the site's public CA.
Additional Information
Note:
- Generally, if the decryption certificate is not installed, the browser warns that the server certificate is not trusted.
- For a site without HSTS, the user can still proceed by accepting the risk.
- If the website uses HSTS, however, Chrome reports an invalid CA and does not allow the user to proceed.
- For this reason the decryption certificate must be imported into the computer's certificate store; relying on users to click through the warning does not work for HSTS sites.
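The following script is an added example and is not part of the Palo Alto Networks article or PAN-OS itself. It reproduces the cause described above offline with openssl: a constructed "Example Forward Trust CA" stands in for the firewall's decryption CA and re-signs a constructed leaf certificate for gmail.com, as the firewall does with the real server certificate. The script then validates that leaf with and without the CA in the trust file, parses a constructed Strict-Transport-Security header, and models the three outcomes the Notes describe (click-through warning, HSTS block, or success once the CA is trusted). All file names, the CA name and the sample header are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not from the Palo Alto KB article or from PAN-OS.
# Requires openssl. Every certificate and header below is constructed for the demo.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CA_KEY="$WORK/fwd-trust.key";  CA_PEM="$WORK/fwd-trust.pem"
LEAF_KEY="$WORK/leaf.key";     LEAF_CSR="$WORK/leaf.csr"; LEAF_PEM="$WORK/leaf.pem"

# Stand-in for the firewall's Forward Trust CA (self-signed, CA:TRUE).
# A private config file is used so no extensions from the system openssl.cnf leak in.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Example Forward Trust CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 -config "$WORK/ca.cnf" \
    -keyout "$CA_KEY" -out "$CA_PEM" 2>/dev/null

# Stand-in for the re-signed server certificate the browser actually receives
# when decryption is enabled: subject gmail.com, issuer the Forward Trust CA.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=gmail.com" \
    -keyout "$LEAF_KEY" -out "$LEAF_CSR" 2>/dev/null
printf 'subjectAltName=DNS:gmail.com\nbasicConstraints=CA:FALSE\n' > "$WORK/leaf.ext"
openssl x509 -req -in "$LEAF_CSR" -CA "$CA_PEM" -CAkey "$CA_KEY" -CAcreateserial \
    -days 1 -extfile "$WORK/leaf.ext" -out "$LEAF_PEM" 2>/dev/null

# cert_issuer LEAF: the issuer DN of a PEM certificate. On a decrypted session
# this names the firewall's Forward Trust CA instead of the site's public CA.
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer
}

# chain_status LEAF [CAFILE]: "trusted" when LEAF validates against CAFILE, else
# "untrusted". An empty CAFILE models a client whose trust store lacks the CA.
chain_status() {
    if [ -n "$2" ]; then
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 && echo trusted || echo untrusted
    else
        openssl verify -no-CAfile -no-CApath "$1" >/dev/null 2>&1 && echo trusted || echo untrusted
    fi
}

# hsts_max_age HEADER: the max-age directive (seconds) of a
# Strict-Transport-Security header line, or 0 when absent or malformed.
hsts_max_age() {
    age=$(printf '%s\n' "$1" | tr 'A-Z' 'a-z' \
          | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p' | head -n 1)
    echo "${age:-0}"
}

# browser_outcome LEAF CAFILE HSTS_HEADER: the behaviour the article describes.
# An untrusted chain normally yields a warning the user can accept; a host under
# HSTS (max-age > 0) removes that option, and a trusted chain just works.
browser_outcome() {
    status=$(chain_status "$1" "$2")
    if [ "$status" = trusted ]; then
        echo ok
    elif [ "$(hsts_max_age "$3")" -gt 0 ]; then
        echo blocked     # invalid CA error with no "Proceed" link
    else
        echo warning     # interstitial, but the user may proceed at their own risk
    fi
}

# Constructed header, as a preloaded site such as gmail.com would send it.
SAMPLE_HSTS='Strict-Transport-Security: max-age=31536000; includeSubDomains; preload'

echo "issuer seen by the browser:             $(cert_issuer "$LEAF_PEM")"
echo "CA not imported, HSTS host:             $(browser_outcome "$LEAF_PEM" "" "$SAMPLE_HSTS")"
echo "CA not imported, host without HSTS:     $(browser_outcome "$LEAF_PEM" "" "")"
echo "Forward Trust CA imported, HSTS host:   $(browser_outcome "$LEAF_PEM" "$CA_PEM" "$SAMPLE_HSTS")"
```

On a real client the fix is the import step the Resolution describes rather than passing a `-CAfile`: on Windows, `certutil -addstore -f Root fwd-trust.cer` or `Import-Certificate -FilePath .\fwd-trust.cer -CertStoreLocation Cert:\LocalMachine\Root` in PowerShell (or the equivalent Group Policy certificate deployment); on Debian-based Linux, copy the PEM to `/usr/local/share/ca-certificates/` and run `update-ca-certificates`. Note that Firefox keeps its own trust store unless configured to use the operating system's.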