With Decryption enabled, macOS Monterey and above are having certificate trust issues with PAN-OS 10.2.2+ or 10.1.7

Created On 09/30/22 12:39 PM - Last Modified 09/30/22 09:26 PM


Symptom


Users on macOS Monterey and later see certificate trust errors on decrypted sessions when all of the following conditions are met:
  • Decryption (SSL Forward Proxy) is enabled on the firewall
  • The firewall runs PAN-OS 10.2.2 or later, or 10.1.7
  • The client is Safari or Chrome; Firefox, which uses its own certificate verifier rather than the macOS trust store, is not affected


Environment


  • Any Palo Alto Networks firewall
  • PAN-OS 10.2.2+ or 10.1.7
  • Decryption enabled


Cause


  • Support for parsing the Subject Key Identifier (SKID) and Authority Key Identifier (AKID) extensions was added in PAN-OS 10.1.7 and 10.2.2.
  • The same enhancement also set a flag that copies the AKID extension of the original server certificate, unchanged, into the certificate the firewall re-issues for the decrypted session. That AKID still points at the key of the server's real (public) issuing CA, so it does not match the SKID of the Forward Trust CA that actually signed the re-issued certificate. Verifiers that cross-check the leaf AKID against the issuer SKID reject the chain.

Reference PAN-199099.


Resolution


The following workaround and fixes address this issue:

  1. Workaround: use a Forward Trust CA certificate that contains neither an Authority Key Identifier (AKID) nor a Subject Key Identifier (SKID). With no SKID on the issuer, the copied AKID has nothing to be compared against and the browser accepts the chain. Certificates generated on the firewall itself do not carry these extensions; a CA certificate imported from an enterprise PKI usually does, so check it before use.
  2. Fix: available in PAN-OS 10.2.3 (refer to PAN-199099).
  3. Fix: targeted for PAN-OS 10.1.8.
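The following script is an added example, not Palo Alto Networks code, that models the cause described above and the resulting behaviour of workaround 1. It generates a throwaway public CA, a server certificate, and a Forward Trust CA in memory, re-issues the server certificate the way the firewall does (once copying the original AKID, as 10.2.2 / 10.1.7 do, and once deriving it from the Forward Trust CA), and runs the AKID-against-SKID consistency check that a strict verifier applies. It assumes the Python `cryptography` package; all certificate names are made up.

```python
"""Added example: reproduce the AKID/SKID mismatch behind PAN-199099 and the
check a practitioner can run on a decrypted session's certificate chain.
Assumes the 'cryptography' package (pip install cryptography). All
certificates are generated in memory; nothing here is Palo Alto Networks code."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _builder(subject, issuer, public_key, days):
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(public_key)
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=days))
    )


def make_ca(cn, with_skid):
    """Self-signed CA. with_skid=False models a firewall-generated Forward
    Trust CA that carries neither SKID nor AKID (workaround 1)."""
    key = ec.generate_private_key(ec.SECP256R1())
    builder = _builder(_name(cn), _name(cn), key.public_key(), 3650).add_extension(
        x509.BasicConstraints(ca=True, path_length=None), critical=True)
    if with_skid:
        builder = builder.add_extension(
            x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=False)
    return key, builder.sign(key, hashes.SHA256())


def issue_leaf(cn, ca_key, ca_cert):
    """Server certificate from the (made-up) public CA; its AKID correctly
    carries that CA's SKID."""
    key = ec.generate_private_key(ec.SECP256R1())
    skid = ca_cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value
    return (_builder(_name(cn), ca_cert.subject, key.public_key(), 90)
            .add_extension(x509.AuthorityKeyIdentifier(skid.digest, None, None), critical=False)
            .sign(ca_key, hashes.SHA256()))


def resign_for_decryption(original, ft_key, ft_cert, copy_akid):
    """Emulate the firewall re-issuing the server certificate under the Forward
    Trust CA. copy_akid=True is the 10.2.2 / 10.1.7 behaviour: the AKID of the
    original (public-CA) certificate is carried over unchanged."""
    key = ec.generate_private_key(ec.SECP256R1())
    builder = _builder(original.subject, ft_cert.subject, key.public_key(), 90)
    if copy_akid:
        akid = original.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier).value
        builder = builder.add_extension(akid, critical=False)
    else:
        try:  # corrected behaviour: AKID derived from the issuing Forward Trust CA
            skid = ft_cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value
            builder = builder.add_extension(
                x509.AuthorityKeyIdentifier(skid.digest, None, None), critical=False)
        except x509.ExtensionNotFound:
            pass  # Forward Trust CA has no SKID, so no AKID is written
    return builder.sign(ft_key, hashes.SHA256())


def akid_consistent(leaf, issuer):
    """The check a strict verifier applies: if the leaf carries an AKID
    keyIdentifier and the issuer carries an SKID, the two must be equal.
    Returns (ok, reason)."""
    try:
        akid = leaf.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier).value.key_identifier
    except x509.ExtensionNotFound:
        return True, "leaf has no AKID"
    try:
        skid = issuer.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value.digest
    except x509.ExtensionNotFound:
        return True, "issuer has no SKID, AKID cannot be compared"
    if akid == skid:
        return True, "AKID matches issuer SKID"
    return False, f"AKID {akid.hex()} != issuer SKID {skid.hex()}"


def simulate(ft_ca_has_skid, firewall_copies_akid):
    """Run one decryption scenario end to end; return (ok, reason)."""
    pub_key, pub_ca = make_ca("Public Root CA", with_skid=True)
    original = issue_leaf("www.example.com", pub_key, pub_ca)
    ft_key, ft_ca = make_ca("Firewall Forward Trust CA", with_skid=ft_ca_has_skid)
    resigned = resign_for_decryption(original, ft_key, ft_ca, firewall_copies_akid)
    return akid_consistent(resigned, ft_ca)


if __name__ == "__main__":
    for has_skid, copies in ((True, True), (True, False), (False, True)):
        ok, why = simulate(has_skid, copies)
        print(f"FT CA has SKID={has_skid}, firewall copies AKID={copies}: "
              f"{'OK' if ok else 'FAIL'} ({why})")
```

The first scenario (Forward Trust CA with an SKID, firewall copying the original AKID) is the failing combination from the Cause section; the other two show the 10.2.3 fix and workaround 1 respectively. To apply the same check to a real Forward Trust CA before importing it, run `openssl x509 -in forward-trust.crt -noout -text` and look for the "X509v3 Subject Key Identifier" and "X509v3 Authority Key Identifier" sections; if either is present, the certificate is not suitable for workaround 1.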


Article link: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000sZJuCAM