Decryption errors to sites and services beginning March 8 2023

Created On 03/08/23 15:43 PM - Last Modified 03/09/23 00:06 AM


Symptom


Increased decryption errors to sites and services beginning March 8, 2023 at 12:00 GMT.

Environment


  • Palo Alto Firewalls
  • Supported PAN-OS
  • SSL Decryption
  • Manually imported DigiCert SHA2 Secure Server CA certificate


Cause


This is caused by the imported certificate "DigiCert SHA2 Secure Server CA" expiring on March 8, 2023 at 12:00 GMT.
This certificate may have been imported to work around an incomplete certificate chain, as outlined in the PAN-OS Administrator's Guide.

Expired Certificate: [image: Expired certificate on firewall]



Resolution


- Remove the expired "DigiCert SHA2 Secure Server CA" certificate from the firewalls or download the latest one from DigiCert and import it to the firewalls.

Expired Certificate: [image: Expired DigiCert]

New Certificate: [image: New DigiCert]



Additional Information


Steps to remove the cert:
  1. Log in to the WebUI and navigate to Device>Certificate>Device Certificate.
  2. Select the expired certificate "DigiCert SHA2 Secure Server CA" and delete it.
Steps to import the cert:
  1. Download the cert from the DigiCert website.
  2. Navigate to Device>Certificate>Device Certificate and import it.
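
A check to run on the downloaded certificate file before importing it, added here as an example and not part of the original article: it confirms the subject CN and that the certificate is neither expired nor within a chosen margin of expiring. The function names, the 30-day margin and the self-signed sample certificate are assumptions constructed for the demo, and the `openssl` CLI is required.

```shell
#!/usr/bin/env bash
# Added example: pre-import sanity check for a CA certificate file (PEM).

# make_sample_cert FILE CN DAYS
# Builds a throwaway self-signed certificate. Constructed test input only,
# not a DigiCert-issued certificate.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -days "$3" -subj "/CN=$2" 2>/dev/null
}

# check_cert FILE EXPECTED_CN MIN_DAYS
# Prints one of: unreadable, wrong-subject, expired, expiring, ok
check_cert() {
    local file=$1 cn=$2 min_days=$3 subject
    subject=$(openssl x509 -in "$file" -noout -nameopt RFC2253 -subject 2>/dev/null) \
        || { echo unreadable; return 0; }
    # Require an exact CN match, not just a prefix of a longer name.
    case "$subject" in
        *"CN=$cn" | *"CN=$cn,"*) ;;
        *) echo wrong-subject; return 0 ;;
    esac
    # -checkend N exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$file" -noout -checkend 0 >/dev/null; then
        echo expired
    elif ! openssl x509 -in "$file" -noout -checkend "$((min_days * 86400))" >/dev/null; then
        echo expiring
    else
        echo ok
    fi
}

# Demo on a constructed 1-day certificate checked against a 30-day margin.
tmp=$(mktemp -d)
make_sample_cert "$tmp/sample.pem" "DigiCert SHA2 Secure Server CA" 1
echo "sample.pem: $(check_cert "$tmp/sample.pem" "DigiCert SHA2 Secure Server CA" 30)"
rm -rf "$tmp"
```

For the real download, call `check_cert` with the path of the PEM file saved from DigiCert and import only when it prints `ok`.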

