Decryption errors to sites and services beginning March 8 2023 - Knowledge Base - Palo Alto Networks

Decryption errors to sites and services beginning March 8 2023

8098

Created On 03/08/23 15:43 PM - Last Modified 02/10/25 21:08 PM

Decryption Policy

Decryption

9.1

10.0

10.2

10.1

11.0

PAN-OS

Next-Generation Firewall

Symptom

Increased decryption errors to sites and services beginning March 8, 2023 1200GMT

Environment

Palo Alto Firewalls
Supported PAN-OS
SSL Decryption
Manually imported DigiCert SHA2 Secure Server CA certificate

Cause

This is caused by the imported certificate "DigiCert SHA2 Secure Server CA" expiring March 8, 2023 at 1200GMT.
This certificate may have been imported due to an incomplete certificate chain as outlined in the PAN-OS Administrators Guide.

Expired Certificate: Expired certificate on firewall

Resolution

- Remove the expired "DigiCert SHA2 Secure Server CA" certificate from the firewalls or download the latest one from DigiCert and import it to the firewalls.

Expired Certificate:
Expired DigiCert

New Certificate:
New DigiCert

Additional Information

Steps to remove the cert:

Login to WebUI, Navigate to Device>Certificate>Device Certificate
Select expired certificate "DigiCert SHA2 Secure Server CA" and delete.

Steps to import the cert:

After downloading the cert from digicert website
Navigate to Device>Certificate>Device Certificate and import.

Other users also viewed:

How to download GlobalProtect from the Customer Support Portal

Download and Install the GlobalProtect App for Windows

Resource List: GlobalProtect Configuring and Troubleshooting

PAN-OS Software Updates

Where to find the current preferred software versions? (PAN-OS, GlobalProtect, User-ID Agent, Plugins)