Why is "CA Issuer URL:" not shown in the ERROR column of Decryption Log?


Created On 03/04/25 06:14 AM - Last Modified 04/28/25 21:23 PM


Question


Why is "CA Issuer URL:" not shown in the ERROR column of Decryption Log?



    Environment


    • PA-Series Next-Generation Firewalls
    • Supported PAN-OS versions


    Answer


    1. When the certificate, as checked in the browser's Certificate Viewer, does not contain a "CA Issuers" URI in the X.509 "Authority Information Access" extension, Palo Alto Networks firewalls do not log a "CA Issuer URL:" in the ERROR column of the Decryption Log, because there is no value to log.
    2. This is by design and not an issue.

    No CA Issuers URI



    Additional Information


    • If a website's certificate chain is missing one or more intermediate certificates and the Decryption profile blocks sessions with untrusted issuers, find and download the missing intermediate certificate and install it on the NGFW as a trusted root CA; the NGFW then trusts the site's server certificate. The steps are described in the document below.
    • Refer to Repair Incomplete Certificate Chains.
    • In most cases, "CA Issuer URL:" is printed in the ERROR column, as in the sample below.
    Received fatal alert CertificateUnknown from client. CA Issuer URL: http://XXX.XXXXXXXXX.com/XXXXXXXXXXXXXXX.crt
    • However, under certain conditions (the certificate carries no "CA Issuers" URI), "CA Issuer URL:" does not appear in the ERROR column, as in the sample below.
    Received fatal alert CertificateUnknown from client
    • Sample Decryption Logs on Web Interface:

    Decryption Logs
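The following is an added example (not Palo Alto Networks code and not taken from this article) showing how the "CA Issuers" URI the Answer section refers to is encoded in the Authority Information Access extension (RFC 5280 section 4.2.2.1), and why there is nothing to print when that access method is absent. It uses a minimal DER decoder with no third-party libraries, two constructed sample extension values (one with an OCSP entry plus a caIssuers URI, one with OCSP only), and a `decryption_error()` helper that only reproduces the two log shapes quoted above; the real PAN-OS formatting logic is not documented on this page, and the hostnames are placeholders.

```python
"""Check an X.509 Authority Information Access (AIA) extension for a
"CA Issuers" URI, the value that appears as "CA Issuer URL:" in the
ERROR column of the Decryption Log. Added example, not PAN-OS code."""

# Access-method OIDs from RFC 5280 section 4.2.2.1
OID_OCSP = "1.3.6.1.5.5.7.48.1"
OID_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"

TAG_SEQUENCE = 0x30
TAG_OID = 0x06
TAG_URI = 0x86  # GeneralName uniformResourceIdentifier: context tag [6], IA5String


def der_tlv(data: bytes, offset: int = 0):
    """Decode one DER tag-length-value at offset; return (tag, value, next_offset)."""
    tag = data[offset]
    length = data[offset + 1]
    offset += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(data[offset:offset + n], "big")
        offset += n
    return tag, data[offset:offset + length], offset + length


def decode_oid(value: bytes) -> str:
    """Turn OID contents into dotted form (first byte packs the first two arcs)."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # last base-128 byte of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def parse_aia(extn_value: bytes):
    """Return [(accessMethod OID, URI or None), ...] from the AIA contents.

    extn_value is the SEQUENCE OF AccessDescription, i.e. the bytes inside the
    extension's OCTET STRING wrapper. Each AccessDescription is
    SEQUENCE { accessMethod OID, accessLocation GeneralName }."""
    tag, seq, _ = der_tlv(extn_value)
    if tag != TAG_SEQUENCE:
        raise ValueError("AIA value must be a SEQUENCE")
    entries, pos = [], 0
    while pos < len(seq):
        tag, ad, pos = der_tlv(seq, pos)
        if tag != TAG_SEQUENCE:
            raise ValueError("AccessDescription must be a SEQUENCE")
        t, oid_bytes, p = der_tlv(ad)
        if t != TAG_OID:
            raise ValueError("accessMethod must be an OID")
        t, loc, _ = der_tlv(ad, p)
        uri = loc.decode("ascii") if t == TAG_URI else None  # other GeneralName forms ignored
        entries.append((decode_oid(oid_bytes), uri))
    return entries


def ca_issuer_urls(extn_value: bytes):
    """Only caIssuers entries carry a certificate download URL; OCSP entries do not."""
    return [uri for method, uri in parse_aia(extn_value) if method == OID_CA_ISSUERS and uri]


def decryption_error(extn_value):
    """Reproduce the two ERROR-column shapes quoted in the article (illustration only):
    the URL suffix is appended only when a caIssuers URI exists to print."""
    base = "Received fatal alert CertificateUnknown from client"
    urls = ca_issuer_urls(extn_value) if extn_value else []
    return f"{base}. CA Issuer URL: {urls[0]}" if urls else base


# --- constructed sample data (tiny DER encoder; all lengths stay below 128) ---
def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag, len(body)]) + body


def _base128(n: int) -> bytes:
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.insert(0, (n & 0x7F) | 0x80)
        n >>= 7
    return bytes(out)


def _oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    return _tlv(TAG_OID, bytes([40 * arcs[0] + arcs[1]]) + b"".join(_base128(a) for a in arcs[2:]))


def _access(method: str, uri: str) -> bytes:
    return _tlv(TAG_SEQUENCE, _oid(method) + _tlv(TAG_URI, uri.encode("ascii")))


# Placeholder hostnames, constructed for this example
SAMPLE_WITH_CA_ISSUERS = _tlv(TAG_SEQUENCE,
    _access(OID_OCSP, "http://ocsp.example.test")
    + _access(OID_CA_ISSUERS, "http://ca.example.test/intermediate.crt"))
SAMPLE_OCSP_ONLY = _tlv(TAG_SEQUENCE, _access(OID_OCSP, "http://ocsp.example.test"))

if __name__ == "__main__":
    for label, sample in (("with caIssuers", SAMPLE_WITH_CA_ISSUERS), ("OCSP only", SAMPLE_OCSP_ONLY)):
        print(label, "->", parse_aia(sample))
        print("  log line:", decryption_error(sample))
```

To run this against a real certificate you would first extract the AIA extension's OCTET STRING contents (for example with a full ASN.1 library) and pass those bytes to `parse_aia()`; the second sample shows the case the article describes, where OCSP is present but no caIssuers entry exists, so the firewall has no URL to report.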



      https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000sdTUCAY&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail