Firewall is stripping AKID from the server certificate during SSL decryption despite upgrading to a patched version.

Created On 07/29/25 02:16 AM - Last Modified 09/23/25 03:23 AM


Symptom


  • PAN-OS strips the AKID (Authority Key Identifier) extension from the server certificate during SSL decryption after re-signing it with the configured forward trust certificate.
  • This causes issues with applications using Python 3.13 whose traffic is subject to decryption.
  • Since the AKID is mandatory for strict certificate verification, some applications using Python 3.13 stop working.
  • Because the AKID is stripped by PAN-OS, Python 3.13 displays the error message below:
error: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Missing Authority Key Identifier (_ssl.c:1018)>
  • This issue is fixed under PAN-278150. PAN-OS will add the AKID to the server certificate if both the server certificate and the signing forward trust certificate contain the SKID (Subject Key Identifier).
  • However, even after the upgrade, the AKID is still stripped.
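As an added diagnostic example (not part of the original article), the following Python walks a DER-encoded certificate and reports whether the SKID and AKID extensions are present, so a client behind the decrypting firewall can confirm the symptom from the bytes it actually receives. The two extension blocks at the bottom are constructed sample data, not a real certificate; the function names (`leading_oids`, `key_id_status`) are this example's own.

```python
OID_SKID = "2.5.29.14"  # Subject Key Identifier
OID_AKID = "2.5.29.35"  # Authority Key Identifier (the extension being stripped)
def _read_tlv(buf, pos):
    """Decode one DER TLV at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the byte count of the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0  # first byte packs two arcs
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)  # base-128 arcs, high bit = continuation
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def leading_oids(der):
    """OIDs that open a SEQUENCE anywhere in the blob. X.509 extensions are
    SEQUENCE { extnID OID, ... }, so SKID/AKID OIDs show up iff present."""
    found = set()
    def walk(buf):
        pos = 0
        while pos < len(buf):
            tag, val, pos = _read_tlv(buf, pos)
            if tag & 0x20:  # constructed (SEQUENCE / SET / [n]): descend
                if tag == 0x30 and val and val[0] == 0x06:
                    found.add(_decode_oid(_read_tlv(val, 0)[1]))
                walk(val)
    walk(der)
    return found

def key_id_status(der):
    """Report which key-identifier extensions a DER certificate carries."""
    oids = leading_oids(der)
    return {"skid": OID_SKID in oids, "akid": OID_AKID in oids}

# Constructed sample (not a real certificate): an X.509 extensions block with
# SKID+AKID, and the same block after the AKID was removed, as in the symptom.
def _tlv(tag, body):
    return bytes([tag, len(body)]) + body  # short-form lengths suffice here
_SKID = _tlv(0x30, _tlv(0x06, b"\x55\x1d\x0e") + _tlv(0x04, _tlv(0x04, b"\x11" * 20)))
_AKID = _tlv(0x30, _tlv(0x06, b"\x55\x1d\x23") + _tlv(0x04, _tlv(0x30, _tlv(0x80, b"\x11" * 20))))
INTACT_EXTS = _tlv(0xA3, _tlv(0x30, _SKID + _AKID))
STRIPPED_EXTS = _tlv(0xA3, _tlv(0x30, _SKID))
if __name__ == "__main__":
    print("intact  :", key_id_status(INTACT_EXTS))    # {'skid': True, 'akid': True}
    print("stripped:", key_id_status(STRIPPED_EXTS))  # {'skid': True, 'akid': False}
```

To check a live connection, pass the DER leaf returned by `ssl.SSLSocket.getpeercert(binary_form=True)` to `key_id_status`; an `akid: False` result on a connection that passes through the firewall reproduces the condition Python 3.13 rejects.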


Environment


  • Palo Alto NGFW Firewalls
  • Supported PAN-OS
  • SSL Decryption
  • Authority Key Identifier (AKID)


Cause


The fix introduces a new CLI command that is not enabled by default; it must be set after the upgrade before the AKID is preserved.



Resolution


  1. After upgrading to a fixed version, disable the AKID strip with the command:
debug dataplane set ssl-decrypt akid-disable no
     The options are yes/no. The "no" option disables the stripping of the AKID.
  2. The setting can be verified using the following command:
show system state filter cfg.ssl-*

 



Additional Information


PAN-278150

  • The new CLI command is listed below:
debug dataplane set ssl-decrypt akid-disable yes/no
  • This translates into an sdb variable:
cfg.ssl-decrypt.akid-disable=True/False
  • The default setting is disabled on all releases up to 12.X.

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA1Ki000000TNfjKAG&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail