Some applications fails to connect with error "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Missing Authority Key Identifier" with SSL decryption

Created On 05/02/25 02:53 AM - Last Modified 12/01/25 04:47 AM


Symptom


  • The client application establishes a TLS session with the server and performs strict certificate validation, requiring the Authority Key Identifier (AKID) extension in the server's certificate before it trusts it.
  • When the client application's traffic is sent through Prisma Access or a Palo Alto Strata firewall with SSL decryption enabled, the connection fails because the certificate presented to the client does not contain the AKID field.
  • There are no errors in the decryption logs on the Prisma Access / Strata side for this connection.

 



Environment


  • Palo Alto NGFW firewalls
  • Prisma Access Firewalls
  • Supported PAN-OS


Cause


  • Prisma Access (or the firewall) performing SSL decryption strips the AKID field from the rewritten server certificate if the PAN-OS version is lower than the fixed versions (11.2.7, 11.2.8, 12.1.2, 11.1.11, 10.2.15, 10.2.17, 10.2.13-h7, 10.2.4-h38, 10.2.10-h18).
  • Even after PAN-OS is upgraded to one of the above versions, the forward trust certificate must contain both the SKID (Subject Key Identifier) and the AKID extensions for the rewritten certificate to carry the AKID field.
  • Run the command "debug dataplane set ssl-decrypt akid-disable no" on the firewall or Prisma Access instances to enable the functionality.
  • If the forward trust certificate does not have the SKID field, the certificate presented to the client post decryption will not have the AKID field.
  • This command persists across reboots and PAN-OS upgrades.
  • From PAN-OS 12.1 onwards, the command no longer needs to be run manually, because the default state is akid-disable no (the firewall does not strip the AKID field).


Resolution


  • Check the Dataplane or PAN-OS version.
  • The PAN-OS version needs to be equal to or higher than one of the versions mentioned above.
  • Once confirmed, follow the steps below.
  1. Generate the Forward Trust certificate outside of Panorama (Strata Cloud Manager), ensuring the AKID and SKID fields are included.
  2. Import the newly generated certificate into the Panorama environment.
  3. Enable Forward Trust for the certificate (during a maintenance window).
  4. Test thoroughly after enabling Forward Trust, including user connectivity to the required applications and general web browsing, to ensure all applications are functioning correctly.
  5. Monitor the environment closely for further certificate-related issues.


Additional Information


  • Below are suggested steps to generate a certificate with OpenSSL so that the certificate contains the AKID and SKID extensions.
  • This certificate should then be imported into Panorama / Strata Cloud Manager together with its private key.
  • Trusted Root CA and Forward Trust should then be enabled on this certificate so that SSL decryption can provide the AKID field in the certificate presented post decryption.
  • The steps shown below are general steps for generating a certificate with OpenSSL and are for reference only. The administrator can use any other method using the organisation's PKI infrastructure as needed, or contact their IT team for further guidance.
openssl genrsa -out ca.key.pem 4096    ## generate the CA private key
openssl req -new -key ca.key.pem -out ca.csr.pem -subj "/C=AU/ST=VIC/L=Melbourne/O=MyOrg/OU=MyUnit/CN=My CA"    ## generate the CSR (optional: the self-signed command below signs directly from the key and the config file)


## Create a ca_openssl.cnf configuration file
## You need a config file because AKID and SKID must be set during signing.
[ req ]
default_bits       = 4096
distinguished_name = req_distinguished_name
x509_extensions    = v3_ca
prompt             = no

[ req_distinguished_name ]
C  = AU
ST = VIC
L  = Melbourne
O  = MyOrg
OU = MyUnit
CN = My CA

[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign


openssl req -x509 -new -nodes -key ca.key.pem -sha256 -days 3650 \
    -out ca.cert.pem -config ca_openssl.cnf    ## generate the self-signed CA certificate with the extensions from [ v3_ca ]

openssl x509 -in ca.cert.pem -text -noout    ## validate the certificate: confirm "X509v3 Subject Key Identifier" and "X509v3 Authority Key Identifier" appear under X509v3 extensions

#### ca.cert.pem is created. This is the certificate to import, together with ca.key.pem.
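The following is an added example (not from this article or Palo Alto Networks) that scripts the OpenSSL steps above and adds the two pre-import checks an administrator would want: that the generated CA certificate really carries both key identifier extensions, and that the private key being imported alongside it actually matches the certificate. It assumes openssl is on PATH and uses a scratch directory in WORK (defaulting to a mktemp directory).

```shell
#!/bin/sh
# Added example (not from the KB article): build a forward-trust CA with the
# article's OpenSSL settings, then run pre-import checks. Assumes openssl on
# PATH and a scratch dir in WORK (default: a mktemp directory).
set -eu
WORK="${WORK:-$(mktemp -d)}"
# Signing config: SKID/AKID live in x509_extensions, so they are only set at signing time.
write_cnf() {   # $1 = output path
  cat > "$1" <<'EOF'
[ req ]
default_bits       = 4096
distinguished_name = req_distinguished_name
x509_extensions    = v3_ca
prompt             = no
[ req_distinguished_name ]
C  = AU
ST = VIC
L  = Melbourne
O  = MyOrg
OU = MyUnit
CN = My CA
[ v3_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints       = critical, CA:true
keyUsage               = critical, digitalSignature, cRLSign, keyCertSign
EOF
}
# Self-signed CA from the config; 2048-bit key here for speed (the article uses 4096).
make_ca() {   # $1 = basename for the generated files
  write_cnf "$WORK/$1.cnf"
  openssl genrsa -out "$WORK/$1.key.pem" 2048 2>/dev/null
  openssl req -x509 -new -nodes -key "$WORK/$1.key.pem" -sha256 -days 3650 \
    -out "$WORK/$1.cert.pem" -config "$WORK/$1.cnf" 2>/dev/null
}
# Returns 0 only if the cert carries both key identifiers and is marked as a CA.
has_keyids() {   # $1 = certificate path
  txt=$(openssl x509 -in "$1" -noout -text) || return 1
  printf '%s\n' "$txt" | grep -q 'X509v3 Subject Key Identifier' &&
    printf '%s\n' "$txt" | grep -q 'X509v3 Authority Key Identifier' &&
    printf '%s\n' "$txt" | grep -q 'CA:TRUE'
}
# Returns 0 only if the private key belongs to the cert (both are imported together).
key_matches_cert() {   # $1 = cert path, $2 = key path
  a=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  b=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ "$a" = "$b" ]
}
```

Running `make_ca fwdtrust && has_keyids "$WORK/fwdtrust.cert.pem" && key_matches_cert "$WORK/fwdtrust.cert.pem" "$WORK/fwdtrust.key.pem"` exits 0 only when the certificate is safe to import as the Forward Trust CA.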


    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA1Ki000000k9ddKAA&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail