EDL update fails with error "Server certificate authentication failed. A local copy of associated external dynamic list will be used, so it won’t impact your policy"

Created On 08/05/25 00:11 AM - Last Modified 09/12/25 19:38 PM


Symptom


  • EDL fails to fetch updates from the URL: https://edl-choc.xdr.us.paloaltonetworks.com/block_list?type=ip
  • Traffic and threat policies using the EDL continue to function using the cached copy, but the EDL is not updated.
  • Manual refresh attempts result in the following error in system logs:
EDL server certificate authentication failed. A local copy of associated external dynamic list will be used, so it won’t impact your policy.
EDL Name: XDR-IPs,
EDL Source URL: https://edl-choc.xdr.us.paloaltonetworks.com/block_list?type=ip,
CN: *.xdr.us.paloaltonetworks.com,
Reason: self signed certificate in certificate chain


Environment


  • Palo Alto Networks NGFW
  • PAN-OS (any supported version)
  • EDL over HTTPS with certificate validation enabled
  • Cortex XDR 


Cause


The firewall is unable to validate the complete SSL certificate chain presented by the EDL server (`*.xdr.us.paloaltonetworks.com`).

Possible causes:

  • Missing or untrusted intermediate or root CA certificates
  • The server presents a chain with a self-signed certificate
  • The firewall’s certificate store lacks one or more required CA certs


Resolution


Step 1: Retrieve the Certificate Chain:

  1. Run the following command from a Linux/Unix system or root shell on the firewall (if enabled):
openssl s_client -showcerts -connect edl-choc.xdr.us.paloaltonetworks.com:443
  2. Copy all certificates shown in the output (from `-----BEGIN CERTIFICATE-----` to `-----END CERTIFICATE-----`).

Step 2: Save and Import Certificates:


  1. Paste each certificate into separate text files (e.g., `root.crt`, `intermediate.crt`).
  2. On the firewall UI, go to Device > Certificate Management > Certificates.
  3. Click Import and select the `.crt` file.
  4. For CA certificates, ensure "Trusted Root CA" is checked during import.
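The splitting in Steps 1 and 2 can be scripted instead of copying blocks by hand. This is an added example, not part of the KB article: `split_chain` writes one `.crt` file per certificate from saved `s_client` output, `describe_chain` shows which file is the self-signed root (subject equals issuer), and `write_sample_output` produces a constructed sample with placeholder PEM bodies so the split can be tried offline. The hostnames and CA names in the sample are assumed.

```shell
#!/bin/sh
# Added example (not from the KB article): split the output of
#   openssl s_client -showcerts -connect edl-choc.xdr.us.paloaltonetworks.com:443 </dev/null
# into one PEM file per certificate for import on the firewall.
# (</dev/null closes stdin so s_client exits after the handshake.)

# Split s_client output ($1) into $2/chain-N.crt; chain-0.crt is the
# server certificate, higher numbers are the CAs that signed it.
# Prints how many certificates were found.
split_chain() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { out = dir "/chain-" (n + 0) ".crt"; n++; inside = 1 }
    inside { print > out }
    /-----END CERTIFICATE-----/ { inside = 0; close(out) }
    END { print n + 0 }
  ' "$1"
}

# Print subject and issuer of each file; the one whose subject equals its
# issuer is the self-signed root to import with "Trusted Root CA" checked.
describe_chain() {
  for f in "$1"/chain-*.crt; do
    printf '%s: ' "$f"
    openssl x509 -noout -subject -issuer -in "$f" | tr '\n' ' '
    echo
  done
}

# Constructed sample of the relevant part of s_client output; the PEM
# bodies are placeholders, not real certificates.
write_sample_output() {
  cat >"$1" <<'EOF'
Certificate chain
 0 s:CN = *.xdr.us.paloaltonetworks.com
   i:CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
placeholder-leaf
-----END CERTIFICATE-----
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
placeholder-intermediate
-----END CERTIFICATE-----
 2 s:CN = Example Root CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
placeholder-root
-----END CERTIFICATE-----
EOF
}
```

Run `split_chain` on saved `s_client` output and then `describe_chain` on the output directory; with the constructed sample only the split works, since the placeholder bodies are not parseable certificates.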


Step 3: Create Certificate Profile (if not created):


  1. Navigate to Device > Certificate Management > Certificate Profile.
  2. Under CA Certificates, add the imported root and intermediate certificates.

Step 4: Apply Certificate Profile to EDL:


  1. Go to Objects > External Dynamic Lists.
  2. Edit the affected EDL (e.g., `XDR-IPs`).
  3. Under Certificate Profile, select the one you just created.
  4. Click OK and commit the changes.


Step 5: Refresh the EDL:


  1. Still under Objects > External Dynamic Lists, click Refresh/Import on the affected EDL.
  2. If successful, the task manager should show the message: "Successfully fetched external dynamic list..."

