https://live.paloaltonetworks.com/t5/next-generation-firewall/decryption-failed/m-p/591990#M3410 <P>Hi guys ,&nbsp;</P> <P>PA820 . OS Version 10.2.9-h1</P> <P>&nbsp;</P> <P>I am try using the decryption function to see more application information<BR />I generated the CA certificate from PA and imported it locally.</P> <P>From the decryption log, I saw many errors with various URLs.<BR />Can anyone help explain how to eliminate this?</P> <P>&nbsp;</P> <P>error eq 'Received fatal alert CertificateUnknown from client. CA Issuer URL (truncated):<A href="http://cacerts.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1" target="_blank" rel="noopener">http://cacerts.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1</A>' <BR />URL: <A href="http://aia.entrust.net/l1k-chain256.cer" target="_blank" rel="noopener">http://aia.entrust.net/l1k-chain256.cer</A>'</P> Mon, 15 Jul 2024 08:58:33 GMT HY_Cheng 2024-07-15T08:58:33Z https://live.paloaltonetworks.com/t5/next-generation-firewall/decryption-failed/m-p/591990#M3410 <P>Hi guys ,&nbsp;</P> <P>PA820 . OS Version 10.2.9-h1</P> <P>&nbsp;</P> <P>I am try using the decryption function to see more application information<BR />I generated the CA certificate from PA and imported it locally.</P> <P>From the decryption log, I saw many errors with various URLs.<BR />Can anyone help explain how to eliminate this?</P> <P>&nbsp;</P> <P>error eq 'Received fatal alert CertificateUnknown from client. CA Issuer URL (truncated):<A href="http://cacerts.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1" target="_blank" rel="noopener">http://cacerts.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1</A>' <BR />URL: <A href="http://aia.entrust.net/l1k-chain256.cer" target="_blank" rel="noopener">http://aia.entrust.net/l1k-chain256.cer</A>'</P> Mon, 15 Jul 2024 08:58:33 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/decryption-failed/m-p/591990#M3410 HY_Cheng 2024-07-15T08:58:33Z https://live.paloaltonetworks.com/t5/next-generation-firewall/decryption-failed/m-p/591993#M3411 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/319731">@HY_Cheng</a>&nbsp;</P> <P>&nbsp;</P> <P>It seems like you're dealing with a classic incomplete chain issue.</P> <P>This often occurs with SSL/TLS certificates when the server doesn't provide the full certificate chain, excluding the root certificate.</P> <P><A href="https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/troubleshoot-and-monitor-decryption/decryption-logs/repair-incomplete-certificate-chains" target="_blank" rel="noopener">https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/troubleshoot-and-monitor-decryption/decryption-logs/repair-incomplete-certificate-chains</A>&nbsp;</P> <P>&nbsp;</P> Mon, 15 Jul 2024 09:14:39 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/decryption-failed/m-p/591993#M3411 CosminM 2024-07-15T09:14:39Z https://live.paloaltonetworks.com/t5/next-generation-firewall/decryption-failed/m-p/592198#M3419 <P>What exactly did you do when you generated the CA certificate from PA and imported in locally?</P> Tue, 16 Jul 2024 16:12:48 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/decryption-failed/m-p/592198#M3419 rmfalconer 2024-07-16T16:12:48Z https://live.paloaltonetworks.com/t5/next-generation-firewall/decryption-failed/m-p/592506#M3444 <P>I followed the file settings, and the text did not mention the need for a complete certificate chain.</P> <P>&nbsp;</P> <P>Only use self-signed CAs and choose to forward trust certificates</P> <P>&nbsp;</P> <P>From the traffic log, I can see that the appplication can be identified, but I still see a similar error in the decryption log. Is it necessary to complete the credential chain for a specific connection to eliminate this problem?<BR />Any ideas?</P> <P>&nbsp;</P> <P>Thank you so much</P> <P><A href="https://knowledgebase-paloaltonetworks-com.translate.goog/KCSArticleDetail?id=kA10g000000ClmyCAC&amp;_x_tr_sl=auto&amp;_x_tr_tl=zh-TW&amp;_x_tr_hl=zh-TW" target="_blank">https://knowledgebase-paloaltonetworks-com.translate.goog/KCSArticleDetail?id=kA10g000000ClmyCAC&amp;_x_tr_sl=auto&amp;_x_tr_tl=zh-TW&amp;_x_tr_hl=zh-TW</A></P> Fri, 19 Jul 2024 01:41:43 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/decryption-failed/m-p/592506#M3444 HY_Cheng 2024-07-19T01:41:43Z https://live.paloaltonetworks.com/t5/next-generation-firewall/decryption-failed/m-p/592507#M3445 <P>I followed the documentation settings, generated a self-signed CA and chose to forward the trust certificate<BR />Import the local trusted root certificate authority and set the porfile/policy<BR />Try to connect to check the traffic</P> <P>&nbsp;</P> <P><A href="https://knowledgebase-paloaltonetworks-com.translate.goog/KCSArticleDetail?id=kA10g000000ClmyCAC&amp;_x_tr_sl=auto&amp;_x_tr_tl=zh-TW&amp;_x_tr_hl=zh-TW" target="_blank">https://knowledgebase-paloaltonetworks-com.translate.goog/KCSArticleDetail?id=kA10g000000ClmyCAC&amp;_x_tr_sl=auto&amp;_x_tr_tl=zh-TW&amp;_x_tr_hl=zh-TW</A></P> Fri, 19 Jul 2024 01:44:33 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/decryption-failed/m-p/592507#M3445 HY_Cheng 2024-07-19T01:44:33Z https://live.paloaltonetworks.com/t5/next-generation-firewall/decryption-failed/m-p/592789#M3472 <P>What type of client are you using? Are they Windows machines? If so, when you browse the Trusted Root Certification Authorities store, do you see it there?</P> Tue, 23 Jul 2024 13:06:32 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/decryption-failed/m-p/592789#M3472 rmfalconer 2024-07-23T13:06:32Z