topic Re: How to get the full CA Issuer URL when it is truncated in the decryption log in General Topics

How to get the full CA Issuer URL when it is truncated in the decryption log

Hamid.Saffarzadeh — Tue, 26 Jul 2022 12:39:10 GMT

Hi guys,

I am checking the decryption logs, to repair the certificate chain as mentioned in the guide below:

https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/decryption/troubleshoot-and-monitor-decryption/decryption-logs/repair-incomplete-certificate-chains

The issue is some cannot provide the full URL of the missing root CA/Issuer, for instance:

( error eq 'Received fatal alert CertificateUnknown from client. CA Issuer URL (truncated):http://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20TLS%2' )

I was wondering if there is any way to retrieve this address in full to proceed with certificate chain repair.

Regards,

Hamid Saffarzadeh

Re: How to get the full CA Issuer URL when it is truncated in the decryption log

Hamid.Saffarzadeh — Mon, 22 Aug 2022 13:27:40 GMT

Hi team,

It seems adding a .crl or .crt at the end of the address should help. Also, when they are usually Microsoft certs adding the .crl doesn't work, however, we can test by getting the certificates from https://www.microsoft.com/pki/mscorp/cps/default.htm

Cheers,

Hamid

Re: How to get the full CA Issuer URL when it is truncated in the decryption log

jplotkin — Thu, 06 Apr 2023 14:40:39 GMT

Make sure you have the Client SSL Cert in the correct location. Internet Options -> Content -> Certificates -> Import -> select your cert -> Select Place all certificates in the following store -> Browser -> Trusted Root Certification Authorities directory.

That solved our problem.

Re: How to get the full CA Issuer URL when it is truncated in the decryption log

VirupakshaRajapur — Wed, 01 Nov 2023 15:43:00 GMT

Hi,

Anyone get the solution for this issue. we are getting the same issue

Received fatal alert CertificateUnknown from client. CA Issuer URL (truncated):http://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20ECC%2

We are looking for the permanent fix as solution given in below article is the workaround for which lot of manual task need to do.

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/troubleshoot-and-monitor-decryption/decryption-logs/repair-incomplete-certificate-chains

Re: How to get the full CA Issuer URL when it is truncated in the decryption log

EddieJimenez — Wed, 12 Feb 2025 15:12:38 GMT

I found the http address for the crt chain through a packet capture.

If you filter for TLS you can see it in the server hello. Just follow the TCP stream and it will show you where they are coming from.

http://www.microsoft.com/pkiops/certs/Microsoft%20Update%20Secure%20Server%20CA%202.1.crt

http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt

Hope this helps.