https://live.paloaltonetworks.com/t5/general-topics/pan-and-intermediate-cas/m-p/519973#M107792 <P>Hey&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/220841">@JayGolf</a>&nbsp;&nbsp;</P> <P>Thank you for reply and useful info. But it still seems a bit strange; almost every (if not every) website is signed by intermediate CA. After implementing and testing decryption (with certificate checks on PA) everything worked without adding any intermediate CAs. So are some intermediate CAs already included as Trusted CAs? Of course we didn't try every possible website but we didn't notice any issues then on websites we tried.</P> <P>Then last week there were suddenly lots of cases of having to import Intermediate CAs.</P> <P>&nbsp;</P> <P>And let's take for example google.com. It's signed by intermediate CA "<SPAN>GTS CA 1C3" which i never manually imported and is not among Default Trusted CAs. But i'm pretty sure the customer can access it otherwise they would report it ages ago.</SPAN></P> <P>&nbsp;</P> <P><SPAN>So what is the actual story with trust for Intermediate CAs?</SPAN></P> Wed, 02 Nov 2022 09:31:30 GMT santonic 2022-11-02T09:31:30Z https://live.paloaltonetworks.com/t5/general-topics/pan-and-intermediate-cas/m-p/519373#M107688 <P>Last couple of days I've had quite a few cases where I had to manually add intermediate CAs as a Trusted Root CA in order for decryption to work (for customers blocking untrusted CAs already on firewall).</P> <P>&nbsp;</P> <P>These are quite well known intermediate CAs like:&nbsp;</P> <P>DigiCert TLS RSA SHA256 2020 CA1</P> <P>GeoTrust RSA CA 2018</P> <P>Entrust Certification Authority - L1K</P> <P>Entrust Certification Authority - L1M</P> <P>GEANT OV RSA CA 4</P> <P>&nbsp;</P> <P>How come PAN's trusted Root CA list is lacking so many? How is it updated? Via content updates? I have content updates schduled daily.</P> <P>Anyone else having issues with this? I know there was only some to add in the past. But last couple of days I really had many to add at different customers.</P> <P><LI-PRODUCT title="SSL Decryption" id="SSL_Decryption"></LI-PRODUCT>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 27 Oct 2022 11:29:55 GMT https://live.paloaltonetworks.com/t5/general-topics/pan-and-intermediate-cas/m-p/519373#M107688 santonic 2022-10-27T11:29:55Z https://live.paloaltonetworks.com/t5/general-topics/pan-and-intermediate-cas/m-p/519965#M107786 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/10238">@santonic</a>&nbsp;,</P> <P>&nbsp;</P> <P>I found this regarding int-CAs "<SPAN>the firewall does not trust intermediate CAs by default because intermediate CAs are not a part of the chain of trust between the firewall and the trusted root CA. You must manually add any intermediate CAs that you want the firewall to trust, along with any additional trusted enterprise CAs that your organization requires" from <A href="https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/device/device-certificate-management-certificates/manage-default-trusted-certificate-authorities" target="_self">Manage Default Trusted Certificate Authoritie</A>s.</SPAN></P> <DIV class="banner"> <DIV class="banner-inner"> <H1>&nbsp;</H1> </DIV> </DIV> <DIV class="content"> <DIV class="content-inner"> <DIV class="book-detail-pagination"> <DIV>&nbsp;</DIV> </DIV> </DIV> </DIV> Wed, 02 Nov 2022 07:41:55 GMT https://live.paloaltonetworks.com/t5/general-topics/pan-and-intermediate-cas/m-p/519965#M107786 JayGolf 2022-11-02T07:41:55Z https://live.paloaltonetworks.com/t5/general-topics/pan-and-intermediate-cas/m-p/519973#M107792 <P>Hey&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/220841">@JayGolf</a>&nbsp;&nbsp;</P> <P>Thank you for reply and useful info. But it still seems a bit strange; almost every (if not every) website is signed by intermediate CA. After implementing and testing decryption (with certificate checks on PA) everything worked without adding any intermediate CAs. So are some intermediate CAs already included as Trusted CAs? Of course we didn't try every possible website but we didn't notice any issues then on websites we tried.</P> <P>Then last week there were suddenly lots of cases of having to import Intermediate CAs.</P> <P>&nbsp;</P> <P>And let's take for example google.com. It's signed by intermediate CA "<SPAN>GTS CA 1C3" which i never manually imported and is not among Default Trusted CAs. But i'm pretty sure the customer can access it otherwise they would report it ages ago.</SPAN></P> <P>&nbsp;</P> <P><SPAN>So what is the actual story with trust for Intermediate CAs?</SPAN></P> Wed, 02 Nov 2022 09:31:30 GMT https://live.paloaltonetworks.com/t5/general-topics/pan-and-intermediate-cas/m-p/519973#M107792 santonic 2022-11-02T09:31:30Z