topic Re: SSL Decryption - replacing Forward Trust Certificate not working for IOS devices in General Topics

SSL Decryption - replacing Forward Trust Certificate not working for IOS devices

Ben-Price — Fri, 21 Jan 2022 01:41:03 GMT

Hi All,

The Forward Trust certificate on a PA-820 firewall pair was expiring, so we issued a new SubCA certificate from the Windows ADCS root CA server and updated it on the firewall. The certificate was imported with a 2048bit key and there is a password on the key. Since switching over to the new certificate for forward trust (SSL Decryption), IOS devices are no longer able to browse to the internet when an SSL Decryption policy is applied, where Windows devices are able to without issue. The IOS devices show an error “This connection is not private”.

I have verified the certificate trust chain is valid and correct on other devices, and I have verified that the root CA is trusted on the IOS devices. Switching back to the old certificate fixes the issue, however this certificate has now expired.

I have also tried re-issuing the SubCA certificate several times with various changes without any success. The Decryption profile supports tls 1.0 -1.2, however I also tried enabling 1.3 and this made no difference. (this has been reverted now).

In the decryption log on the firewall I see the following errors “Received fatal alert CertificateUnknown from client. CA Issuer URL…>”

I have tried Chrome and Safari.

I have tried IOS 14 and 15 (latest).

All websites are affected

Used the same certificate template as the previous SubCA cert

Restarted management server

Does anyone have any idea what may be causing this issue and what steps we can take to diagnose and resolve the issue?

Re: SSL Decryption - replacing Forward Trust Certificate not working for IOS devices

BPry — Fri, 21 Jan 2022 03:44:14 GMT

@Ben-Price,

Do the iOS devices have the new SubCA added as a trusted certificate within their certificate store or the required root/intermediate certificates for this SubCA cert to be trusted? Right off the bat I would really look at the certificates your forcing on iOS through I would assume your MDM solution.

Re: SSL Decryption - replacing Forward Trust Certificate not working for IOS devices

Ben-Price — Fri, 21 Jan 2022 03:56:50 GMT

@BPry Yes, the required root CA is trusted on the iOS devices. It is the same Root CA that issued the last SubCA cert. Tried installing the SubCA cert on the iOS device and trusting that but still the same issue.

Re: SSL Decryption - replacing Forward Trust Certificate not working for IOS devices

Jake_Aguinaga — Tue, 06 Sep 2022 15:33:09 GMT

Did you ever get this resolved. Running into very similar issue with mac/ios.

Re: SSL Decryption - replacing Forward Trust Certificate not working for IOS devices

jorgensovik — Wed, 14 Sep 2022 07:53:35 GMT

It looks like in PANOS 10.2 you have to create the forward trust CA on the firewall, and not from another CA. Could be the same issue with other OS versions as well.

Recreating the trust CA on the firewall fixed my problem in 10.2

Re: SSL Decryption - replacing Forward Trust Certificate not working for IOS devices

christian_pacher — Fri, 07 Jul 2023 13:15:39 GMT

Problem was related (in my case) to the encryption length of the sub CA. For IOS and Linux devices the subCA must have a minimum length of 3072 Bit (CA/Browser Forum should have decided that starting from 1/06/2021 )

Re: SSL Decryption - replacing Forward Trust Certificate not working for IOS devices

rmfalconer — Tue, 11 Jul 2023 15:52:37 GMT

The fix has been in place for a while but it's worth posting this in case people run into this issue. There was an issue that impacted MAC devices, was fixed in 10.2.3+ and 10.1.8+

With Decryption enabled, macOS Monterey and above are having ce... - Knowledge Base - Palo Alto Networks