topic Sectigo Root CA Trusted Store Request in General Topics

Sectigo Root CA Trusted Store Request

L.Yalezo — Wed, 28 Jan 2026 11:38:03 GMT

Greetings,

Sectigo has (recently) updated their Public Root Certificates (mid-2025), introducing new roots including:

- RSA: Sectigo Public Server Authentication Root R46(https://crt.sh/?d=4256644734)

KB Articles for reference: https://www.sectigo.com/knowledge-base/detail/Sectigo-Root-Certificates

https://www.sectigo.com/knowledge-base/detail/Sectigo-Root-Certificates

https://www.sectigo.com/knowledge-base/detail/Sectigo-new-Public-Roots-and-Issuing-CAs-Hierarchy

https://www.sectigo.com/resource-library/changes-to-root-ca-hierarchies-and-trust-status

Currently, this root certificate is not present in Palo Alto’s Default Trusted Certificate Authorities store, as it is relatively new. The following Sectigo/COMODO roots are included today:

USERTrust RSA Certification Authority - https://crt.sh/?id=1199354

USERTrust ECC Certification Authority - https://crt.sh/?id=2841410
COMODO RSA Certification Authority - https://crt.sh/?id=1720081
COMODO ECC Certification Authority - https://crt.sh/?id=2835394

Would it be possible to have Sectigo Public Server Authentication Root R46 (https://crt.sh/?d=4256644734) included in Palo Alto's Default Trusted Certificate Authority store?

Re: Sectigo Root CA Trusted Store Request

kiwi — Wed, 28 Jan 2026 11:50:19 GMT

Hi @L.Yalezo ,

In the Palo Alto ecosystem, the Default Trusted Certificate Authorities store is historically updated via major PAN-OS releases (e.g., moving from 10.2.x to 11.1.x or 11.2.x).

PAN-OS Updates: This is the primary vehicle for permanent root store changes. Palo Alto usually syncs their default store with the Mozilla/Google root programs during the development of a new maintenance or feature release.

It will likely appear in a future release of the 11.2 or 12.0 trains.

Manual import is a workaround to address the issue.

Kind regards,

Re: Sectigo Root CA Trusted Store Request

L.Yalezo — Wed, 28 Jan 2026 12:20:13 GMT

Hi @kiwi

Thank you for the prompt feedback.

It’s possible that this root certificate, along with others, will be included in future releases of the 11.2 or 12.x trains, pending Palo Alto’s vetting process given that they are fairly new. According to this blog: https://blog.bressem.com/2025/11/palo-alto-is-missing-the-new-sectigo-root-cas/ this root certificate is still missing in versions 11.2.7-h4, 11.2.10 and 12.1.3-h1.

I was wondering if perhaps there are avenues to submit a feature request for including this root certificate, like one would do when requesting a reclassification of an application.

Many thanks.

Re: Sectigo Root CA Trusted Store Request

JayGolf — Thu, 29 Jan 2026 04:07:09 GMT

Hi @L.Yalezo ,

Currently, there is no code-level resolution for automatically updating this list outside of major PAN-OS releases nor is there a "feature request" for this.

You can manually import it as a trusted root CA to ensure that your firewall trusts the new Sectigo root certs.

Re: Sectigo Root CA Trusted Store Request

L.Yalezo — Thu, 29 Jan 2026 04:20:46 GMT

@JayGolf

Thank you.

Re: Sectigo Root CA Trusted Store Request

Brandon_Wertz — Fri, 06 Feb 2026 14:33:04 GMT

@JayGolf wrote:

Hi @L.Yalezo ,

Currently, there is no code-level resolution for automatically updating this list outside of major PAN-OS releases nor is there a "feature request" for this.

You can manually import it as a trusted root CA to ensure that your firewall trusts the new Sectigo root certs.

There is a FR for this, (which is NSFR-I-21203)...At least I'm told there was and that my company was added to the FR. I'll look for it and share it here.

That said this is something that Palo know about for years and something I've been complaining about to palo for the past 5+ years. It's so bad that a whole repo process was setup to solve this issue Palo has ignored.

https://github.com/PaloAltoNetworks/pan-chainguard

There is partial good news. In 12.1.2 Palo is trying to solve the missing intermediate cert issue as PAN-OS will attempt to dynamically download missing intermediate certificates (No current solve for roots, other than the code upgrade.)

Automatic Retrieval of Intermediate Certificates Using AIA

"We introduced a mechanism to fetch intermediate certificates via the AIA extension.
This mechanism can be toggled on/off by a new Decryption Profile setting: “Automatically Fetch Intermediate Certificates”
As part of decryption, when we encounter a server certificate with an incomplete chain, and the AIA CA Issuers extension is present (RFC5280), we will attempt to download an Intermediate CA certificate from the specified URL.
If successful, we cache the intermediate certificate for up to 1 week and use it to validate future traffic." *Caveats: The first session will show untrusted until the intermediate certificate(s) have been fetched*

Note:

This feature must be enabled on a Decryption Profile (“Automatically Fetch Intermediate Certificates”)
The intermediate certificate cache itself is only present on firewalls (not Panorama or SCM)
Panorama and SCM can only enable/disable the feature

https://docs.paloaltonetworks.com/ngfw/release-notes/12-1/features-introduced-in-pan-os/decryption-features

Re: Sectigo Root CA Trusted Store Request

Brandon_Wertz — Fri, 06 Feb 2026 14:33:57 GMT

@JayGolf / @L.Yalezo -- I've updated my post with the FR.

Re: Sectigo Root CA Trusted Store Request

Brandon_Wertz — Tue, 10 Mar 2026 12:26:43 GMT

@Brandon_Wertz wrote:

@JayGolf wrote:

Hi @L.Yalezo ,

Currently, there is no code-level resolution for automatically updating this list outside of major PAN-OS releases nor is there a "feature request" for this.

You can manually import it as a trusted root CA to ensure that your firewall trusts the new Sectigo root certs.

There is a FR for this, (which is NSFR-I-21203)...At least I'm told there was and that my company was added to the FR. I'll look for it and share it here.

That said this is something that Palo know about for years and something I've been complaining about to palo for the past 5+ years. It's so bad that a whole repo process was setup to solve this issue Palo has ignored.

https://github.com/PaloAltoNetworks/pan-chainguard

There is partial good news. In 12.1.2 Palo is trying to solve the missing intermediate cert issue as PAN-OS will attempt to dynamically download missing intermediate certificates (No current solve for roots, other than the code upgrade.)

Automatic Retrieval of Intermediate Certificates Using AIA

"We introduced a mechanism to fetch intermediate certificates via the AIA extension.
This mechanism can be toggled on/off by a new Decryption Profile setting: “Automatically Fetch Intermediate Certificates”
As part of decryption, when we encounter a server certificate with an incomplete chain, and the AIA CA Issuers extension is present (RFC5280), we will attempt to download an Intermediate CA certificate from the specified URL.
If successful, we cache the intermediate certificate for up to 1 week and use it to validate future traffic." *Caveats: The first session will show untrusted until the intermediate certificate(s) have been fetched*

Note:

This feature must be enabled on a Decryption Profile (“Automatically Fetch Intermediate Certificates”)
The intermediate certificate cache itself is only present on firewalls (not Panorama or SCM)
Panorama and SCM can only enable/disable the feature

https://docs.paloaltonetworks.com/ngfw/release-notes/12-1/features-introduced-in-pan-os/decryption-features

Just wanted to relay a bit more information I recently was given. I recently met with a PM over PAN-OS and he shared some things that either are coming or currently exist in the 12.1.2+ code base regarding certificates.

There is a solve coming for root certificates. It was also shared that the existing feature solve for intermediates is also distributed to all other firewalls, in real time, via Panorama (I think SCM as well) when managed by Panorama.

So with these 3 things in place or soon to be I think this issue will be solved for anyone running 12.1.2+

Re: Sectigo Root CA Trusted Store Request

L.Yalezo — Tue, 10 Mar 2026 12:32:19 GMT

Thank you for all this information @Brandon_Wertz