<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic SSL certificate has expired end date after PA decryption in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/ssl-certificate-has-expired-end-date-after-pa-decryption/m-p/1254969#M126507</link>
    <description>&lt;P&gt;Running into a weird problem with SSL decryption and a vendor's internet certificate that has broken after going through the Palo Alto. An external vendor updated their internet-facing certificate this afternoon and internal users immediately started receiving certificate expired errors. Externally the certificate appears fine, but internally the certificate now has a negative lifespan (expired before the cert was issued). Has anyone seen this before?&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;The cert was issued by Let's Encrypt. Checking the cert externally, it looks good. As far as I can tell the new cert is not revoked. When externally checking the cert I get a lifetime of:&lt;/P&gt;
&lt;P&gt;260528202420Z -- 260826202419Z&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;However, in the PA ssl-decrypt certificate-cache, and presented to the internal client, it now has a lifetime of:&lt;/P&gt;
&lt;P&gt;260528202451Z -- 2&lt;STRONG&gt;5&lt;/STRONG&gt;0915160000Z&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;...meaning it expired Aug 15 2025, 8 months before it was issued. The certificate-cache CRL status also shows expired, but I am unable to replicate this externally.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I have cleared the decrypt cache and retried with the same effect. It seems like this is a PA bug that is breaking certificates? I have recently upgraded to 10.2.16-h8 to fix the various recent CVEs, but I am not seeing anything in the known issues notes that seems to relate to this.&lt;/P&gt;</description>
    <pubDate>Fri, 29 May 2026 00:21:52 GMT</pubDate>
    <dc:creator>Adrian_Jensen</dc:creator>
    <dc:date>2026-05-29T00:21:52Z</dc:date>
    <item>
      <title>SSL certificate has expired end date after PA decryption</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/ssl-certificate-has-expired-end-date-after-pa-decryption/m-p/1254969#M126507</link>
      <description>&lt;P&gt;Running into a weird problem with SSL decryption and a vendor's internet certificate that has broken after going through the Palo Alto. An external vendor updated their internet-facing certificate this afternoon and internal users immediately started receiving certificate expired errors. Externally the certificate appears fine, but internally the certificate now has a negative lifespan (expired before the cert was issued). Has anyone seen this before?&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;The cert was issued by Let's Encrypt. Checking the cert externally, it looks good. As far as I can tell the new cert is not revoked. When externally checking the cert I get a lifetime of:&lt;/P&gt;
&lt;P&gt;260528202420Z -- 260826202419Z&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;However, in the PA ssl-decrypt certificate-cache, and presented to the internal client, it now has a lifetime of:&lt;/P&gt;
&lt;P&gt;260528202451Z -- 2&lt;STRONG&gt;5&lt;/STRONG&gt;0915160000Z&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;...meaning it expired Aug 15 2025, 8 months before it was issued. The certificate-cache CRL status also shows expired, but I am unable to replicate this externally.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I have cleared the decrypt cache and retried with the same effect. It seems like this is a PA bug that is breaking certificates? I have recently upgraded to 10.2.16-h8 to fix the various recent CVEs, but I am not seeing anything in the known issues notes that seems to relate to this.&lt;/P&gt;</description>
      <pubDate>Fri, 29 May 2026 00:21:52 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/ssl-certificate-has-expired-end-date-after-pa-decryption/m-p/1254969#M126507</guid>
      <dc:creator>Adrian_Jensen</dc:creator>
      <dc:date>2026-05-29T00:21:52Z</dc:date>
    </item>
  </channel>
</rss>

