https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-presenting-untrusted-certificate-for-certain-site/m-p/93555#M43881 <P>Palo Alto have certificate store and in that store we keep root CA certs. The Root CA of the website that you are visiting is not there in the store that's why you are getting that untrusted &nbsp;cert. If you google for the root ca usertrust RSA certification authority you will find people are complaining about the cert.</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="mRemoteNG_2016-07-03_01-07-55.png" style="width: 549px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/4611i1D22870DE21366FF/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="mRemoteNG_2016-07-03_01-07-55.png" alt="mRemoteNG_2016-07-03_01-07-55.png" /></span></P> Sun, 03 Jul 2016 08:17:08 GMT pankaku 2016-07-03T08:17:08Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-presenting-untrusted-certificate-for-certain-site/m-p/93475#M43878 <P>Can somebody explain why the PA is presenting the untrusted certificate when browsing to&nbsp;<A href="https://community.mcafee.com" target="_blank">https://community.mcafee.com</A> ?</P><P>&nbsp;</P><P>So far all of the other HTTPS sites that I've tested have worked perfectly. &nbsp;This is on 7.1.3.</P><P>&nbsp;</P><P>I opened a ticket with PAN and the tech said it's because the PAN doesn't trust some of the CA's used by that site's certificate, but I'm confused why the browsers trust it then?</P><P>&nbsp;</P><P>Thanks.</P> Fri, 01 Jul 2016 18:01:07 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-presenting-untrusted-certificate-for-certain-site/m-p/93475#M43878 Jsitter 2016-07-01T18:01:07Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-presenting-untrusted-certificate-for-certain-site/m-p/93555#M43881 <P>Palo Alto have certificate store and in that store we keep root CA certs. The Root CA of the website that you are visiting is not there in the store that's why you are getting that untrusted &nbsp;cert. If you google for the root ca usertrust RSA certification authority you will find people are complaining about the cert.</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="mRemoteNG_2016-07-03_01-07-55.png" style="width: 549px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/4611i1D22870DE21366FF/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="mRemoteNG_2016-07-03_01-07-55.png" alt="mRemoteNG_2016-07-03_01-07-55.png" /></span></P> Sun, 03 Jul 2016 08:17:08 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-presenting-untrusted-certificate-for-certain-site/m-p/93555#M43881 pankaku 2016-07-03T08:17:08Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-presenting-untrusted-certificate-for-certain-site/m-p/232483#M66679 <P>Sorry for bringing up an old post, but this came up in my search and I just wanted to add to the explanation here.</P><P>&nbsp;</P><P>You can test the SSL certificate for any site here:&nbsp; <A href="https://www.ssllabs.com/ssltest/analyze.html" target="_self">https://www.ssllabs.com/ssltest/analyze.html</A>.&nbsp; If the Certification Paths indicates that one of the certificates required an "extra download", then that is an indication that the remote site did not properly include all certificates in the chain in their SSL Handshake.&nbsp;</P><P>&nbsp;</P><P>For example, I was having problems with <A href="https://www.cisco-global-returns.com" target="_self">https://www.cisco-global-returns.com</A>.</P><P>&nbsp;</P><P>In the Certification Paths section, we can see that the server did not provide the full certificate chain as it should (Sent by server).&nbsp; You can see that the certificate USERTrust RSA Certification Authority was not sent by the server, so the testing site had to download the certificate.</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Snag_5029ba8.png" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/16793iC22A468A0D5E260D/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Snag_5029ba8.png" alt="Snag_5029ba8.png" /></span></P><P>&nbsp;</P><P>While this is technically a problem with the configuration at the remote site, users will be frustrated that the site works properly when browsed from networks not under Palo Alto SSL Decryption.&nbsp; To work around this problem, you can import the missing Intermediate certificate into your firewall.&nbsp; Note however, that you will now take responsibility for ensuring that the certificate you just imported has not been revoked, so use your best judgement here.</P><P>&nbsp;</P><P>Directions for importing an Intermediate Cert:&nbsp; <A href="https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Import-the-Intermediate-CA-on-the-Firewall/ta-p/52196" target="_self">https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Import-the-Intermediate-CA-on-the-Firewall/ta-p/52196</A></P><P>&nbsp;</P><P>&nbsp;</P> Wed, 26 Sep 2018 16:26:27 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-presenting-untrusted-certificate-for-certain-site/m-p/232483#M66679 svintinner 2018-09-26T16:26:27Z