https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-issue-wrong-certificate/m-p/141347#M48393 <P>@Retired Member&nbsp;ok with firefox l am not even able to open this website. Chrome also is not complaining:</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Chrome.PNG" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/7652i60B0885AC913BB89/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Chrome.PNG" alt="Chrome.PNG" /></span></P><P>I am new to SSL so if you can let me know what is actually happening with the server cert l will&nbsp;appreciate:0</P><P>&nbsp;</P><P>Thx,</P><P>Myky</P> Mon, 06 Feb 2017 19:28:36 GMT TranceforLife 2017-02-06T19:28:36Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-issue-wrong-certificate/m-p/141302#M48382 <P>Hi All,</P><P>&nbsp;</P><P>Having SSL Decryption issue with one of the websites at the moment (<A href="https://wiki.freeradius.org/Home" target="_blank">https://wiki.freeradius.org/Home</A>)</P><P>So testing without decryption and checking certs chain:</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="PA1.PNG" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/7642i29B1544C319D4CA8/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="PA1.PNG" alt="PA1.PNG" /></span></P><P>&nbsp;</P><P>Can see root CA on Palo:</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="PA2.PNG" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/7643i0E53B504169B5B29/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="PA2.PNG" alt="PA2.PNG" /></span></P><P>&nbsp;</P><P>So all looks good. Implementing SSL Decryption (test version only) with two certs generated on PA one for forward trust another is for forward untrust:</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="CERTS.PNG" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/7644i1182B62CE4990A62/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="CERTS.PNG" alt="CERTS.PNG" /></span></P><P>&nbsp;</P><P>Doing a test with some websites reviewing a forward trust cert. As an example bbc.co.uk:</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="BBC.PNG" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/7645iCFD0AB8429E88D52/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="BBC.PNG" alt="BBC.PNG" /></span></P><P>&nbsp;</P><P>l didn't&nbsp;import cert to the test PC as want to confirm first everything is working fine.</P><P>Done another test with the&nbsp;websites which allow&nbsp;decryption all looks good correct cert is forwarded. But for the website&nbsp;<SPAN><A href="https://wiki.freeradius.org/Home" target="_blank">https://wiki.freeradius.org/Home</A> getting the wrong cert which is forward untrust:</SPAN></P><P>&nbsp;</P><P><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="PA3.PNG" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/7647i04941071F004210A/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="PA3.PNG" alt="PA3.PNG" /></span></SPAN></P><P>&nbsp;</P><P><SPAN>Don't know why. Cache is cleared, and the new cert is recreated for untrust but still the same.&nbsp;</SPAN></P><P>&nbsp;</P><P><SPAN>PA-5050 Active/Active PAN-OS 7.1.5</SPAN></P><P>&nbsp;</P><P><SPAN>Am l missing something simple?</SPAN></P><P>&nbsp;</P><P><SPAN>Regards,</SPAN></P><P><SPAN>Myky</SPAN></P> Mon, 06 Feb 2017 19:05:25 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-issue-wrong-certificate/m-p/141302#M48382 TranceforLife 2017-02-06T19:05:25Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-issue-wrong-certificate/m-p/141338#M48388 <P>Check the results there is your answer:</P><P><A href="https://www.ssllabs.com/ssltest/analyze.html?d=wiki.freeradius.org&amp;hideResults=on" target="_blank">https://www.ssllabs.com/ssltest/analyze.html?d=wiki.freeradius.org&amp;hideResults=on</A></P><P>&nbsp;</P> Mon, 06 Feb 2017 19:09:29 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-issue-wrong-certificate/m-p/141338#M48388 Retired Member 2017-02-06T19:09:29Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-issue-wrong-certificate/m-p/141341#M48389 <P>I'm not certain, but this might be caused by an incomplete certificate chain (per ssllabs.com):</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="cert.png" style="width: 500px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/7650i12964AAA1792E75B/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="cert.png" alt="cert.png" /></span></P><P>&nbsp;</P><P>The traffic log complains about cert-validation as well:</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="traffic.png" style="width: 500px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/7651i7864363C2904FB5E/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="traffic.png" alt="traffic.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P><A href="https://www.ssllabs.com/ssltest/analyze.html?d=wiki.freeradius.org" target="_blank">https://www.ssllabs.com/ssltest/analyze.html?d=wiki.freeradius.org</A></P><P>&nbsp;</P><P>&nbsp;</P> Mon, 06 Feb 2017 19:12:02 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-issue-wrong-certificate/m-p/141341#M48389 jvalentine 2017-02-06T19:12:02Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-issue-wrong-certificate/m-p/141343#M48391 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/22017">@jvalentine</a>&nbsp;@Retired Member&nbsp;thanks all. Looks like&nbsp;l missing something simple. Why the&nbsp;web-browser is not complaining without ssl&nbsp;decryption in place?</P> Mon, 06 Feb 2017 19:17:14 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-issue-wrong-certificate/m-p/141343#M48391 TranceforLife 2017-02-06T19:17:14Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-issue-wrong-certificate/m-p/141344#M48392 <P>Its because you use IE.</P><P>IE wil try to dowload the missing certificates in the chain.</P><P>Try firefox and&nbsp;it will complain.</P> Mon, 06 Feb 2017 19:20:01 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-issue-wrong-certificate/m-p/141344#M48392 Retired Member 2017-02-06T19:20:01Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-issue-wrong-certificate/m-p/141347#M48393 <P>@Retired Member&nbsp;ok with firefox l am not even able to open this website. Chrome also is not complaining:</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Chrome.PNG" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/7652i60B0885AC913BB89/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Chrome.PNG" alt="Chrome.PNG" /></span></P><P>I am new to SSL so if you can let me know what is actually happening with the server cert l will&nbsp;appreciate:0</P><P>&nbsp;</P><P>Thx,</P><P>Myky</P> Mon, 06 Feb 2017 19:28:36 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-issue-wrong-certificate/m-p/141347#M48393 TranceforLife 2017-02-06T19:28:36Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-issue-wrong-certificate/m-p/141350#M48395 <P>Its not a problem of the PA or your decryption settings.</P><P>&nbsp;</P><P>The website certificate is incorrect configured, the intermediate certificates are missing.</P><P>Thats why the PA sends the "not trusted" certificate to your browser.</P> Mon, 06 Feb 2017 19:40:56 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-issue-wrong-certificate/m-p/141350#M48395 Retired Member 2017-02-06T19:40:56Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-issue-wrong-certificate/m-p/141358#M48396 <P>Hi&nbsp;@Retired Member</P><P>&nbsp;</P><P>Ok cool as you said before IE and Chrome will ignore this, right? As long as it has a root CA.</P><P>&nbsp;</P><P>Thx,</P><P>Myky</P> Mon, 06 Feb 2017 19:36:50 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-issue-wrong-certificate/m-p/141358#M48396 TranceforLife 2017-02-06T19:36:50Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-issue-wrong-certificate/m-p/141360#M48397 <P>Yes, &nbsp;Chrome(uses the windows&nbsp;cert store)&nbsp;and IE will try to download the intermediate certs as long as they have a valid root CA in their certificate store.</P> Mon, 06 Feb 2017 19:40:34 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-issue-wrong-certificate/m-p/141360#M48397 Retired Member 2017-02-06T19:40:34Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-issue-wrong-certificate/m-p/141362#M48399 <P>Cool l have learned&nbsp;something new today. Thanks/ Last thing Do you have any good&nbsp;article explaining this?</P><P>&nbsp;</P><P>Thx,</P><P>Myky</P> Mon, 06 Feb 2017 19:53:37 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-issue-wrong-certificate/m-p/141362#M48399 TranceforLife 2017-02-06T19:53:37Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-issue-wrong-certificate/m-p/141375#M48404 <P>Your welcome.</P><P>I don't have documentation on this issue specific.&nbsp; (&nbsp;its all in my head <span class="lia-unicode-emoji" title=":winking_face:">😉</span> )</P> Mon, 06 Feb 2017 20:06:44 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-issue-wrong-certificate/m-p/141375#M48404 Retired Member 2017-02-06T20:06:44Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-issue-wrong-certificate/m-p/141542#M48419 <P>To fix the issue for this particular website l did import a&nbsp;COMODORSADomainValidationSecureServerCA.crt&nbsp;to the box:</P><P>&nbsp;</P><P><A href="https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Import-the-Intermediate-CA-on-the-Firewall/ta-p/52196" target="_blank">https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Import-the-Intermediate-CA-on-the-Firewall/ta-p/52196</A></P><P>&nbsp;</P><P>&nbsp;</P> Tue, 07 Feb 2017 13:26:10 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-issue-wrong-certificate/m-p/141542#M48419 TranceforLife 2017-02-07T13:26:10Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-issue-wrong-certificate/m-p/141546#M48420 <P>In my opinion is importing the intermediate certificate in this situation wrong.</P><P>The behaviour was as expected and correct.</P><P>&nbsp;</P><P>With this "fix", you are covering a warning that the site is misconfigured.</P> Tue, 07 Feb 2017 13:53:09 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-issue-wrong-certificate/m-p/141546#M48420 Retired Member 2017-02-07T13:53:09Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-issue-wrong-certificate/m-p/141569#M48424 <P>I do agree with you as really&nbsp;it is a &nbsp;"masquerading" of the problem.&nbsp;</P> Tue, 07 Feb 2017 14:03:22 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-issue-wrong-certificate/m-p/141569#M48424 TranceforLife 2017-02-07T14:03:22Z