https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-troubleshooting-decrypt-cert-validation/m-p/232742#M66768 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/40971">@SShnap</a>,</P><P>The default list is generally refreshed during major software updates on the firewall. For the certificates that you have to manually upload on the firewall you essentially have to manage them; so updating them as they expire, deleting them when no longer needed, deleting any that you no longer considered a trusted source, all falls on you to manage.&nbsp;</P> Thu, 27 Sep 2018 15:51:06 GMT BPry 2018-09-27T15:51:06Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-troubleshooting-decrypt-cert-validation/m-p/232591#M66717 <P>I have been working with SSL decryption over 4 month on testing team.</P><P>&nbsp;</P><P>Most of the traffic is OK but I see some of the traffic are being Aged-Out and some&nbsp;and decrypt-cert-validation as the&nbsp;session end reason.</P><P>&nbsp;</P><P>Tried to do packet capture without seeing the reason it being blocked.</P><P>&nbsp;</P><P>The end user receive the error:&nbsp; "There is an issue with the SSL certificate of the server you are trying to contact."</P><P>&nbsp;</P><P>The certificate on the original site look OK from comodo and it's valid and the sites are legit.</P><P>&nbsp;</P><P>Hope the screenshots from packet captuering will be helpful for discovering the problem.</P><P>&nbsp;</P><P>Thank you for the help.</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2018_09_26_14_53_27_Certificate_Error.jpg" style="width: 740px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/16803i1D56317DE204449D/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="2018_09_26_14_53_27_Certificate_Error.jpg" alt="2018_09_26_14_53_27_Certificate_Error.jpg" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2018-09-26 14_57_38-trs.pcap.jpg" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/16804i8A975B535F8AEF6A/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="2018-09-26 14_57_38-trs.pcap.jpg" alt="2018-09-26 14_57_38-trs.pcap.jpg" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2018-09-26 14_56_41-rcv (2).pcap.jpg" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/16805iA268AFA1718E808F/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="2018-09-26 14_56_41-rcv (2).pcap.jpg" alt="2018-09-26 14_56_41-rcv (2).pcap.jpg" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2018-09-26 14_55_59-fw (2).pcap.jpg" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/16806iFF31E5A4044CB0E2/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="2018-09-26 14_55_59-fw (2).pcap.jpg" alt="2018-09-26 14_55_59-fw (2).pcap.jpg" /></span></P> Wed, 26 Sep 2018 22:01:12 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-troubleshooting-decrypt-cert-validation/m-p/232591#M66717 SShnap 2018-09-26T22:01:12Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-troubleshooting-decrypt-cert-validation/m-p/232626#M66726 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/40971">@SShnap</a>,</P><P>This is due to the firewall not trusting the entire certificate chain, or the site not presenting the entire certificate chain. If you look at the entire chain on a PC that is not being decrypted so that you can get the entire chain, then verify that the firewall actually trusts the Root and Intermidate CAs. If not, follow the instructions <A href="https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Import-the-Intermediate-CA-on-the-Firewall/ta-p/52196" target="_self">HERE&nbsp;</A></P> Thu, 27 Sep 2018 01:08:02 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-troubleshooting-decrypt-cert-validation/m-p/232626#M66726 BPry 2018-09-27T01:08:02Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-troubleshooting-decrypt-cert-validation/m-p/232741#M66767 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>&nbsp;Thank you for the fast response.</P><P>&nbsp;</P><P>when I saw the error I checked the COMODO cert in on Default Trusted Certificate Authorities list on the firewall.</P><P>&nbsp;</P><P>Thank you it's working now.</P><P>&nbsp;</P><P>Do you know if that list of Default Trusted Certificate Authorities get updated by Palo Alto? so in the future I will be able to remove the cert I added manually?</P> Thu, 27 Sep 2018 15:48:01 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-troubleshooting-decrypt-cert-validation/m-p/232741#M66767 SShnap 2018-09-27T15:48:01Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-troubleshooting-decrypt-cert-validation/m-p/232742#M66768 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/40971">@SShnap</a>,</P><P>The default list is generally refreshed during major software updates on the firewall. For the certificates that you have to manually upload on the firewall you essentially have to manage them; so updating them as they expire, deleting them when no longer needed, deleting any that you no longer considered a trusted source, all falls on you to manage.&nbsp;</P> Thu, 27 Sep 2018 15:51:06 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-troubleshooting-decrypt-cert-validation/m-p/232742#M66768 BPry 2018-09-27T15:51:06Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-troubleshooting-decrypt-cert-validation/m-p/232743#M66769 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>&nbsp; So I need to downlaod from each well-known cert vendors and upload them the same way to avoid future ssl decryption failures like that.</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 27 Sep 2018 15:54:26 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-troubleshooting-decrypt-cert-validation/m-p/232743#M66769 SShnap 2018-09-27T15:54:26Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-troubleshooting-decrypt-cert-validation/m-p/232774#M66778 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/40971">@SShnap</a>,</P><P>I generally only recommend folks add the certificates they actually need. As you run into the issue then upload the cert and trust it.&nbsp;</P> Thu, 27 Sep 2018 17:40:11 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-troubleshooting-decrypt-cert-validation/m-p/232774#M66778 BPry 2018-09-27T17:40:11Z