https://live.paloaltonetworks.com/t5/general-topics/decryption-certificate-validation-issue/m-p/276998#M75402 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>&nbsp;</P><P>&nbsp;</P><P>Thanks for your help, It works after adding certificate and marking it as trusted.</P><P>&nbsp;</P><P>Regards<BR />Venky</P> Wed, 17 Jul 2019 10:41:03 GMT Venkatesan_radhakrishnan 2019-07-17T10:41:03Z https://live.paloaltonetworks.com/t5/general-topics/decryption-certificate-validation-issue/m-p/276646#M75367 <P>Hi Guys,</P><P>&nbsp;</P><P>I'm experiencing issue where one of the site is not accessible when the decryption profile is enable with no decryption for SSL forward proxy. After disabling the block untrusted issue I'm able to access the&nbsp; site.&nbsp;</P><P>&nbsp;</P><P>I'm facing this issue in PA 850 Platform PANOS 8.1.8. We have upgraded the PANOS from 8.1.7 to 8.1.8.</P><P>Also would like to add the certificate are in default trust certificate store.</P><P>site is <A href="https://www.axa-portal.com" target="_blank">https://www.axa-portal.com</A>, Have anyone experience this behaviour.</P><P>&nbsp;</P><P>Regards</P><P>Venky</P><P>&nbsp;</P> Mon, 15 Jul 2019 17:58:03 GMT https://live.paloaltonetworks.com/t5/general-topics/decryption-certificate-validation-issue/m-p/276646#M75367 Venkatesan_radhakrishnan 2019-07-15T17:58:03Z https://live.paloaltonetworks.com/t5/general-topics/decryption-certificate-validation-issue/m-p/276668#M75369 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/97701">@Venkatesan_radhakrishnan</a>,</P><P>The intermediary cert in that chain is not trusted by default on the firewall; you will need to manually add it and mark it as a trusted certificate to get the website to function with a decryption policy attached.&nbsp;</P> Mon, 15 Jul 2019 20:13:51 GMT https://live.paloaltonetworks.com/t5/general-topics/decryption-certificate-validation-issue/m-p/276668#M75369 BPry 2019-07-15T20:13:51Z https://live.paloaltonetworks.com/t5/general-topics/decryption-certificate-validation-issue/m-p/276720#M75373 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>&nbsp;</P><P>&nbsp;</P><P>Thanks for your reply, I have tried to replicate this issue in my lab. I'm not seeing the same issue.&nbsp;</P><P>&nbsp;</P><P>My lab firewall doesn't have intermediate certificate trusted in default trust store but the website works fine.&nbsp;</P><P>&nbsp;</P><P>Also I'm seeing this error DECRYPT_CERT_VALIDATION only after upgrading from PANOS 8.1.7 to 8.1.8.</P> Tue, 16 Jul 2019 06:01:48 GMT https://live.paloaltonetworks.com/t5/general-topics/decryption-certificate-validation-issue/m-p/276720#M75373 Venkatesan_radhakrishnan 2019-07-16T06:01:48Z https://live.paloaltonetworks.com/t5/general-topics/decryption-certificate-validation-issue/m-p/276998#M75402 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>&nbsp;</P><P>&nbsp;</P><P>Thanks for your help, It works after adding certificate and marking it as trusted.</P><P>&nbsp;</P><P>Regards<BR />Venky</P> Wed, 17 Jul 2019 10:41:03 GMT https://live.paloaltonetworks.com/t5/general-topics/decryption-certificate-validation-issue/m-p/276998#M75402 Venkatesan_radhakrishnan 2019-07-17T10:41:03Z https://live.paloaltonetworks.com/t5/general-topics/decryption-certificate-validation-issue/m-p/277085#M75411 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>&nbsp;</P><P>Is there a better way to proceed than manually adding certs that are missing in the chain?&nbsp; Or is it just kind of stuck the way it is?&nbsp; I'm guessing once these certs expire, you either find out the hard way, or monitor the certs in your store to keep an eye on anything getting close to expiration?</P> Wed, 17 Jul 2019 17:03:23 GMT https://live.paloaltonetworks.com/t5/general-topics/decryption-certificate-validation-issue/m-p/277085#M75411 Sec101 2019-07-17T17:03:23Z https://live.paloaltonetworks.com/t5/general-topics/decryption-certificate-validation-issue/m-p/277086#M75412 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/59122">@Sec101</a>,</P><P>If there is I don't know about it, I believe that you're just kind&nbsp; of&nbsp; stuck managing the cert as you would if you had imported your own. The benefit is that usually the big public Certificate authorities will start using a different intermediarry instead of renewing the cert, so you essentially just have to add the new certificate and then remove any that actually expire.&nbsp;</P> Wed, 17 Jul 2019 17:08:32 GMT https://live.paloaltonetworks.com/t5/general-topics/decryption-certificate-validation-issue/m-p/277086#M75412 BPry 2019-07-17T17:08:32Z https://live.paloaltonetworks.com/t5/general-topics/decryption-certificate-validation-issue/m-p/277088#M75414 <P>Ah. I see.&nbsp; Thank you very much for the insight.&nbsp; Good to know!</P> Wed, 17 Jul 2019 17:12:13 GMT https://live.paloaltonetworks.com/t5/general-topics/decryption-certificate-validation-issue/m-p/277088#M75414 Sec101 2019-07-17T17:12:13Z