https://live.paloaltonetworks.com/t5/general-topics/ssl-inspection-fails-even-after-intermediate-ca-imported/m-p/335388#M84521 <P>This is a known issue with the COMODO (now Sectigo) and some RSA certs</P><P>&nbsp;</P><P>Details and work-arounds can be found here:</P><P><A href="https://live.paloaltonetworks.com/t5/general-topics/sectigo-ca-chain-decryption-issues/td-p/330802" target="_blank" rel="noopener">https://live.paloaltonetworks.com/t5/general-topics/sectigo-ca-chain-decryption-issues/td-p/330802</A></P><P>&nbsp;</P><P>Also, I think this may be a "fix" in the latest PANOS: PAN-148068</P><P>&nbsp;</P><TABLE><TBODY><TR><TD><DIV><DIV class="p"><DIV><DIV>PAN-148068</DIV></DIV></DIV></DIV></TD><TD><DIV><DIV class="p"><DIV>Fixed an issue where SSL connections were blocked if you enabled decryption with the option to block sessions that have expired certificates. This issue included servers that sent an expired AddTrust certificate authority (CA) in the certificate chain.</DIV></DIV></DIV></TD></TR></TBODY></TABLE><P>&nbsp;</P><P>&nbsp;</P> Thu, 25 Jun 2020 18:11:01 GMT shawnhafen 2020-06-25T18:11:01Z https://live.paloaltonetworks.com/t5/general-topics/ssl-inspection-fails-even-after-intermediate-ca-imported/m-p/335348#M84520 <P>I have imported the intermediate CA, from 'Sectigo RSA Domain Validation Secure Server CA' and root CA '<SPAN class="info">USERTrust RSA Certification Authority</SPAN>' is already there on firewall default, but still outbound decryption fails.</P><P><A href="https://nvdpl.ca" target="_blank" rel="noopener">https://nvdpl.ca</A></P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/26420i9C3C43B7066EF8A6/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></P><P>&nbsp;</P><DIV class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 691px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/26421iF04FF9746EFE5457/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></P> Thu, 25 Jun 2020 15:54:15 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-inspection-fails-even-after-intermediate-ca-imported/m-p/335348#M84520 raji_toor 2020-06-25T15:54:15Z https://live.paloaltonetworks.com/t5/general-topics/ssl-inspection-fails-even-after-intermediate-ca-imported/m-p/335388#M84521 <P>This is a known issue with the COMODO (now Sectigo) and some RSA certs</P><P>&nbsp;</P><P>Details and work-arounds can be found here:</P><P><A href="https://live.paloaltonetworks.com/t5/general-topics/sectigo-ca-chain-decryption-issues/td-p/330802" target="_blank" rel="noopener">https://live.paloaltonetworks.com/t5/general-topics/sectigo-ca-chain-decryption-issues/td-p/330802</A></P><P>&nbsp;</P><P>Also, I think this may be a "fix" in the latest PANOS: PAN-148068</P><P>&nbsp;</P><TABLE><TBODY><TR><TD><DIV><DIV class="p"><DIV><DIV>PAN-148068</DIV></DIV></DIV></DIV></TD><TD><DIV><DIV class="p"><DIV>Fixed an issue where SSL connections were blocked if you enabled decryption with the option to block sessions that have expired certificates. This issue included servers that sent an expired AddTrust certificate authority (CA) in the certificate chain.</DIV></DIV></DIV></TD></TR></TBODY></TABLE><P>&nbsp;</P><P>&nbsp;</P> Thu, 25 Jun 2020 18:11:01 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-inspection-fails-even-after-intermediate-ca-imported/m-p/335388#M84521 shawnhafen 2020-06-25T18:11:01Z