https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-issues-macos-big-sur-11-2-3/m-p/406181#M92070 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>&nbsp;this is exactly what I was but in Chrome it shows the Root CA then the Subordinate CA and then the real website cert.&nbsp; The root CA shows "Trusted" when you click on it in the chain.&nbsp; We even imported the Subordinate CA as a test, trusted it, and still no luck.&nbsp; I'm at a loss because in my mind this should just work and does work with Windows 10 machines.</P> Tue, 11 May 2021 18:28:44 GMT mlinsemier 2021-05-11T18:28:44Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-issues-macos-big-sur-11-2-3/m-p/405878#M92051 <P>We have had SSL decryption configured since we deployed Palo Alto firewalls and it works with little issue on our Windows OS platforms. We have a new project to deploy a few MacOS clients as the application development team requires the ability to test Safari browsing of some web apps.&nbsp; Our internal Root CA has been imported into the keychain and set to "Trust Always" however Safari nor Google Chrome are able to successfully browse websites over SSL.&nbsp; We either receive the "weak cipher" popup screen or the "invalid certificate" showing our subordinate as untrusted (even though it is signed by the internal Root CA shown as trusted).&nbsp; If we disable decryption traffic passes as normal so we know that its related to this function.&nbsp; Another issue is that I am not as Mac savvy as I used to be and desktop support knows equal or less than myself (as we just don't have a lot of Macs).&nbsp;&nbsp;</P><P>&nbsp;</P><P>Websites Tested: Google, Engadget, CNN</P><P>Client OS: MacOS BigSur 11.2.3</P><P>PAN-OS: 10.0.5</P><P>Decryption Profile</P><UL><LI>SSL Forward Proxy - Append certificate's CN value to SAN extension, Strip ALPN</LI><LI>SSL Protocol Settings: Min Version: TLS1.0, Max Version: Max</LI></UL><P>&nbsp;</P><P>Tested without stripping ALPN, Tested with TLS1.2 as Max Version, Tested removing Appending the certificates CN, and all no go.&nbsp; Is there some magic client checkbox I'm missing in the MacOS?&nbsp; I feel like its MacOS specific as it works with Windows 10 on thousands of clients.&nbsp; Any help would be greatly appreciated.</P><P>&nbsp;</P><P>-Matt</P> Mon, 10 May 2021 21:55:35 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-issues-macos-big-sur-11-2-3/m-p/405878#M92051 mlinsemier 2021-05-10T21:55:35Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-issues-macos-big-sur-11-2-3/m-p/406091#M92066 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/7143">@mlinsemier</a>,</P> <P>When you are in your browser, do you see the entire chain when you view the certificate or are you seeing&nbsp;<EM>just&nbsp;</EM>your subordinate CA listed? If you aren't seeing the root cert in the chain, macOS isn't going to trust your subordinate CA. Sounds like your decryption certificate doesn't include the full cert chain.&nbsp;</P> Tue, 11 May 2021 14:20:20 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-issues-macos-big-sur-11-2-3/m-p/406091#M92066 BPry 2021-05-11T14:20:20Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-issues-macos-big-sur-11-2-3/m-p/406181#M92070 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>&nbsp;this is exactly what I was but in Chrome it shows the Root CA then the Subordinate CA and then the real website cert.&nbsp; The root CA shows "Trusted" when you click on it in the chain.&nbsp; We even imported the Subordinate CA as a test, trusted it, and still no luck.&nbsp; I'm at a loss because in my mind this should just work and does work with Windows 10 machines.</P> Tue, 11 May 2021 18:28:44 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-issues-macos-big-sur-11-2-3/m-p/406181#M92070 mlinsemier 2021-05-11T18:28:44Z