Decryption certificate validation issue


Hi Guys,


I'm experiencing an issue where one of the sites is not accessible when the decryption profile is enabled with no-decryption for SSL forward proxy. After disabling "block untrusted issuer" I'm able to access the site.


I'm facing this issue on a PA-850 platform running PAN-OS 8.1.8. We have upgraded PAN-OS from 8.1.7 to 8.1.8.

I would also like to add that the certificates are in the default trusted certificate store.

The site is https://www.axa-portal.com. Has anyone experienced this behaviour?


Regards

Venky


L7 Applicator

Re: Decryption certificate validation issue

@Venkatesan_radhakrishnan,

The intermediary cert in that chain is not trusted by default on the firewall; you will need to manually add it and mark it as a trusted certificate to get the website to function with a decryption policy attached. 

Re: Decryption certificate validation issue

Hi @BPry 


Thanks for your reply. I have tried to replicate this issue in my lab, and I'm not seeing the same issue.


My lab firewall doesn't have the intermediate certificate trusted in the default trust store, but the website works fine.


Also, I'm seeing this error, DECRYPT_CERT_VALIDATION, only after upgrading from PAN-OS 8.1.7 to 8.1.8.

Re: Decryption certificate validation issue

Hi @BPry 


Thanks for your help. It works after adding the certificate and marking it as trusted.


Regards
Venky

L4 Transporter

Re: Decryption certificate validation issue

@BPry 

Is there a better way to proceed than manually adding certs that are missing in the chain?  Or is it just kind of stuck the way it is?  I'm guessing once these certs expire, you either find out the hard way, or monitor the certs in your store to keep an eye on anything getting close to expiration?

L7 Applicator

Re: Decryption certificate validation issue

@Sec101,

If there is, I don't know about it; I believe that you're just kind of stuck managing the cert as you would if you had imported your own. The benefit is that usually the big public certificate authorities will start using a different intermediary instead of renewing the cert, so you essentially just have to add the new certificate and then remove any that actually expire.

L4 Transporter

Re: Decryption certificate validation issue

Ah. I see.  Thank you very much for the insight.  Good to know!
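As an added illustration, not code from the thread or from Palo Alto Networks, the Go program below builds a constructed root / intermediate / site-leaf chain and runs standard X.509 chain validation in each of the situations discussed above: root trusted and intermediate presented by the server, root trusted but intermediate missing, intermediate presented but the issuing root absent from the store, and finally the workaround @BPry describes (the intermediate itself imported and marked trusted). It then lists store certificates nearing expiry, which is the monitoring question @Sec101 raises. The CA names, the hostname `www.example.test` and the certificate lifetimes are all constructed for the example; the firewall's own validation code is not reproduced here, only the same chain-building rules as implemented by Go's `crypto/x509`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed hostname standing in for the site discussed in the thread.
const siteName = "www.example.test"

// issue creates a certificate for cn signed by parent; when parent is nil the
// certificate is self-signed (a root). Names and lifetimes are constructed.
func issue(cn string, isCA bool, notAfter time.Time, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              notAfter,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		// Leaf: bind it to the hostname and to server authentication.
		tmpl.DNSNames = []string{siteName}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

type pki struct{ root, inter, leaf *x509.Certificate }

// buildPKI constructs a three-tier chain: root -> intermediate -> site leaf.
// The intermediate gets a short remaining lifetime so the expiry check has something to flag.
func buildPKI() pki {
	now := time.Now()
	root, rootKey := issue("Example Root CA (constructed)", true, now.AddDate(5, 0, 0), nil, nil)
	inter, interKey := issue("Example Intermediate CA (constructed)", true, now.AddDate(0, 0, 20), root, rootKey)
	leaf, _ := issue(siteName, false, now.AddDate(0, 0, 15), inter, interKey)
	return pki{root: root, inter: inter, leaf: leaf}
}

func certs(cs ...*x509.Certificate) []*x509.Certificate { return cs }

// verifyChain models the forward-proxy check: trusted is the device's trust store,
// presented is whatever the server sent alongside the leaf in the handshake.
// An empty trusted pool is deliberately empty (no fallback to system roots).
func verifyChain(leaf *x509.Certificate, trusted, presented []*x509.Certificate) error {
	roots := x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	inters := x509.NewCertPool()
	for _, c := range presented {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: siteName})
	return err
}

// expiringWithin lists trust-store certificates whose NotAfter falls within d of now,
// the kind of check a store monitor would run so an imported intermediate's expiry is
// noticed before sessions start failing.
func expiringWithin(store []*x509.Certificate, now time.Time, d time.Duration) []string {
	var out []string
	for _, c := range store {
		if c.NotAfter.Before(now.Add(d)) {
			out = append(out, c.Subject.CommonName)
		}
	}
	return out
}

func main() {
	p := buildPKI()
	cases := []struct {
		name               string
		trusted, presented []*x509.Certificate
	}{
		{"root trusted, server sends intermediate", certs(p.root), certs(p.inter)},
		{"root trusted, server omits intermediate", certs(p.root), nil},
		{"root not in store, server sends intermediate", nil, certs(p.inter)},
		{"intermediate imported and marked trusted", certs(p.inter), nil},
	}
	for _, c := range cases {
		fmt.Printf("%-46s -> %v\n", c.name, verifyChain(p.leaf, c.trusted, c.presented))
	}
	fmt.Println("expiring within 30 days:", expiringWithin(certs(p.root, p.inter), time.Now(), 30*24*time.Hour))
}
```

The second and third cases are the two ways a chain ends up "untrusted": the server does not send its intermediate, or the intermediate's issuing root is simply not in the store. The last case shows why importing the intermediate and marking it trusted works even without the root, and also why that imported certificate then needs its own expiry tracking.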
