Decryption certificate validation issue


Hi Guys,

 

I'm experiencing an issue where one site is not accessible when the decryption profile is enabled with no decryption for SSL forward proxy. After disabling "block untrusted issuer" I'm able to access the site.

I'm facing this issue on the PA-850 platform with PAN-OS 8.1.8. We have upgraded PAN-OS from 8.1.7 to 8.1.8.

I would also like to add that the certificates are in the default trusted certificate store.

The site is https://www.axa-portal.com. Has anyone experienced this behaviour?

 

Regards

Venky

 

Accepted Solutions
@Venkatesan_radhakrishnan,

The intermediary cert in that chain is not trusted by default on the firewall; you will need to manually add it and mark it as a trusted certificate to get the website to function with a decryption policy attached. 


Hi @BPry 

 

Thanks for your reply. I have tried to replicate this issue in my lab, and I'm not seeing the same issue.

My lab firewall doesn't have the intermediate certificate trusted in the default trust store, but the website works fine.

Also, I'm seeing this error, DECRYPT_CERT_VALIDATION, only after upgrading from PAN-OS 8.1.7 to 8.1.8.

Hi @BPry 

 

Thanks for your help. It works after adding the certificate and marking it as trusted.

 

Regards
Venky

@BPry 

Is there a better way to proceed than manually adding certs that are missing in the chain? Or is it just kind of stuck the way it is? I'm guessing once these certs expire, you either find out the hard way, or monitor the certs in your store to keep an eye on anything getting close to expiration?

@Sec101,

If there is, I don't know about it. I believe that you're just kind of stuck managing the cert as you would if you had imported your own. The benefit is that usually the big public certificate authorities will start using a different intermediary instead of renewing the cert, so you essentially just have to add the new certificate and then remove any that actually expire.

Ah. I see.  Thank you very much for the insight.  Good to know!
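To make the mechanism behind the accepted answer and the expiry question in the last exchange concrete, here is an added example in Go. It is not from this thread, from Palo Alto Networks, or from any PAN-OS code. It builds a constructed root / intermediate / leaf hierarchy (the names "Example Root CA", "Example Intermediate CA" and "www.example.test" are assumptions, not the real site's chain) and models the forward-proxy check with Go's crypto/x509: with only the root in the trust store and no intermediate available, the leaf fails with an unknown-authority error; once the intermediate is supplied, whether sent by the server or imported as trusted, the same leaf validates; and DaysUntilExpiry gives the number to alert on for each imported intermediate. Treating the firewall's validation as equivalent to crypto/x509 chain building is an approximation, not a statement about how PAN-OS implements it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Chain is a constructed Root -> Intermediate -> Leaf hierarchy (assumed names, not the real site's chain).
type Chain struct {
	Root, Intermediate, Leaf *x509.Certificate
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// issue signs template with the parent's key (self-signed when parent == template).
func issue(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, template, parent, pub, signer))))
}

func caTemplate(serial int64, cn string, notBefore, notAfter time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
}

// BuildChain creates the hierarchy; interNotAfter lets a caller simulate an intermediate near or past expiry.
func BuildChain(now, interNotAfter time.Time) Chain {
	rootKey, interKey, leafKey := newKey(), newKey(), newKey()
	start := now.Add(-time.Hour)
	rootTmpl := caTemplate(1, "Example Root CA", start, now.Add(10*365*24*time.Hour))
	root := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	inter := issue(caTemplate(2, "Example Intermediate CA", start, interNotAfter), root, &interKey.PublicKey, rootKey)
	leaf := issue(&x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "www.example.test"},
		DNSNames:     []string{"www.example.test"},
		NotBefore:    start,
		NotAfter:     now.Add(90 * 24 * time.Hour),
	}, inter, &leafKey.PublicKey, interKey)
	return Chain{Root: root, Intermediate: inter, Leaf: leaf}
}

// Verify models the forward-proxy check: only the root is in the trust store; intermediates come from
// what the server presented plus anything an admin imported and marked trusted. nil means the chain validated.
func Verify(c Chain, presented, imported []*x509.Certificate, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(c.Root)
	inters := x509.NewCertPool()
	for _, cert := range append(presented, imported...) {
		inters.AddCert(cert)
	}
	_, err := c.Leaf.Verify(x509.VerifyOptions{
		DNSName:       "www.example.test",
		Roots:         roots,
		Intermediates: inters,
		CurrentTime:   now,
	})
	return err
}

// IsUnknownAuthority reports the "no path to a trusted root" failure, the case the
// accepted answer fixes by importing the intermediate.
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

// DaysUntilExpiry is the number to alert on for each imported intermediate.
func DaysUntilExpiry(cert *x509.Certificate, now time.Time) int {
	return int(cert.NotAfter.Sub(now).Hours() / 24)
}

func main() {
	now := time.Now().UTC().Truncate(time.Second) // X.509 validity has second precision
	c := BuildChain(now, now.Add(20*24*time.Hour))
	fmt.Println("server sends leaf only:", Verify(c, nil, nil, now))
	fmt.Println("intermediate imported as trusted:", Verify(c, nil, []*x509.Certificate{c.Intermediate}, now))
	fmt.Printf("imported intermediate expires in %d days\n", DaysUntilExpiry(c.Intermediate, now))
}
```

Run it with go run. Calling Verify with an intermediate whose NotAfter is already past also fails, and crypto/x509 reports that as an unknown-authority error whose message names the rejected candidate, which is why an imported intermediate has to be watched: once it expires, the chain breaks exactly as it did when the intermediate was missing.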
