DigiCert High Assurance EV Root CA Intermediate Certificate

Created On 09/25/18 19:49 PM - Last Modified 07/19/22 23:07 PM


Symptom



When decryption is enabled on the Palo Alto Networks firewall, the end user might be presented with a forward untrust certificate from the firewall. Normally, we'd expect the firewall to present the forward trust certificate when the end server being accessed uses the DigiCert High Assurance EV Root CA intermediate certificate.

 

Diagnosis

Use the links Test tool 1 and Test tool 2 to check whether the intermediate DigiCert High Assurance EV Root CA is supported by your browser. The Palo Alto Networks firewall should present the forward trust certificate to the end user for these test tools.



Resolution


Security Certificate Errors

DigiCert SSL certificates expiring after January 2011 are issued from a 2048-bit certificate path. The Root Certificate in this path is titled "DigiCert High Assurance EV Root CA" and is already trusted by all modern browsers (Internet Explorer, Firefox, Safari, Opera, Chrome, etc.).

 

To maintain widespread compatibility with older browsers and some mobile devices, DigiCert provides a Cross-Signed Intermediate Certificate which enables legacy devices to follow the intermediate certificate chain to the "Entrust.net Secure Server Certification Authority" Root Certificate. This Cross-Signed certificate appears in your Intermediate Certification Authorities certificates store in Windows. Its Subject is "DigiCert High Assurance EV Root CA" and its Issuer is "Entrust.net Secure Server Certification Authority."

 

  • Update the end user's browser.
  • Check whether there is any difference between the intermediate DigiCert High Assurance EV Root CA certificate presented by the server/website and the same certificate present under Device > Certificate Management > Certificates > Default Trusted Certificate Authorities.
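
The comparison in the second step is best done on certificate fingerprints rather than on names, because the cross-signed intermediate and the root share the same Subject. The following is an added example, not Palo Alto Networks code: it assumes both the chain presented by the server and the certificate exported from the firewall are available as PEM text, and the function names and sample bytes are constructed for illustration.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL
)

def fingerprints(pem_text):
    """Return the SHA-256 fingerprint of every certificate in a PEM bundle."""
    result = []
    for body in PEM_RE.findall(pem_text):
        # Drop line wraps and CR/LF so only the DER bytes are hashed.
        der = base64.b64decode("".join(body.split()), validate=True)
        result.append(hashlib.sha256(der).hexdigest())
    return result

def missing_from_store(server_chain_pem, store_pem):
    """Fingerprints the server presents that the firewall store lacks."""
    trusted = set(fingerprints(store_pem))
    return [fp for fp in fingerprints(server_chain_pem) if fp not in trusted]

def _pem(der, width=64, eol="\n"):
    # Helper for the constructed samples: wrap bytes as a PEM block.
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return eol.join(["-----BEGIN CERTIFICATE-----", *lines,
                     "-----END CERTIFICATE-----"]) + eol

# Constructed placeholder bytes, NOT real certificates: they stand in for
# the DER of two certificates that share a Subject but differ in Issuer.
ROOT_VARIANT = b"constructed-sample: self-signed variant " * 4
CROSS_SIGNED_VARIANT = b"constructed-sample: cross-signed variant " * 4

SERVER_CHAIN = _pem(CROSS_SIGNED_VARIANT)                       # from the website
STORE_SAME = _pem(CROSS_SIGNED_VARIANT, width=76, eol="\r\n")   # same cert, re-wrapped
STORE_OTHER = _pem(ROOT_VARIANT)                                # same name, other cert

if __name__ == "__main__":
    print("same cert, different wrapping:",
          missing_from_store(SERVER_CHAIN, STORE_SAME))
    print("same name, different cert:   ",
          missing_from_store(SERVER_CHAIN, STORE_OTHER))
```

An empty result means every certificate the server presents is byte-identical to one in the firewall's list; any fingerprint returned is a certificate that differs, even if its name matches.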
