AddTrust External CA Root Expired and Impacts Decrypted Traffic
AddTrust External CA Root expired on May 30th, 2020. As a result, end users behind a firewall with a Decryption Profile configured to block sessions with expired certificates will be presented with a certificate error block page whenever the certificate chain they receive from a server includes the expired CA certificate.
Decryption Profile showing Block Sessions with Expired Certificates enabled
Expired Certificate Error
Here are two provisional solutions.
Solution 1 – Use Predefined URL Categories
This solution uses predefined URL Categories and requires minimal configuration changes. Security Policy ensures that your users remain safe if they visit any malicious websites, and Decryption Policy is configured to selectively ignore the presence of expired CA certificates when accessing certain URL categories, allowing users to access these websites temporarily and helping your business functions resume quickly.
Palo Alto Networks recommends that you block access to risky URL categories in your Security Policies as outlined in our URL Filtering best practices, irrespective of the status of the certificates presented by these websites. This key measure significantly reduces the attack surface and prevents users from visiting known-malicious or high-risk URL categories. Note that these controls apply independently of the expired-certificate check in the Decryption Policy and keep users safe as they browse the internet.
Some websites that may be deemed to be business sensitive and are allowed by your Security Policy may use certificates that chain up to this expired root CA. Such websites would be impacted by the application of a Decryption Policy check for expired certificates. To mitigate this, you have the option to configure the Decryption Profile to ignore expired certificates and apply this profile only to predefined URL categories that are deemed necessary for your business.
Solution 2 – Use Custom URL Categories
This solution is focused on a custom URL Category whose constituent domains are defined by you (as dictated by user reports or by business needs) and can be updated by your IT or helpdesk staff. Decryption Policy is configured to ignore the presence of expired CA certificates when accessing domains on this list in the interim.
1. Clone the existing Decryption Profile that has ‘Block sessions with expired certificates’ enabled in the web interface by navigating to Objects > Decryption > Decryption Profile.
2. For the newly cloned Decryption Profile, disable ‘Block sessions with expired certificates’ in two locations.
3. Create a custom URL category under Objects > Custom Objects > URL Category and include all the domains that, based on end-user reports, have a valid trust chain but still present the expired CA certificate.
4. Create a new Decryption Policy for the custom URL category created in Step 3 and set the action to decrypt, selecting the Decryption Profile cloned in Step 1.
5. Move the Decryption Policy created in Step 4 to the top, or at least above the current Decryption Policy that blocks sessions with expired certificates. Once this configuration is committed, further changes can be restricted to updates of the custom URL Category, and the scope of the commit operations can be constrained to the URL Category modifications or to the administrators who will be updating the list.
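The following is an added example, not part of the original article or of any Palo Alto Networks code. It models, with the Python standard library only, why a site with a perfectly valid trust chain still trips the ‘Block sessions with expired certificates’ check: the server sends the USERTrust RSA intermediate cross-signed by the expired AddTrust root, a modern trust store builds its path to the USERTrust root and never needs that cross-sign, but the profile check looks at every certificate the server presented. It then shows the effect of the Step 4 rule: hosts in the custom URL category get the relaxed profile, everything else keeps blocking. Certificates are plain (subject, issuer, notAfter) records rather than real X.509 objects; the AddTrust expiry date is the one stated in the article, all other dates and the host names are constructed placeholders, and the URL-category matching is a simplification, not PAN-OS's URL-matching rules.

```python
"""Why a valid chain still hits 'Block sessions with expired certificates'.

Added example, not the article's or PAN-OS's code. Certificates are modelled
as (subject, issuer, notAfter) records so the script runs offline.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: date  # last day of validity

    def is_expired(self, today: date) -> bool:
        return today > self.not_after


# Expiry date from the article; every other date/name below is a constructed placeholder.
ADDTRUST_EXPIRY = date(2020, 5, 30)

LEAF = Cert("www.example.com", "Sectigo RSA DV CA", date(2021, 1, 1))
INTERMED = Cert("Sectigo RSA DV CA", "USERTrust RSA CA", date(2030, 1, 1))
CROSS_SIGN = Cert("USERTrust RSA CA", "AddTrust External CA Root", ADDTRUST_EXPIRY)
PRESENTED_CHAIN = [LEAF, INTERMED, CROSS_SIGN]  # what the server actually sends

ADDTRUST_ROOT = Cert("AddTrust External CA Root", "AddTrust External CA Root", ADDTRUST_EXPIRY)
USERTRUST_ROOT = Cert("USERTrust RSA CA", "USERTrust RSA CA", date(2038, 1, 18))
LEGACY_STORE = {ADDTRUST_ROOT.subject: ADDTRUST_ROOT}   # only knows the old root
MODERN_STORE = {USERTRUST_ROOT.subject: USERTRUST_ROOT}  # trusts USERTrust directly


def expired_in_presented_chain(chain: Sequence[Cert], today: date) -> List[Cert]:
    """Every presented certificate past its notAfter. This is what the profile
    check reacts to: it inspects what was sent, not only the path it would use."""
    return [c for c in chain if c.is_expired(today)]


def build_path(chain: Sequence[Cert], store: Dict[str, Cert], today: date) -> Optional[List[Cert]]:
    """Walk from the leaf towards a trust anchor and stop at the first certificate
    whose issuer is in the store. Certificates beyond that point (such as the
    AddTrust cross-sign) are ignored, so a modern store validates the chain even
    though an expired certificate was sent. Returns the path incl. anchor, or None."""
    by_subject = {c.subject: c for c in chain}
    path: List[Cert] = []
    current = chain[0]
    while True:
        if current.is_expired(today):
            return None
        path.append(current)
        anchor = store.get(current.issuer)
        if anchor is not None:
            return None if anchor.is_expired(today) else path + [anchor]
        nxt = by_subject.get(current.issuer)
        if nxt is None or nxt in path:  # dangling issuer, or a loop/self-signed untrusted cert
            return None
        current = nxt


def in_custom_category(host: str, domains: Sequence[str]) -> bool:
    """Simplified matching for the custom URL category: exact host, or any
    subdomain when the entry is written as '*.example.com'."""
    host = host.lower()
    for entry in (d.lower() for d in domains):
        if entry.startswith("*."):
            if host == entry[2:] or host.endswith(entry[1:]):
                return True
        elif host == entry:
            return True
    return False


def decryption_verdict(host: str, chain: Sequence[Cert], store: Dict[str, Cert], today: date,
                       block_expired: bool, exempt_domains: Sequence[str] = ()) -> Tuple[str, str]:
    """Mimic the rule order from the article: hosts in the custom category hit the
    cloned profile (expired-certificate check off); all others keep the strict one."""
    if build_path(chain, store, today) is None:
        return ("block", "no valid path to a trusted root")
    expired = expired_in_presented_chain(chain, today)
    if expired and block_expired and not in_custom_category(host, exempt_domains):
        return ("block", "expired certificate in presented chain: " + expired[0].subject)
    return ("allow", "decrypted")


if __name__ == "__main__":
    today = date(2020, 6, 1)
    print("legacy store path:", build_path(PRESENTED_CHAIN, LEGACY_STORE, today))
    print("modern store path:", [c.subject for c in build_path(PRESENTED_CHAIN, MODERN_STORE, today)])
    print("strict profile:", decryption_verdict("www.example.com", PRESENTED_CHAIN, MODERN_STORE, today, True))
    print("custom category:", decryption_verdict("www.example.com", PRESENTED_CHAIN, MODERN_STORE, today, True,
                                                 exempt_domains=("*.example.com",)))
```

Run as-is to see the four cases side by side: the legacy store fails outright after May 30th, the modern store validates without the cross-sign, the strict profile still blocks because the cross-sign was presented, and the custom-category rule lets the same session through while every other host keeps the strict behaviour.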