AddTrust External CA Root Expired

Community Team Member


AddTrust External CA Root Expired and Impacts Decrypted Traffic

 

AddTrust External CA Root expired on May 30th, 2020. As a result, end users whose Decryption Profile is configured to block sessions with expired certificates are presented with a certificate error block page when the expired CA certificate appears in a server's certificate chain.

Decryption Profile showing Block Sessions with Expired Certificates enabled

Expired Certificate Error

Here are two provisional solutions.


Solution 1 – Use Predefined URL Categories

This solution uses predefined URL Categories and requires minimal configuration changes. Security Policy keeps your users safe if they visit malicious websites, while Decryption Policy is configured to selectively ignore expired CA certificates for certain URL categories, so users can access these websites temporarily and your business functions resume quickly.


Step 1

Palo Alto Networks recommends that you block access to risky URL categories in your Security Policies, as outlined in our URL Filtering best practices, irrespective of the status of the certificates these websites present. This key measure significantly reduces the attack surface and prevents users from visiting known-malicious or high-risk URL categories. Note that these controls apply independently of the expired-certificate check in Decryption Policy and keep users safe as they browse the internet.

Read more about Transition URL Filtering Profiles Safely to Best Practices.


Step 2

Some websites that are deemed business sensitive and are allowed by your Security Policy may use certificates that chain up to this expired root CA. Such websites are impacted when Decryption Policy enforces the expired-certificate check. To mitigate this, you can configure a Decryption Profile that ignores expired certificates and apply it only to the predefined URL categories your business requires.

Solution 2 – Use Custom URL Categories

This solution uses a custom URL Category whose constituent domains are defined by you (as dictated by user reports or business needs) and can be updated by your IT or helpdesk staff. Decryption Policy is configured to ignore expired CA certificates for the domains on this list in the interim.


Step 1

Clone the existing Decryption Profile that has ‘Block sessions with expired certificates’ enabled in the web interface by navigating to Objects > Decryption > Decryption Profile.


Step 2

For the newly cloned Decryption Profile, disable ‘Block sessions with expired certificates’ in two locations:

  1. Decryption Profile > SSL Decryption > SSL Forward Proxy tab
  2. Decryption Profile > No Decryption tab

Decryption Profile > SSL Decryption > SSL Forward Proxy tab

Decryption Profile > No Decryption

Step 3

Create a custom URL category under Objects > Custom Objects > URL Category and include all the domains that have a valid trust chain but still present the expired CA certificate, based on end-user reports.


Step 4

Create a new Decryption Policy that matches the custom URL category created in Step 3, set the action to Decrypt, and select the Decryption Profile cloned in Step 1 (and modified in Step 2).


Step 5

Move the Decryption Policy created in Step 4 above the current Decryption Policy that blocks sessions with expired certificates. Once this configuration is committed, further changes can be restricted to updates of the custom URL Category, and the scope of commit operations can be constrained to those URL Category modifications or to the administrators who maintain the list.
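To make the ordering point in Step 5 concrete, here is an added Python model (not Palo Alto Networks code) of first-match Decryption Policy evaluation against a constructed chain that still carries the expired root; the profile and policy names, the category name and the domains are assumptions, and the chain mimics the `notAfter` format returned by `ssl.getpeercert()`.

```python
# Added example (not Palo Alto Networks code): models first-match Decryption Policy evaluation.
import ssl
from dataclasses import dataclass
# notAfter uses the format ssl.getpeercert() returns. Leaf and issuing CA are
# constructed; the root's value is the real AddTrust External CA Root expiry.
ADDTRUST_CHAIN = [
    {"subject": "CN=vendor-portal.test", "notAfter": "Jan 15 12:00:00 2021 GMT"},
    {"subject": "CN=Example Issuing CA", "notAfter": "Dec 31 23:59:59 2028 GMT"},
    {"subject": "CN=AddTrust External CA Root", "notAfter": "May 30 10:48:38 2020 GMT"},
]

@dataclass
class DecryptionProfile:
    name: str
    block_expired_certs: bool  # "Block sessions with expired certificates"

@dataclass
class DecryptionPolicy:
    name: str
    url_categories: set  # URL categories (predefined or custom) the rule matches
    action: str          # "decrypt" or "no-decrypt"
    profile: DecryptionProfile

DEFAULT_PROFILE = DecryptionProfile("default", block_expired_certs=True)
CLONED_PROFILE = DecryptionProfile("default-clone", block_expired_certs=False)  # Steps 1-2
CUSTOM_CATEGORY = {"vendor-portal.test"}  # Step 3: constructed list of reported domains

def categorize(domain):
    """Map a domain to the URL categories a rule can match; 'any' matches every domain."""
    return {"any", "addtrust-impacted"} if domain in CUSTOM_CATEGORY else {"any"}

def build_rulebase(exception_on_top=True):
    exception = DecryptionPolicy("addtrust-exception", {"addtrust-impacted"}, "decrypt", CLONED_PROFILE)  # Step 4
    general = DecryptionPolicy("decrypt-all", {"any"}, "decrypt", DEFAULT_PROFILE)
    return [exception, general] if exception_on_top else [general, exception]  # Step 5: order matters

def expired_certs(chain, now):
    """Subjects in the presented chain whose notAfter lies before `now` (same GMT string format)."""
    now_s = ssl.cert_time_to_seconds(now)
    return [c["subject"] for c in chain if ssl.cert_time_to_seconds(c["notAfter"]) < now_s]

def evaluate(domain, chain, policies, now):
    """First match from the top wins; the expired check is a profile setting, so it applies to any action."""
    cats = categorize(domain)
    for pol in policies:
        if pol.url_categories & cats:
            expired = expired_certs(chain, now)
            if pol.profile.block_expired_certs and expired:
                return pol.name, "block", expired
            return pol.name, pol.action, expired
    return None, "no-decrypt", []  # nothing matched: session passes through undecrypted
```

With the exception rule on top, only the listed domain is decrypted despite the expired root; placing it below the general rule, or visiting a domain outside the custom category, still yields a block.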

Check out the customer advisory for full details about this issue.

NOTE: Please login with your customer account to access the customer advisory area on LIVEcommunity.

Thanks for taking time to read the blog.

If you enjoyed this, please hit the Like (thumbs up) button, and don't forget to subscribe to the LIVEcommunity Blog.

Stay Secure,
Kiwi out!

Comments
Cyber Elite

Hi @kiwi

Are there plans to implement a solution in PAN-OS regarding this issue? (I know it's not a PAN-OS issue, but in the OS the firewall would be able to solve the fault of many webserver admins)

Community Team Member

Hi @vsys_remo ,

I'd recommend checking the Customer Advisory page regularly, as the advisory page is expected to be updated as software solutions are solidified.

On the same topic, GP connectivity can also be impacted in case GP certificates used in Portal and Gateway configuration are signed by the expired AddTrust CA. Here's the KB article for the same; please find the link below:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g0000008UHM

Hope this is useful.
