new CA Sectigo(formerly Comodo) not trusted

Announcements

ATTENTION Customers, All Partners and Employees: The Customer Support Portal (CSP) will be undergoing maintenance and unavailable on Saturday, November 7, 2020, from 11 am to 11 pm PST. Please read our blog for more information.

Reply
Highlighted
L2 Linker

new CA Sectigo(formerly Comodo) not trusted

Hello. 

We are having a minor issues on one of our customer firewalls performing decryption. 

it seems certain sites. that have a certificate issued by sectigo. 
chain

root: Sectigo

intermediate: Sectigo RSA Domain Validation Secure Server CA

site certificate.

 

I believe the root cause of this is the fact that this CA used to be called Comodo( for which there are default trusted certificates in the palo) has been renamed to Sectigo. and I believe new certificates are issued under the new name. 

This got me wondering: how does palo alto determine the Trusted CA list, how often is it updated and how is this new list pushed to the palo alto( as there is no way to force an update I assume it is only updated when upgrading ot a later hotfix or version?)


I'm testing if this is indeed the root cause however I suspect it is. 

users having the issue with the site receive a page stating: 

issuer: Sectigo RSA Domain Validation Secure Server CA

status: untrusted

reason: <blanc>

 

and as a best practice we have the option to block untrusted certificates of course. 

 

Highlighted
L0 Member

hello, 

 

for a temp fix, I've disabled affected sites using a no-decrypt policy, but we are also experiencing the same issue. 

Highlighted
L2 Linker

uploading them and defining them as trusted root ca(checkbox) also works. 

however it's a bit ugly as that certificate is not placed under default trusted root ca. but just under the regular certificates.

I just checked on a device running latest patch of 8.1(8.1.11) sectigo is also not known as trusted on that device. 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!