This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

PAN and intermediate CAs

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

PAN and intermediate CAs

santonic
L6 Presenter

‎10-27-2022 04:29 AM

Last couple of days I've had quite a few cases where I had to manually add intermediate CAs as a Trusted Root CA in order for decryption to work (for customers blocking untrusted CAs already on firewall).

 

These are quite well known intermediate CAs like: 

DigiCert TLS RSA SHA256 2020 CA1

GeoTrust RSA CA 2018

Entrust Certification Authority - L1K

Entrust Certification Authority - L1M

GEANT OV RSA CA 4

 

How come PAN's trusted Root CA list is lacking so many? How is it updated? Via content updates? I have content updates schduled daily.

Anyone else having issues with this? I know there was only some to add in the past. But last couple of days I really had many to add at different customers.

SSL Decryption 

 

 

SSL Decryption
Thumbnail of SSL Decryption
Palo Alto Networks
SSL Decryption
Network Security
View on Product Page
1 person had this problem.
0 Likes Likes
2 REPLIES 2

JayGolf
Community Team Member

‎11-02-2022 12:41 AM

Hi @santonic ,

 

I found this regarding int-CAs "the firewall does not trust intermediate CAs by default because intermediate CAs are not a part of the chain of trust between the firewall and the trusted root CA. You must manually add any intermediate CAs that you want the firewall to trust, along with any additional trusted enterprise CAs that your organization requires" from Manage Default Trusted Certificate Authorities.

 
LIVEcommunity team member
Stay Secure,
Jay
Don't forget to Like items if a post is helpful to you!

Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

santonic
L6 Presenter

‎11-02-2022 01:43 AM - edited ‎11-02-2022 02:31 AM

Hey @JayGolf  

Thank you for reply and useful info. But it still seems a bit strange; almost every (if not every) website is signed by intermediate CA. After implementing and testing decryption (with certificate checks on PA) everything worked without adding any intermediate CAs. So are some intermediate CAs already included as Trusted CAs? Of course we didn't try every possible website but we didn't notice any issues then on websites we tried.

Then last week there were suddenly lots of cases of having to import Intermediate CAs.

 

And let's take for example google.com. It's signed by intermediate CA "GTS CA 1C3" which i never manually imported and is not among Default Trusted CAs. But i'm pretty sure the customer can access it otherwise they would report it ages ago.

 

So what is the actual story with trust for Intermediate CAs?

0 Likes Likes
  • 1602 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks