10-27-2022 04:29 AM
Over the last couple of days I've had quite a few cases where I had to manually add intermediate CAs as Trusted Root CAs in order for decryption to work (for customers already blocking untrusted CAs on the firewall).
These are quite well known intermediate CAs like:
DigiCert TLS RSA SHA256 2020 CA1
GeoTrust RSA CA 2018
Entrust Certification Authority - L1K
Entrust Certification Authority - L1M
GEANT OV RSA CA 4
How come PAN's trusted Root CA list is lacking so many? How is it updated? Via content updates? I have content updates scheduled daily.
Anyone else having issues with this? I know there were only some to add in the past, but over the last couple of days I really had many to add at different customers.
11-02-2022 12:41 AM
Hi @santonic ,
I found this regarding intermediate CAs in Manage Default Trusted Certificate Authorities: "the firewall does not trust intermediate CAs by default because intermediate CAs are not a part of the chain of trust between the firewall and the trusted root CA. You must manually add any intermediate CAs that you want the firewall to trust, along with any additional trusted enterprise CAs that your organization requires".
11-02-2022 01:43 AM - edited 11-02-2022 02:31 AM
Thank you for the reply and the useful info. But it still seems a bit strange; almost every (if not every) website is signed by an intermediate CA. After implementing and testing decryption (with certificate checks on the PA), everything worked without adding any intermediate CAs. So are some intermediate CAs already included as Trusted CAs? Of course we didn't try every possible website, but we didn't notice any issues then on the websites we tried.
Then last week there were suddenly lots of cases of having to import Intermediate CAs.
And let's take google.com for example. It's signed by the intermediate CA "GTS CA 1C3", which I never manually imported and which is not among the Default Trusted CAs. But I'm pretty sure the customer can access it, otherwise they would have reported it ages ago.
So what is the actual story with trust for Intermediate CAs?
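A small added illustration (not from this thread or from Palo Alto Networks) of why a site like google.com can decrypt fine while another site needs its intermediate imported: the firewall can only build a path from the certificates the server actually presents plus its own trusted CA list. The certificate model is a constructed stand-in with no real signature checks, the "no fetching of missing intermediates" behaviour is an assumption, and the root names and issuer relationships in the sample data are assumptions for this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed, simplified model of X.509 path building: a certificate is just a
# subject name plus the name of its issuer. No signatures or validity dates are
# checked; the point is which certificates are available when the path is built.
@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

def find_trust_path(leaf: Cert, server_chain: List[Cert], trust_store: Set[Cert]) -> Optional[List[Cert]]:
    # Walk from the leaf towards a certificate in the trust store.
    # Assumption: the firewall locates each issuer only among the certificates the
    # server presented and its own trusted CA list; missing intermediates are not
    # fetched over the network. Returns the path on success, None when it breaks.
    by_subject = {c.subject: c for c in server_chain}
    by_subject.update({c.subject: c for c in trust_store})  # trusted copy wins
    path, seen, current = [leaf], {leaf.subject}, leaf
    while current not in trust_store:
        issuer = by_subject.get(current.issuer)
        if issuer is None or issuer.subject in seen:  # gap in the chain, or a loop
            return None
        path.append(issuer)
        seen.add(issuer.subject)
        current = issuer
    return path

# Constructed sample data using CA names from the thread; the root names and the
# issuer relationships are assumptions for this example.
GTS_ROOT_R1 = Cert("GTS Root R1", "GTS Root R1")
GTS_CA_1C3 = Cert("GTS CA 1C3", "GTS Root R1")
GOOGLE_LEAF = Cert("*.google.com", "GTS CA 1C3")
DIGICERT_ROOT = Cert("DigiCert Global Root CA", "DigiCert Global Root CA")
DIGICERT_ICA = Cert("DigiCert TLS RSA SHA256 2020 CA1", "DigiCert Global Root CA")
SITE_LEAF = Cert("www.example.test", "DigiCert TLS RSA SHA256 2020 CA1")
DEFAULT_TRUSTED = {GTS_ROOT_R1, DIGICERT_ROOT}  # roots only, no intermediates

def google_sends_intermediate() -> Optional[List[Cert]]:
    # Server presents leaf + intermediate: the path reaches a trusted root.
    return find_trust_path(GOOGLE_LEAF, [GOOGLE_LEAF, GTS_CA_1C3], DEFAULT_TRUSTED)

def site_omits_intermediate() -> Optional[List[Cert]]:
    # Server presents only the leaf: its issuer is nowhere to be found.
    return find_trust_path(SITE_LEAF, [SITE_LEAF], DEFAULT_TRUSTED)

def site_after_manual_import() -> Optional[List[Cert]]:
    # Same server, but the intermediate was added to the trusted CA list.
    return find_trust_path(SITE_LEAF, [SITE_LEAF], DEFAULT_TRUSTED | {DIGICERT_ICA})
```

The practical check on a real site is whether the server's TLS handshake includes the intermediate; when it does not, the firewall has no way to reach a trusted root and the certificate shows up as untrusted until that intermediate is imported.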