PAN and intermediate CAs


L6 Presenter

In the last couple of days I've had quite a few cases where I had to manually add intermediate CAs as a Trusted Root CA in order for decryption to work (for customers already blocking untrusted CAs on the firewall).


These are quite well known intermediate CAs like: 

DigiCert TLS RSA SHA256 2020 CA1

GeoTrust RSA CA 2018

Entrust Certification Authority - L1K

Entrust Certification Authority - L1M



How come PAN's trusted Root CA list is lacking so many? How is it updated? Via content updates? I have content updates scheduled daily.

Anyone else having issues with this? I know there was only some to add in the past. But last couple of days I really had many to add at different customers.

SSL Decryption 




Community Team Member

Hi @santonic ,


I found this regarding int-CAs "the firewall does not trust intermediate CAs by default because intermediate CAs are not a part of the chain of trust between the firewall and the trusted root CA. You must manually add any intermediate CAs that you want the firewall to trust, along with any additional trusted enterprise CAs that your organization requires" from Manage Default Trusted Certificate Authorities.

LIVEcommunity team member
Stay Secure,

L6 Presenter

Hey @JayGolf  

Thank you for the reply and the useful info. But it still seems a bit strange; almost every (if not every) website is signed by an intermediate CA. After implementing and testing decryption (with certificate checks on PA) everything worked without adding any intermediate CAs. So are some intermediate CAs already included as Trusted CAs? Of course we didn't try every possible website, but we didn't notice any issues then on the websites we tried.

Then last week there were suddenly lots of cases of having to import Intermediate CAs.


And let's take for example It's signed by intermediate CA "GTS CA 1C3", which I never manually imported and which is not among the Default Trusted CAs. But I'm pretty sure the customer can access it, otherwise they would report it ages ago.


So what is the actual story with trust for Intermediate CAs?
