For details on cookie usage on our site, read our Privacy Policy
Sectigo CA Chain Decryption Issues
- LIVEcommunity
- Discussions
- General Topics
- Sectigo CA Chain Decryption Issues
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
Sectigo CA Chain Decryption Issues
- Mark as New
- Subscribe to RSS Feed
- Permalink
06-01-2020 03:40 AM
Due to the recent expiration of the Sectigo RSA CA cert (https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-202...) and our Palo firewall SSL decryption policy configuration to block expired certificates we are noticing that any website that is publishing the old expired CA chain (for example netaoc.org.uk) is being blocked due to them publishing an expired cert.
This is obviously working as expected however it's difficult for me to come into contact with each website hosting one of these invalid CA chains to get them to resolve the issue while our users experience issues and I manually exclude the sites from decryption. I of course could turn off expired certificate blocking however this something I would rather not do.
I have noticed that web browsers like Chrome when not running through decryption are handling this issue just fine as they seem to look up the new correct CA certificate themselves and use that. Is there a way I can configure out Palo to act in the same way or am I stuck being reliant on the web admins of the individual sites to correct their chain issues?
- Mark as New
- Subscribe to RSS Feed
- Permalink
06-01-2020 04:23 AM - edited 06-01-2020 04:46 AM
Yes we are seeing this issue
Some customers are reporting it too when accessing one of our websites, but that's an external problem
I can't replicate it accessing our site externally.
I don't think it's necessarily a web hoster problem, our chain looks valid, and the certificate was only generated with it's chain in December.
I have logged a support case, I suggest you do the same.
- Mark as New
- Subscribe to RSS Feed
- Permalink
06-01-2020 05:08 AM
The only reason I think it's a chain issue from the sites host is if you check the website with a tool like https://whatsmychaincert.com/ it will report that the site is delivering an invalid chain but it implies that modern web browsers will transparently fix this issue for the end user.
- Mark as New
- Subscribe to RSS Feed
- Permalink
06-01-2020 06:29 AM
The fact that https://support.sectigo.com fails as well leads me to believe that the test site is not able to correctly process the request.
- Slow File Downloads over a new PA3220 in General Topics
- SSL routines::unsafe legacy renegotiation disabled in General Topics
- Possible to have a web page presented for webistes where SSL decryption Doesnt work? in General Topics
- PAN and intermediate CAs in General Topics
- [RFC5746] issue with ssl decryption: openssl3.0 unsafe legacy renegotiation disabled in GlobalProtect Discussions
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
