05-28-2026 05:21 PM
Running into a weird problem with SSL decryption and a vendor's internet certificate that has broken after going through the PaloAlto. An external vendor updated their internet-facing certificate this afternoon and internal users immediately started receiving certificate expired errors. Externally the certificate appears fine, but internally the certificate now has a negative lifespan (expired before the cert was issued). Has anyone seen this before?
The cert was issued by Let's Encrypt. Checking externally the cert, it looks good. As far as I can tell the new cert is not revoked. When externally checking the cert I get a lifetime of:
260528202420Z -- 260826202419Z
However, in the PA ssl-decrypt certificate-cache, and presented to the internal client, it now has a lifetime of:
260528202451Z -- 250915160000Z
...meaning it expired Aug 15 2025, 8 months before it was issued. The certificate-cache CRL status also shows expired, but I am unable to replicate this externally.
I have cleared the decrypt cache and retried with the same effect. It seems like this is a PA bug that is breaking certificates? I have recently upgraded to 10.2.16-h8 to fix the various recent CVEs, but not seeing anything in the known issues notes that seems to relate to this.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
