05-10-2021 02:49 PM - edited 05-10-2021 02:55 PM
We have had SSL decryption configured since we deployed Palo Alto firewalls and it works with little issue on our Windows OS platforms. We have a new project to deploy a few MacOS clients as the application development team requires the ability to test Safari browsing of some web apps. Our internal Root CA has been imported into the keychain and set to "Trust Always"; however, neither Safari nor Google Chrome is able to successfully browse websites over SSL. We either receive the "weak cipher" popup screen or the "invalid certificate" showing our subordinate as untrusted (even though it is signed by the internal Root CA shown as trusted). If we disable decryption, traffic passes as normal, so we know that it's related to this function. Another issue is that I am not as Mac savvy as I used to be and desktop support knows equal or less than myself (as we just don't have a lot of Macs).
Websites Tested: Google, Engadget, CNN
Client OS: MacOS BigSur 11.2.3
PAN-OS: 10.0.5
Decryption Profile
Tested without stripping ALPN, tested with TLS 1.2 as Max Version, tested removing appending the certificate's CN, and all no go. Is there some magic client checkbox I'm missing in MacOS? I feel like it's MacOS-specific as it works with Windows 10 on thousands of clients. Any help would be greatly appreciated.
-Matt
05-11-2021 07:20 AM
When you are in your browser, do you see the entire chain when you view the certificate or are you seeing just your subordinate CA listed? If you aren't seeing the root cert in the chain, macOS isn't going to trust your subordinate CA. Sounds like your decryption certificate doesn't include the full cert chain.
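The check BPry describes can be reproduced offline with the openssl CLI. The script below is an added example, not code from the thread or from Palo Alto: it builds a throwaway root, subordinate and leaf certificate with constructed placeholder names, prints the subject/issuer links a browser's certificate viewer would show, and then verifies the leaf against a trust store that holds only the root, with and without the subordinate present in the served chain.

```shell
#!/bin/sh
# Added example (not from the thread): throwaway root -> subordinate -> leaf
# chain built with the openssl CLI. All names are constructed placeholders.
set -e
WORK=$(mktemp -d)
cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > leaf.ext

# issue_cert NAME SUBJECT EXTFILE [ISSUER]: self-signs when no issuer is given,
# otherwise signs with ISSUER.crt / ISSUER.key.
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "$2" 2>/dev/null
  if [ -z "$4" ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 1 \
      -extfile "$3" -out "$1.crt" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$4.crt" -CAkey "$4.key" -CAcreateserial \
      -days 1 -extfile "$3" -out "$1.crt" 2>/dev/null
  fi
}

issue_cert root "/CN=Internal Root CA (constructed)" ca.ext
issue_cert sub  "/CN=Internal Subordinate CA (constructed)" ca.ext root
issue_cert leaf "/CN=www.example.test" leaf.ext sub

# chain_ok TRUSTED_ROOT LEAF [INTERMEDIATE]: succeeds only if the leaf chains
# to the trusted root using just the trust store plus what the server sent.
chain_ok() {
  if [ -n "$3" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

# show_chain CERT...: the subject/issuer links a certificate viewer displays.
show_chain() {
  for c in "$@"; do openssl x509 -in "$c" -noout -subject -issuer; done
}

show_chain leaf.crt sub.crt root.crt
chain_ok root.crt leaf.crt sub.crt && echo "leaf + subordinate: chains to trusted root"
chain_ok root.crt leaf.crt || echo "leaf alone: no path to root (subordinate missing)"
```

The second case is what a client sees when the decryption device presents only its signing certificate and the subordinate is absent from both the served chain and the keychain; macOS also ships `security verify-cert`, which runs the same check against the keychain trust settings.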
05-11-2021 11:28 AM
@BPry this is exactly what I was but in Chrome it shows the Root CA then the Subordinate CA and then the real website cert. The root CA shows "Trusted" when you click on it in the chain. We even imported the Subordinate CA as a test, trusted it, and still no luck. I'm at a loss because in my mind this should just work and does work with Windows 10 machines.