SSL Decryption Issues - MacOS Big Sur 11.2.3

Showing results for 
Show  only  | Search instead for 
Did you mean: 

SSL Decryption Issues - MacOS Big Sur 11.2.3

L4 Transporter

We have had SSL decryption configured since we deployed Palo Alto firewalls and it works with little issue on our Windows OS platforms. We have a new project to deploy a few MacOS clients as the application development team requires the ability to test Safari browsing of some web apps.  Our internal Root CA has been imported into the keychain and set to "Trust Always" however Safari nor Google Chrome are able to successfully browse websites over SSL.  We either receive the "weak cipher" popup screen or the "invalid certificate" showing our subordinate as untrusted (even though it is signed by the internal Root CA shown as trusted).  If we disable decryption traffic passes as normal so we know that its related to this function.  Another issue is that I am not as Mac savvy as I used to be and desktop support knows equal or less than myself (as we just don't have a lot of Macs).  


Websites Tested: Google, Engadget, CNN

Client OS: MacOS BigSur 11.2.3

PAN-OS: 10.0.5

Decryption Profile

  • SSL Forward Proxy - Append certificate's CN value to SAN extension, Strip ALPN
  • SSL Protocol Settings: Min Version: TLS1.0, Max Version: Max


Tested without stripping ALPN, Tested with TLS1.2 as Max Version, Tested removing Appending the certificates CN, and all no go.  Is there some magic client checkbox I'm missing in the MacOS?  I feel like its MacOS specific as it works with Windows 10 on thousands of clients.  Any help would be greatly appreciated.




Cyber Elite
Cyber Elite


When you are in your browser, do you see the entire chain when you view the certificate or are you seeing just your subordinate CA listed? If you aren't seeing the root cert in the chain, macOS isn't going to trust your subordinate CA. Sounds like your decryption certificate doesn't include the full cert chain. 

@BPry this is exactly what I was but in Chrome it shows the Root CA then the Subordinate CA and then the real website cert.  The root CA shows "Trusted" when you click on it in the chain.  We even imported the Subordinate CA as a test, trusted it, and still no luck.  I'm at a loss because in my mind this should just work and does work with Windows 10 machines.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!