SSL Decryption - replacing Forward Trust Certificate not working for IOS devices

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

SSL Decryption - replacing Forward Trust Certificate not working for IOS devices

L4 Transporter

Hi All,

 

The Forward Trust certificate on a PA-820 firewall pair was expiring, so we issued a new SubCA certificate from the Windows ADCS root CA server and updated it on the firewall. The certificate was imported with a 2048bit key and there is a password on the key. Since switching over to the new certificate for forward trust (SSL Decryption), IOS devices are no longer able to browse to the internet when an SSL Decryption policy is applied, where Windows devices are able to without issue. The IOS devices show an error “This connection is not private”.

 

I have verified the certificate trust chain is valid and correct on other devices, and I have verified that the root CA is trusted on the IOS devices. Switching back to the old certificate fixes the issue, however this certificate has now expired.

 

I have also tried re-issuing the SubCA certificate several times with various changes without any success. The Decryption profile supports tls 1.0 -1.2, however I also tried enabling 1.3 and this made no difference. (this has been reverted now).

 

In the decryption log on the firewall I see the following errors “Received fatal alert CertificateUnknown from client. CA Issuer URL…>”

 

I have tried Chrome and Safari.

 

I have tried IOS 14 and 15 (latest).

 

All websites are affected

 

Used the same certificate template as the previous SubCA cert

 

Restarted management server

 

Does anyone have any idea what may be causing this issue and what steps we can take to diagnose and resolve the issue?

6 REPLIES 6

Cyber Elite
Cyber Elite

@Ben-Price,

Do the iOS devices have the new SubCA added as a trusted certificate within their certificate store or the required root/intermediate certificates for this SubCA cert to be trusted? Right off the bat I would really look at the certificates your forcing on iOS through I would assume your MDM solution. 

L4 Transporter

@BPry Yes, the required root CA is trusted on the iOS devices. It is the same Root CA that issued the last SubCA cert. Tried installing the SubCA cert on the iOS device and trusting that but still the same issue.

Did you ever get this resolved. Running into very similar issue with mac/ios.

L1 Bithead

It looks like in PANOS 10.2 you have to create the forward trust CA on the firewall, and not from another CA. Could be the same issue with other OS versions as well.

Recreating the trust CA on the firewall fixed my problem in 10.2

Problem was related (in my case) to the encryption length of the sub CA. For IOS and Linux devices the subCA must have a minimum length of 3072 Bit (CA/Browser Forum should have decided that starting from 1/06/2021 )

L4 Transporter

The fix has been in place for a while but it's worth posting this in case people run into this issue. There was an issue that impacted MAC devices, was fixed in 10.2.3+ and 10.1.8+

With Decryption enabled, macOS Monterey and above are having ce... - Knowledge Base - Palo Alto Netw...

  • 5781 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!