The Forward Trust certificate on a PA-820 firewall pair was expiring, so we issued a new SubCA certificate from the Windows ADCS root CA server and updated it on the firewall. The certificate was imported with a 2048-bit key and there is a password on the key. Since switching over to the new certificate for forward trust (SSL Decryption), iOS devices are no longer able to browse to the internet when an SSL Decryption policy is applied, whereas Windows devices are able to without issue. The iOS devices show an error “This connection is not private”.
I have verified that the certificate trust chain is valid and correct on other devices, and I have verified that the root CA is trusted on the iOS devices. Switching back to the old certificate fixes the issue; however, this certificate has now expired.
I have also tried re-issuing the SubCA certificate several times with various changes without any success. The Decryption profile supports TLS 1.0-1.2; however, I also tried enabling 1.3 and this made no difference. (This has been reverted now.)
In the decryption log on the firewall I see the following errors “Received fatal alert CertificateUnknown from client. CA Issuer URL…>”
I have tried Chrome and Safari.
I have tried iOS 14 and 15 (latest).
All websites are affected
Used the same certificate template as the previous SubCA cert
Restarted management server
Does anyone have any idea what may be causing this issue and what steps we can take to diagnose and resolve the issue?
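One diagnostic step worth taking before re-issuing yet again is to capture the exact chain the firewall presents to a decrypted client and compare it with the chain the old certificate produced. The script below is an added example, not from this thread; it assumes `openssl` is installed on a client in the decrypted subnet, and the host, port and directory names are placeholders.

```shell
#!/bin/sh
# Added example: dump the re-signed chain a decrypted client receives and print
# the fields a TLS client validates (subject, issuer, validity window, key usage,
# basic constraints, SAN) for the leaf and the Forward Trust SubCA.

# Fetch the certificate chain presented for HOST:PORT (run from a client that
# is subject to the decryption policy, so the firewall re-signs the leaf).
fetch_chain() {
    printf '' | openssl s_client -connect "$1:$2" -servername "$1" -showcerts 2>/dev/null
}

# Split a PEM bundle on stdin into DIR/cert_NN.pem files; print the count.
split_chain() {
    awk -v dir="$1" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert_%02d.pem", dir, n) }
        n > 0                         { print > f }
        /-----END CERTIFICATE-----/   { close(f) }
        END                           { print n + 0 }
    '
}

# Print the validated fields of every certificate in DIR, in the order received.
# The -ext option needs OpenSSL 1.1.1+; older builds fall back to -text.
describe_chain() {
    for f in "$1"/cert_*.pem; do
        echo "== $f"
        openssl x509 -in "$f" -noout -subject -issuer -dates \
            -ext keyUsage,extendedKeyUsage,basicConstraints,subjectAltName 2>/dev/null \
        || openssl x509 -in "$f" -noout -subject -issuer -dates -text \
            | grep -A1 -E 'Key Usage|Basic Constraints|Subject Alternative Name'
    done
}

# Example usage (placeholder host): compare the output with a capture taken
# while the old Forward Trust certificate was still active.
# d=$(mktemp -d); fetch_chain www.example.com 443 | split_chain "$d"; describe_chain "$d"
```

The first certificate printed should be the re-signed leaf and the second the new SubCA; a SubCA whose key usage, basic constraints or validity differ from the old one is the first place to look.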
Do the iOS devices have the new SubCA added as a trusted certificate within their certificate store, or the required root/intermediate certificates for this SubCA cert to be trusted? Right off the bat I would really look at the certificates you're forcing on iOS through what I would assume is your MDM solution.
The fix has been in place for a while, but it's worth posting this in case people run into this issue. There was an issue that impacted Mac devices, which was fixed in 10.2.3+ and 10.1.8+.