01-20-2022 05:41 PM
Hi All,
The Forward Trust certificate on a PA-820 firewall pair was expiring, so we issued a new SubCA certificate from the Windows ADCS root CA server and updated it on the firewall. The certificate was imported with a 2048-bit key, and there is a password on the key. Since switching over to the new certificate for forward trust (SSL Decryption), iOS devices are no longer able to browse to the internet when an SSL Decryption policy is applied, whereas Windows devices are able to without issue. The iOS devices show the error “This connection is not private”.
I have verified that the certificate trust chain is valid and correct on other devices, and I have verified that the root CA is trusted on the iOS devices. Switching back to the old certificate fixes the issue; however, that certificate has now expired.
I have also tried re-issuing the SubCA certificate several times with various changes, without any success. The Decryption profile supports TLS 1.0-1.2; however, I also tried enabling 1.3 and this made no difference (this has been reverted now).
In the decryption log on the firewall I see the following errors “Received fatal alert CertificateUnknown from client. CA Issuer URL…>”
I have tried Chrome and Safari.
I have tried iOS 14 and 15 (latest).
All websites are affected
Used the same certificate template as the previous SubCA cert
Restarted management server
Does anyone have any idea what may be causing this issue and what steps we can take to diagnose and resolve the issue?
01-20-2022 07:44 PM
Do the iOS devices have the new SubCA added as a trusted certificate within their certificate store, or the required root/intermediate certificates for this SubCA cert to be trusted? Right off the bat I would really look at the certificates you're forcing on iOS through, I would assume, your MDM solution.
01-20-2022 07:56 PM
@BPry Yes, the required root CA is trusted on the iOS devices. It is the same root CA that issued the last SubCA cert. I tried installing the SubCA cert on the iOS device and trusting that, but still the same issue.
09-06-2022 08:33 AM
Did you ever get this resolved? Running into a very similar issue with Mac/iOS.
09-14-2022 12:53 AM
It looks like in PAN-OS 10.2 you have to create the forward trust CA on the firewall, and not from another CA. Could be the same issue with other OS versions as well.
Recreating the trust CA on the firewall fixed my problem in 10.2.
07-07-2023 06:15 AM
The problem was related (in my case) to the encryption length of the sub CA. For iOS and Linux devices the SubCA must have a minimum length of 3072 bits (the CA/Browser Forum should have decided that starting from 1/06/2021).
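Whether the cause turns out to be key length, the certificate template, or a PAN-OS bug, the first thing to do before re-issuing a SubCA again is to inspect the exported certificate for the properties a client checks before it will accept leaf certificates issued under it. The script below is an added example, not code from this thread or from Palo Alto Networks; it assumes only the openssl CLI (1.1.1 or newer) in PATH, and the file names `subca.pem` and `root.pem` are placeholders for whatever was exported from ADCS. `check_ca_cert` reports key size against an adjustable minimum (2048 by default, 3072 to test the figure quoted in the reply above), signature hash, basicConstraints, keyUsage and expiry; `verify_chain` repeats the chain check the original poster did by hand, so both can be run on the old and the new SubCA side by side.

```bash
#!/usr/bin/env bash
# Added example, not code from the thread or from Palo Alto Networks.
# Pre-flight checks for a SubCA certificate that will be loaded as the
# Forward Trust CA. Assumes only the openssl CLI (1.1.1 or newer) in PATH;
# the file names are placeholders for whatever you exported from ADCS.

set -u

# check_ca_cert <subca.pem> [min_rsa_bits]
# Checks what a client needs before it will accept leaf certificates issued
# under this CA: an RSA key of at least min_rsa_bits (default 2048), a SHA-2
# signature, basicConstraints CA:TRUE, keyUsage containing keyCertSign, and a
# validity period that has not ended. Prints one line per check and returns 0
# only if every check passes.
check_ca_cert() {
    local pem="$1" min_bits="${2:-2048}" rc=0 text bits sig
    text=$(openssl x509 -in "$pem" -noout -text 2>/dev/null) \
        || { echo "FAIL cannot parse $pem as a PEM certificate"; return 2; }

    # OpenSSL 3.x prints "Public-Key: (2048 bit)", 1.1.1 prints "RSA Public-Key: (2048 bit)"
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n1)
    if [ -n "$bits" ] && [ "$bits" -ge "$min_bits" ]; then
        echo "ok   key size ${bits} bit (minimum ${min_bits})"
    else
        echo "FAIL key size ${bits:-unknown} bit, minimum ${min_bits}"; rc=1
    fi

    sig=$(printf '%s\n' "$text" | sed -n 's/.*Signature Algorithm: *//p' | head -n1)
    case "$sig" in
        *sha256*|*sha384*|*sha512*|*SHA256*|*SHA384*|*SHA512*) echo "ok   signature $sig" ;;
        *) echo "FAIL signature ${sig:-unknown}, clients require SHA-2"; rc=1 ;;
    esac

    # RFC 5280 4.2.1.9: a CA certificate must assert basicConstraints CA:TRUE
    if printf '%s\n' "$text" | grep -q 'CA:TRUE'; then
        echo "ok   basicConstraints CA:TRUE"
    else
        echo "FAIL basicConstraints CA:TRUE missing (leaf or mis-templated certificate)"; rc=1
    fi

    # RFC 5280 4.2.1.3: a CA that signs certificates must carry keyCertSign
    if printf '%s\n' "$text" | grep -q 'Certificate Sign'; then
        echo "ok   keyUsage includes keyCertSign"
    else
        echo "FAIL keyUsage lacks keyCertSign"; rc=1
    fi

    # -checkend 0 exits non-zero once notAfter has passed
    if openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1; then
        echo "ok   not expired"
    else
        echo "FAIL certificate has expired"; rc=1
    fi
    return "$rc"
}

# verify_chain <root.pem> <subca.pem>
# Confirms the SubCA actually chains to the root the clients trust.
# Returns the exit status of openssl verify.
verify_chain() {
    local root="$1" sub="$2"
    if openssl verify -CAfile "$root" "$sub" >/dev/null 2>&1; then
        echo "ok   $sub chains to $root"
    else
        echo "FAIL $sub does not chain to $root"; return 1
    fi
}

# Usage: ./check_forward_trust.sh subca.pem [root.pem] [min_rsa_bits]
if [ -n "${1:-}" ]; then
    check_ca_cert "$1" "${3:-2048}"
    if [ -n "${2:-}" ]; then verify_chain "$2" "$1"; fi
fi
```

Run it once against the SubCA that worked and once against the one iOS rejects; a check that passes on the old certificate and fails on the new one is the difference to take back to the ADCS template. A certificate that passes every check here can still be rejected for reasons the file alone does not show (client-side trust settings, or the firewall build, as the later replies note), so treat a clean report as ruling things out rather than ruling the cause in.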
07-11-2023 08:52 AM
The fix has been in place for a while, but it's worth posting this in case people run into this issue. There was an issue that impacted Mac devices; it was fixed in 10.2.3+ and 10.1.8+.