I had set up GlobalProtect with a third-party certificate that I chained together, and it works fine with no errors.
Then, I began testing SSL Decryption yesterday (with an initial goal of decrypting SSL for Facebook so that I could block Facebook games). Upon configuring the Decryption Policy, when going to commit, I receive these warnings:
Warning: certificate chain not correctly formed in certificate GlobalProtect-Server
Warning: certificate chain not correctly formed in certificate GlobalProtect-Server
Warning: vsys1 decryption: forward decrypt untrust cert is not configured, forward decrypt trust cert will be used instead.
Configuration committed successfully
My questions are:
Why is it now telling me that my chain isn't configured correctly for the cert I'm using with GlobalProtect?
The cert I'm using for SSL Decryption I have only enabled the option of "Forward Trust Certificate", which I am assuming is why I'm seeing the warning about "Forward decrypt untrust cert is not configured, forward decrypt trust cert will be used instead"...but should I enable "Forward Untrust Certificate" on this cert as well?
Well, it appeared that I actually did have the chain wrong on my GP SSL cert (a GoDaddy one). I corrected that, and now I don't get an error in the PAN when committing; however, if I use OpenSSL or sslToolbox to validate the chain, it's throwing in an extra cert that I did not put in the chain. OpenSSL says it is a "self-signed certificate in the certificate chain", and this is from sslToolbox below:
Certificate Chain Information
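An added example (not from this thread and not Palo Alto's own tooling) of why a validator reports "self-signed certificate in the certificate chain": a throwaway root -> intermediate -> leaf PKI is built with openssl (all names constructed), and `openssl verify` is run against a chain bundle with and without the root, with and without the root in the trust store.

```shell
#!/bin/sh
# Added example, not from the thread: build a throwaway root -> intermediate -> leaf PKI
# with openssl and see how `openssl verify` reacts to each way of bundling the chain.
set -e
WORK="$(mktemp -d)"
cd "$WORK"

# Constructed test PKI (all names are made up). The intermediate must carry
# basicConstraints CA:TRUE or openssl refuses to accept it as an issuer.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext

# newcert NAME SUBJECT_CN ISSUER [EXTFILE]  (ISSUER is "self" for the root, else a NAME signed earlier)
newcert() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" 2>/dev/null
  if [ "$3" = self ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -out "$1.pem" -days 30 \
      -extfile ca.ext 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
      -out "$1.pem" -days 30 ${4:+-extfile "$4"} 2>/dev/null
  fi
}
newcert root "Example Root CA" self
newcert int  "Example Intermediate CA" root ca.ext
newcert leaf "gp.example.test" int

# What a server or appliance should present: leaf plus intermediates, never the root.
cat int.pem > chain_ok.pem
# What the poster was effectively seeing: the self-signed root sent along as well.
cat int.pem root.pem > chain_with_root.pem

# verify_chain BUNDLE [TRUSTED_ROOT]
# Prints openssl's X509 error number for leaf.pem, or 0 when the chain verifies.
# The system trust store is disabled so that only the explicitly given root counts.
verify_chain() {
  out=$(openssl verify -no-CApath -no-CAfile ${2:+-CAfile "$2"} \
        -untrusted "$1" leaf.pem 2>&1) && { echo 0; return; }
  printf '%s\n' "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
}

# 20 = unable to get local issuer certificate: the verifier simply does not know the root.
verify_chain chain_ok.pem
# 19 = self signed certificate in certificate chain: the root was presented by the
# server but is not in the verifier's trust store, which is the message quoted above.
verify_chain chain_with_root.pem
# 0 = OK: root installed as a trusted CA on the client, chain file holds just the intermediate.
verify_chain chain_ok.pem root.pem
```

The bundle loaded on the firewall should therefore contain the leaf and intermediates only; the root belongs in the client's trust store, not in the presented chain.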
I found the following, Bug 47565, which is fixed in release 5.0.3.
The release notes state the following:
After upgrading to PAN-OS 5.0.x, newly imported certificates that were part of a certificate chain were being stripped of their intermediate certificates, causing the browser to prompt users with a certificate warning.
You might be running into this issue.
The point of the untrust cert is that when the PA device fails to set up a proper SSL session between itself and the server while using SSL termination, there is no other way to notify the client about this. So by presenting the untrust cert towards the client, the client will know it's bad if it continues this session.
My advice would be to use two different certs, one for trusted and one for untrusted and place that trusted cert as trusted CA in your browser and the other untrusted cert as untrusted / blacklisted CA in your browser.