SSL Decryption - warnings during commit


I had setup GlobalProtect with a third party certificate that I chained together, and it works fine with no errors.

Then, I began testing SSL Decryption yesterday (with an initial goal of decrypting SSL for Facebook so that I could block Facebook games).  Upon configuring the Decryption Policy, when going to commit, I receive these warnings:

Warning: certificate chain not correctly formed in certificate GlobalProtect-Server
Warning: certificate chain not correctly formed in certificate GlobalProtect-Server
Warning: vsys1 decryption: forward decrypt untrust cert is not configured, forward decrypt trust cert will be used instead.

(Module: device)

Configuration committed successfully

My questions are:

Why is it now telling me that my chain isn't configured correctly for the cert I'm using with GlobalProtect?

The cert I'm using for SSL Decryption I have only enabled the option of "Forward Trust Certificate", which I am assuming is why I'm seeing the warning about "Forward decrypt untrust cert is not configured, forward decrypt trust cert will be used instead"...but should I enable "Forward Untrust Certificate" on this cert as well?


Well, it appeared that I actually did have the chain wrong on my GP SSL cert (a GoDaddy one). I corrected that, and now I don't get an error in the PAN when committing... however, if I use openssl or sslToolbox to validate the chain, it's throwing in an extra cert that I did not put in the chain. OpenSSL says it is a "self-signed certificate in the certificate chain", and this is from sslToolbox below:

Certificate Chain Information

Server Name: <gp portal> was checked using port number 443
The following issuer is not supported by the certificate installation checker.

Chain Installation

Certificate 1
  Organization: The Go Daddy Group, Inc.
  OU: Go Daddy Class 2 Certification Authority
  Country: US
  Valid From: Tue Jun 29 13:06:20 EDT 2004
  Valid To: Thu Jun 29 13:06:20 EDT 2034
  Serial Number: 0
  Signature Algorithm: SHA1withRSA
I then looked in the PA-500's "Default Trusted Certificate Authorities" and indeed there is one called "The Go Daddy Group, Inc., Go Daddy Class 2 Certification Author".  I don't remember seeing this in there before, and I had looked for GoDaddy in this default trusted list?
And for the warning about the untrust cert, I saw the other thread that said to ignore this error.  I don't have an untrust cert...if I want to set one up to get rid of the warning, is it any different than the one I use for forward trust?  Can I just use that one for both?

Hi,

look here for the same issue - https://live.paloaltonetworks.com/thread/8554

I created a "Forward Untrust Certificate" and committed with no errors. First I used the same certificate for both and there was no difference. Good luck ;)

I found the following Bug 47565, which is fixed in release 5.0.3.

The release notes state the following:

After upgrading to PAN-OS 5.0.x, newly imported certificates that were part of a certificate chain were being stripped of their intermediate certificates, causing the browser to prompt users with a certificate warning.

You might be running into this issue.

The point of the untrust cert is that when the PA device fails to set up a proper SSL session between itself and the server while doing SSL termination, there is no way to notify the client about this. So by choosing the untrust cert towards the client, the client will know it's bad if it continues this session.

My advice would be to use two different certs, one for trusted and one for untrusted, and place the trusted cert as a trusted CA in your browser and the untrusted cert as an untrusted/blacklisted CA in your browser.
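Added example, not part of the thread and not code from Palo Alto Networks or GoDaddy. It uses the openssl CLI (1.1.0 or later, assumed installed) to build a throwaway PKI standing in for the root -> intermediate -> portal chain from the first reply, then reproduces the two chain errors discussed there (a missing intermediate, which is what a "chain not correctly formed" warning points at, and a self-signed root sent in the chain that the verifier does not trust) and shows that the extra root is harmless once it is in the trust store, as the poster found with the Go Daddy Class 2 CA. It then models the forward trust / forward untrust behaviour from the last reply: the impersonation cert handed to the client is signed by the trust CA only when the upstream chain validated, otherwise by the untrust CA so the client's own check fails. All CA names, hostnames and file names are made up; `verify_with` and `resign_for_client` are this example's own helpers, not firewall or OpenSSL features.

```shell
#!/bin/sh
# Added example; not from the thread, GoDaddy or Palo Alto Networks. Builds a
# throwaway PKI (root -> intermediate -> portal leaf) plus two firewall signing
# CAs, reproduces the openssl verify outcomes behind the errors quoted above, and
# shows how a decrypting proxy picks its trust or untrust CA. All names are made up.
set -e
WORK=$(mktemp -d)
cd "$WORK"

q() { "$@" >/dev/null 2>&1; }   # run a command quietly, still failing on error

# Minimal req config so the script does not depend on the system openssl.cnf
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# mk_ca KEY CERT CN : self-signed CA
mk_ca() {
  q openssl req -x509 -config req.cnf -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -keyout "$1" -out "$2" -subj "/CN=$3"
}
# mk_signed PREFIX SUBJECT CACERT CAKEY EXTS : CSR + cert signed by CACERT (EXTS may use \n)
mk_signed() {
  q openssl req -new -config req.cnf -newkey rsa:2048 -nodes -sha256 \
    -keyout "$1.key" -out "$1.csr" -subj "$2"
  printf '%b\n' "$5" > "$1.ext"
  q openssl x509 -req -in "$1.csr" -CA "$3" -CAkey "$4" -CAcreateserial \
    -days 825 -sha256 -extfile "$1.ext" -out "$1.pem"
}

# Server side: stands in for GoDaddy root -> intermediate -> portal certificate
mk_ca root.key root.pem "Example Root CA"
mk_signed inter "/CN=Example Intermediate CA" root.pem root.key \
  'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign'
mk_signed leaf "/CN=gp.example.com" inter.pem inter.key \
  'basicConstraints=CA:FALSE\nsubjectAltName=DNS:gp.example.com'
# Firewall side: the two forward-proxy signing CAs
mk_ca fwd-trust.key fwd-trust.pem "Firewall Forward Trust CA"
mk_ca fwd-untrust.key fwd-untrust.pem "Firewall Forward Untrust CA"

# verify_with CERT TRUSTED_CA_FILE UNTRUSTED_CHAIN_FILE : prints OK or the X509 error code
# (20 = unable to get local issuer certificate, 19 = self-signed certificate in chain)
verify_with() {
  if [ -n "$2" ]; then ca="-CAfile $2"; else ca="-no-CAfile"; fi
  if [ -n "$3" ]; then un="-untrusted $3"; else un=""; fi
  if out=$(openssl verify -no-CApath $ca $un "$1" 2>&1); then
    echo OK
  else
    echo "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
  fi
}

# resign_for_client SUBJECT UPSTREAM_RESULT PREFIX : what a decrypting proxy does.
# Upstream chain validated -> impersonation cert from the forward-trust CA (the
# client trusts it, no warning); otherwise from forward-untrust, so the client's
# own check fails and the user is warned. Prints the CA used.
resign_for_client() {
  if [ "$2" = OK ]; then signer=fwd-trust; else signer=fwd-untrust; fi
  mk_signed "$3" "$1" "$signer.pem" "$signer.key" 'basicConstraints=CA:FALSE'
  echo "$signer"
}

# 1. Chain checks as the thread describes them
cat inter.pem root.pem > chain-with-root.pem
echo "leaf only, root trusted:          $(verify_with leaf.pem root.pem '')"                 # 20
echo "leaf+inter+root, nothing trusted: $(verify_with leaf.pem '' chain-with-root.pem)"      # 19
echo "leaf+inter, root trusted:         $(verify_with leaf.pem root.pem inter.pem)"          # OK
echo "leaf+inter+root, root trusted:    $(verify_with leaf.pem root.pem chain-with-root.pem)" # OK

# 2. What the decrypting firewall hands the client in each case; the client
#    (browser) trusts only the forward-trust CA, as the last reply advises
good=$(resign_for_client /CN=gp.example.com "$(verify_with leaf.pem root.pem inter.pem)" client-good)
bad=$(resign_for_client /CN=gp.example.com "$(verify_with leaf.pem root.pem '')" client-bad)
echo "good upstream: signed by $good, client sees $(verify_with client-good.pem fwd-trust.pem '')" # OK
echo "bad upstream:  signed by $bad, client sees $(verify_with client-bad.pem fwd-trust.pem '')"   # 20
```

Error 20 is the outcome of a server presenting only its leaf, which is what a browser reports when the intermediate is missing; error 19 is what `openssl s_client` reports when the server sends the self-signed root and the client does not trust it, and it clears as soon as that root is in the trust store. Keeping the two signing CAs distinct matters because the client's only signal that the upstream validation failed is which CA signed the impersonation cert.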
