PA-1410 / PAN-OS 11 doesn't include many MS Root CAs

L2 Linker

We do TLS decryption, and cut over a site to new PA-1410s running 11.0.2. While testing MS updates on endpoints, we were getting notifications that the client couldn't contact the update server. Looking in the decryption log, none of the calls to the MS URLs were trusted. I looked at the default included trusted CAs from our 820s that we are moving from, and sure enough, many of the MS root CAs are not imported into PAN-OS 11.x. I exported the ones missing from our 820s and imported them into the 1410s and marked them as trusted to work around this. Why would PAN not include these?


Here are the default trusted CAs from our 820s running 10.1:



Here's what was default on the 1410s:




L4 Transporter

Hello @brucegarlock 


The PA default trusted certificate authorities store is updated in major releases.

This means it may (or may not) have different certificates in 10.1.x and in 11.0.x.

You can upload the necessary certificates to the device certificate store and mark them as trusted.


Network Security Engineer

Yes, this is what I am doing, but what I don't understand is why those were not included as defaults like they were in the older models. It seems like a lot of the default CAs included in previous PAN-OS versions are not included on 11.x.
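One way to work out which CAs are actually missing before importing anything, as an added example that is not part of the original posts or of PAN-OS: it assumes both trust stores are available as PEM bundles and compares them by SHA-256 fingerprint of the DER bytes. The function names are hypothetical and the sample blocks are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S
)


def fingerprints(bundle: str) -> dict:
    """Map SHA-256 fingerprint (hex) -> DER bytes for each PEM block."""
    out = {}
    for body in PEM_RE.findall(bundle):
        # Strip all whitespace so CRLF or re-wrapped exports compare equal.
        der = base64.b64decode("".join(body.split()))
        out[hashlib.sha256(der).hexdigest()] = der
    return out


def missing_from_new(old_bundle: str, new_bundle: str) -> dict:
    """Certificates present in the old store but absent from the new one."""
    old, new = fingerprints(old_bundle), fingerprints(new_bundle)
    return {fp: der for fp, der in old.items() if fp not in new}


def to_pem(der: bytes) -> str:
    """Re-encode DER bytes as a PEM block wrapped at 64 characters."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


def _placeholder(label: str) -> str:
    # Constructed sample data: arbitrary bytes standing in for a certificate.
    return to_pem(("constructed placeholder " + label).encode())


# Constructed bundles: the "old" store has three entries, the "new" store has
# one of them, exported with CRLF line endings.
OLD_BUNDLE = _placeholder("root A") + _placeholder("root B") + _placeholder("root C")
NEW_BUNDLE = _placeholder("root A").replace("\n", "\r\n")

if __name__ == "__main__":
    for fp, der in missing_from_new(OLD_BUNDLE, NEW_BUNDLE).items():
        print(fp)
        print(to_pem(der))
```

Reviewing the printed fingerprints against the CA's published values before marking anything as trusted keeps the import limited to the roots the decrypted traffic actually needs.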
