03-10-2026 05:26 AM
@Brandon_Wertz wrote:
@JayGolf wrote:
Hi @L.Yalezo ,
Currently, there is no code-level resolution for automatically updating this list outside of major PAN-OS releases nor is there a "feature request" for this.
You can manually import it as a trusted root CA to ensure that your firewall trusts the new Sectigo root certs. There is a FR for this (which is NSFR-I-21203). At least I'm told there was and that my company was added to the FR. I'll look for it and share it here.
That said, this is something that Palo has known about for years and something I've been complaining about to Palo for the past 5+ years. It's so bad that a whole repo process was set up to solve this issue Palo has ignored.
https://github.com/PaloAltoNetworks/pan-chainguard
There is partial good news. In 12.1.2 Palo is trying to solve the missing intermediate cert issue as PAN-OS will attempt to dynamically download missing intermediate certificates (No current solve for roots, other than the code upgrade.)
Automatic Retrieval of Intermediate Certificates Using AIA
"We introduced a mechanism to fetch intermediate certificates via the AIA extension.
This mechanism can be toggled on/off by a new Decryption Profile setting: “Automatically Fetch Intermediate Certificates”
As part of decryption, when we encounter a server certificate with an incomplete chain, and the AIA CA Issuers extension is present (RFC5280), we will attempt to download an Intermediate CA certificate from the specified URL.
If successful, we cache the intermediate certificate for up to 1 week and use it to validate future traffic." *Caveats: The first session will show untrusted until the intermediate certificate(s) have been fetched*
Note:
This feature must be enabled on a Decryption Profile (“Automatically Fetch Intermediate Certificates”)
The intermediate certificate cache itself is only present on firewalls (not Panorama or SCM)
Panorama and SCM can only enable/disable the feature
Just wanted to relay a bit more information I recently was given. I recently met with a PM over PAN-OS and he shared some things that either are coming or currently exist in the 12.1.2+ code base regarding certificates.
There is a solve coming for root certificates. It was also shared that the existing feature solve for intermediates is also distributed to all other firewalls, in real time, via Panorama (I think SCM as well) when managed by Panorama.
So with these 3 things in place, or soon to be, I think this issue will be solved for anyone running 12.1.2+
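To make the mechanism quoted above concrete, here is an added, constructed model of what "fetch the missing intermediate via the AIA CA Issuers extension, then cache it for up to a week" looks like as logic. It is not PAN-OS code, not from pan-chainguard, and not from anyone in this thread. It uses only the Python standard library: a minimal DER encoder/decoder for the RFC 5280 AuthorityInfoAccessSyntax structure (so the caIssuers OID 1.3.6.1.5.5.7.48.2 and the [6] URI GeneralName are real), plus a name-only chain walker in place of real signature verification. The certificate names, the URLs `ocsp.example.test` and `ca.example.test`, the `fetcher` callback and the `IntermediateCache` class are all assumptions made up for the example.

```python
"""Constructed model of AIA-based intermediate fetching; not PAN-OS code."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

ID_AD_OCSP = "1.3.6.1.5.5.7.48.1"
ID_AD_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"  # RFC 5280 AIA "CA Issuers" access method
CACHE_TTL_SECONDS = 7 * 24 * 3600         # the post says the cache lives "up to 1 week"
MAX_CHAIN_DEPTH = 8                       # bound the walk so a bad chain cannot loop forever

# --- minimal DER helpers, enough for AuthorityInfoAccessSyntax (RFC 5280 4.2.2.1) ---
def der_tlv(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:                                   # short-form length
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content   # long-form length

def der_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                           # base-128 with continuation bits
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += chunk
    return der_tlv(0x06, bytes(body))

def parse_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    tag, first = buf[pos], buf[pos + 1]
    if first & 0x80:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    else:
        length, hdr = first, 2
    start = pos + hdr
    return tag, buf[start:start + length], start + length

def decode_oid(content: bytes) -> str:
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def build_aia(entries: List[Tuple[str, str]]) -> bytes:
    """Encode AuthorityInfoAccessSyntax from (accessMethod OID, URI) pairs."""
    descs = b"".join(der_tlv(0x30, der_oid(oid) + der_tlv(0x86, uri.encode("ascii")))
                     for oid, uri in entries)      # 0x86 = GeneralName [6] uniformResourceIdentifier
    return der_tlv(0x30, descs)

def parse_aia(der: bytes) -> List[Tuple[str, str]]:
    """Decode AuthorityInfoAccessSyntax; only URI-form accessLocations are kept."""
    tag, seq, _ = parse_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("AIA extension value must be a SEQUENCE")
    out, pos = [], 0
    while pos < len(seq):
        _, desc, pos = parse_tlv(seq, pos)         # one AccessDescription
        mtag, method, p = parse_tlv(desc, 0)
        ltag, loc, _ = parse_tlv(desc, p)
        if mtag == 0x06 and ltag == 0x86:
            out.append((decode_oid(method), loc.decode("ascii")))
    return out

def ca_issuer_urls(aia_der: Optional[bytes]) -> List[str]:
    return [u for oid, u in parse_aia(aia_der) if oid == ID_AD_CA_ISSUERS] if aia_der else []

# --- name-only chain model (stand-in for real signature checks; constructed) ---
@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    aia: Optional[bytes] = None                    # DER value of the AIA extension, if any

class IntermediateCache:
    """url -> (cert, expiry); models the per-firewall cache the post describes."""
    def __init__(self) -> None:
        self._e: Dict[str, Tuple[Cert, float]] = {}
    def get(self, url: str, now: float) -> Optional[Cert]:
        hit = self._e.get(url)
        return hit[0] if hit and hit[1] > now else None
    def put(self, url: str, cert: Cert, now: float) -> None:
        self._e[url] = (cert, now + CACHE_TTL_SECONDS)

def build_chain(leaf: Cert, presented: List[Cert], trust_anchors: set, cache: IntermediateCache,
                fetcher: Callable[[str], Optional[Cert]], now: float) -> Optional[List[Cert]]:
    """Walk issuer links; fill a gap via AIA caIssuers. None means 'untrusted'."""
    chain, cur = [leaf], leaf
    for _ in range(MAX_CHAIN_DEPTH):
        if cur.issuer in trust_anchors:
            return chain
        nxt = next((c for c in presented if c.subject == cur.issuer), None)
        if nxt is None:                            # incomplete chain: try each caIssuers URL
            for url in ca_issuer_urls(cur.aia):
                cand = cache.get(url, now)
                if cand is None:
                    cand = fetcher(url)
                    if cand is not None:
                        cache.put(url, cand, now)
                if cand is not None and cand.subject == cur.issuer:
                    nxt = cand
                    break
        if nxt is None:
            return None
        chain.append(nxt)
        cur = nxt
    return None

def demo(now: float = 0.0) -> dict:
    """Three sessions against a server that sends only its leaf certificate (constructed data)."""
    root = Cert("Example Root CA", "Example Root CA")
    inter = Cert("Example Intermediate CA", "Example Root CA")
    leaf = Cert("www.example.test", "Example Intermediate CA", aia=build_aia([
        (ID_AD_OCSP, "http://ocsp.example.test"),
        (ID_AD_CA_ISSUERS, "http://ca.example.test/intermediate.crt")]))
    repo = {"http://ca.example.test/intermediate.crt": inter}   # stands in for the CA's web server
    fetches: List[str] = []
    def fetcher(url: str) -> Optional[Cert]:       # offline stand-in for the HTTP download
        fetches.append(url)
        return repo.get(url)
    cache, trust = IntermediateCache(), {root.subject}
    s1 = build_chain(leaf, [leaf], trust, cache, fetcher, now)                          # fetched
    s2 = build_chain(leaf, [leaf], trust, cache, fetcher, now + 3600)                   # cache hit
    s3 = build_chain(leaf, [leaf], trust, cache, fetcher, now + CACHE_TTL_SECONDS + 1)  # expired
    orphan = build_chain(Cert("orphan.example.test", "Unknown CA"), [], trust, cache, fetcher, now)
    return {"chain": [c.subject for c in s1], "all_sessions_trusted": s1 == s2 == s3,
            "fetches": len(fetches), "no_aia_untrusted": orphan is None}
```

Two things worth noticing when you run `demo()`: only two downloads happen across three sessions, because the second one is served from the cache and the third comes after the one-week expiry; and a leaf with no AIA CA Issuers URL (or one whose issuer is not in the trust store) still comes back untrusted, which is why the post says the feature covers intermediates but not missing roots. The model fetches inline for simplicity; the post notes that on the real firewall the first session shows as untrusted until the intermediate has actually been fetched.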