Showing results for 
Search instead for 
Did you mean: 

Who Me Too'd this topic

new CA Sectigo(formerly Comodo) not trusted

L2 Linker


We are having a minor issues on one of our customer firewalls performing decryption. 

it seems certain sites. that have a certificate issued by sectigo. 

root: Sectigo

intermediate: Sectigo RSA Domain Validation Secure Server CA

site certificate.


I believe the root cause of this is the fact that this CA used to be called Comodo( for which there are default trusted certificates in the palo) has been renamed to Sectigo. and I believe new certificates are issued under the new name. 

This got me wondering: how does palo alto determine the Trusted CA list, how often is it updated and how is this new list pushed to the palo alto( as there is no way to force an update I assume it is only updated when upgrading ot a later hotfix or version?)

I'm testing if this is indeed the root cause however I suspect it is. 

users having the issue with the site receive a page stating: 

issuer: Sectigo RSA Domain Validation Secure Server CA

status: untrusted

reason: <blanc>


and as a best practice we have the option to block untrusted certificates of course. 


Who Me Too'd this topic