L3 Networker

6 years on and this is still an issue - while the server owner should be responsible for serving the intermediate cert, most modern browsers find missing certs from the AIA extension (https://www.rfc-editor.org/rfc/rfc5280#section-4.2.2.1) making broken chains transparent to end users.

 

Example: https://support.poly.com 

 

In 2022, a PAN-OS 10.1 device with TLS decryption will still not trust a broken chain, resulting in a user experience where sites that were previously verified and trusted are inaccessible to users without either creating exceptions or installing intermediate certs in PAN-OS. Or forcing the server owner to fix it. Neither of which anyone wants to manage.

 

PAN-OS needs to provide the option to fetch intermediates in the same manner it does CRLs (from certificate extensions) and use the CRL service route.

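An added example, not part of the original post and not PAN-OS code: a Python sketch (using the `cryptography` package) that finds where a served chain breaks and reads the AIA caIssuers URL a browser would use to fetch the missing intermediate. The certificate names and the URL are constructed for the example, and the walk matches issuer names only, without verifying signatures.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID, AuthorityInformationAccessOID as AIA

def aia_ca_issuers(cert):
    """caIssuers URLs from the AIA extension (RFC 5280 section 4.2.2.1)."""
    try:
        aia = cert.extensions.get_extension_for_class(x509.AuthorityInformationAccess)
    except x509.ExtensionNotFound:
        return []
    return [d.access_location.value for d in aia.value
            if d.access_method == AIA.CA_ISSUERS
            and isinstance(d.access_location, x509.UniformResourceIdentifier)]

def find_chain_gap(served, trusted):
    """Follow issuer names from the leaf (served[0]); no signature checks here."""
    known = {c.subject: c for c in served[1:]}
    roots = {c.subject for c in trusted}
    cert = served[0]
    for _ in served:  # bounded walk, so a name loop cannot spin forever
        if cert.issuer in roots:
            return "complete", []
        if cert.issuer not in known:
            return "missing-issuer", aia_ca_issuers(cert)
        cert = known[cert.issuer]
    return "no-trusted-root", []

def _make(cn, issuer_cn, key, issuer_key, ca, aia_url=None):
    """Build one constructed test certificate (hypothetical names, not real PKI)."""
    name = lambda s: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, s)])
    now = datetime.datetime(2022, 1, 1)
    b = (x509.CertificateBuilder().subject_name(name(cn)).issuer_name(name(issuer_cn))
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=365))
         .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True))
    if aia_url:
        b = b.add_extension(x509.AuthorityInformationAccess([x509.AccessDescription(
            AIA.CA_ISSUERS, x509.UniformResourceIdentifier(aia_url))]), critical=False)
    return b.sign(issuer_key, hashes.SHA256())

def build_sample():
    """Constructed root, intermediate and leaf; the leaf carries an AIA caIssuers URL."""
    rk, ik, lk = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root = _make("Example Root", "Example Root", rk, rk, True)
    inter = _make("Example Intermediate", "Example Root", ik, rk, True)
    leaf = _make("www.example.test", "Example Intermediate", lk, ik, False,
                 "http://pki.example.test/intermediate.crt")
    return root, inter, leaf
```

Calling `find_chain_gap([leaf], [root])` reports the gap together with the caIssuers URL, while adding the intermediate to the trusted set (the manual workaround the post describes) makes the same served chain resolve as complete.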