L2 Linker

6 years on and this is still an issue - while the server owner should be responsible for serving the intermediate cert, most modern browsers find missing certs from the AIA extension, making broken chains transparent to end users.




In 2022, a PAN-OS 10.1 device with TLS decryption will still not trust a broken chain, making for a user experience in which sites that were previously verified and trusted are inaccessible to users without either creating exceptions or installing intermediate certs in PAN-OS. Or forcing the server owner to fix it. Neither of which anyone wants to manage.


PAN-OS needs to provide the option to fetch intermediates in the same manner it does CRLs (from certificate extensions) and use the CRL service route.

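The broken-chain behaviour described in the post above can be reproduced offline. This is an added example, not part of the original post and not PAN-OS code: it builds a constructed three-tier lab PKI with `openssl`, shows a strict verifier rejecting a leaf served without its intermediate, and reads the AIA caIssuers URL a client could use to find it. All names and the URL are assumptions made up for the lab.

```shell
#!/usr/bin/env bash
# Constructed lab PKI: every name, key and the AIA URL below is made up.
LAB=$(mktemp -d)
AIA_URL="http://pki.lab.example/intermediate.crt"   # hypothetical caIssuers URL

build_lab_pki() (
  cd "$LAB" || exit 1
  # Root CA: the only certificate the verifier trusts.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Lab Root CA" \
    -keyout root.key -out root.pem 2>/dev/null || exit 1
  # Intermediate CA, signed by the root.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Lab Intermediate CA" \
    -keyout int.key -out int.csr 2>/dev/null || exit 1
  printf 'basicConstraints=critical,CA:TRUE\n' > int.ext
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 2 -extfile int.ext -out int.pem 2>/dev/null || exit 1
  # Leaf, signed by the intermediate, carrying an AIA caIssuers pointer to it.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=www.lab.example" \
    -keyout leaf.key -out leaf.csr 2>/dev/null || exit 1
  printf 'authorityInfoAccess=caIssuers;URI:%s\n' "$AIA_URL" > leaf.ext
  openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 2 -extfile leaf.ext -out leaf.pem 2>/dev/null
)

# What a strict verifier sees when the server sends only its leaf certificate.
verify_leaf_only() {
  openssl verify -CAfile "$LAB/root.pem" "$LAB/leaf.pem" >/dev/null 2>&1
}

# Same check once the intermediate is available (imported, or fetched via AIA).
verify_with_intermediate() {
  openssl verify -CAfile "$LAB/root.pem" -untrusted "$LAB/int.pem" \
    "$LAB/leaf.pem" >/dev/null 2>&1
}

# The caIssuers URL from the leaf's AIA extension: where the issuer can be found.
aia_ca_issuers() {
  openssl x509 -in "$LAB/leaf.pem" -noout -text | sed -n 's/.*CA Issuers - URI://p'
}

build_lab_pki || { echo "openssl failed to build the lab PKI" >&2; exit 1; }
if verify_leaf_only; then echo "leaf only: trusted"
else echo "leaf only: REJECTED (issuer not supplied)"; fi
if verify_with_intermediate; then echo "leaf + intermediate: trusted"
else echo "leaf + intermediate: REJECTED"; fi
echo "AIA caIssuers: $(aia_ca_issuers)"
```

The same `openssl verify` comparison, run against a real server's presented chain, tells you whether a site needs its intermediate imported before a decrypting device will trust it.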