Identify Untrusted CA Certificates


Find sites that have untrusted CA certificates so you can make informed decisions about allowed traffic.
Where Can I Use This? / What Do I Need?

No separate license is required for decryption when using NGFWs or Prisma Access.
Note: The features and capabilities available to you in Strata Cloud Manager depend on your active license(s).
Blocking access to sites with untrusted CA certificates and certificates self-signed by an untrusted root CA is a best practice because sites with untrusted CAs may indicate a man-in-the-middle attack, a replay attack, or other malicious activity.

Identify Untrusted CA Certificates (Strata Cloud Manager)

  1. Block sessions with untrusted issuers in the decryption profile for SSL Forward Proxy.
    When you block sessions with untrusted issuers in the decryption profile, the decryption log records the error.
    1. Select Manage > Configuration > NGFW and Prisma Access > Security Services > Decryption.
    2. Under Decryption Profiles, select or Add a new profile, and then select the Block sessions with untrusted issuers option.
  2. Filter the decryption logs to identify sessions that failed because the certificate was issued by an untrusted CA.
    1. Select Incidents and Alerts > Log Viewer, and then select Firewall/Decryption.
    2. Use the query Error Message = 'Untrusted issuer CA'.
  3. (Optional) Double-check the certificate details (issuer chain and expiration date) at the Qualys SSL Labs site.
    Enter the hostname of the server (Server Name Identification column of the decryption log) in the Hostname field, and then Submit it to view certificate information for the host.

Identify Untrusted CA Certificates (PAN-OS)

  1. Block sessions with untrusted issuers in the Forward Proxy Decryption profile.
    When you block sessions with untrusted issuers in the Decryption profile, the Decryption log records the error.
    Select Objects > Decryption > Decryption Profiles. Then select a profile to modify, or create a new profile, and select the Block sessions with untrusted issuers option.
  2. Filter the Decryption log to identify sessions that failed because the certificate was issued by an untrusted CA, using the query (error eq 'Untrusted issuer CA').
  3. (Optional) Double-check the certificate details (issuer chain and expiration date) at the Qualys SSL Labs site.
    Enter the hostname of the server (Server Name Identification column of the Decryption log) in the Hostname field and Submit it to view certificate information for the host.
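The following script is an added example, not part of the Palo Alto Networks documentation, that reproduces offline the condition both procedures above block and log: it constructs two private root CAs with the openssl CLI, places only one in the trust store, and checks whether a server certificate's issuer is trusted. The CA names, hostnames, and the `check_issuer` helper are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the Palo Alto Networks documentation): two private
# root CAs are constructed in a temp dir; only "Corporate Root CA" is placed
# in the trust store, so a leaf signed by "Rogue Root CA" reproduces the
# "Untrusted issuer CA" condition a decryption profile blocks.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# make_ca <name> <subject>: self-signed root CA (req -x509 applies the
# default openssl.cnf v3_ca extensions, which mark it CA:TRUE)
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$1.key" -out "$1.pem" -subj "/CN=$2" >/dev/null 2>&1
}

# make_leaf <ca-name> <leaf-name> <hostname>: server cert signed by that CA
make_leaf() {
  openssl req -newkey rsa:2048 -nodes -keyout "$2.key" -out "$2.csr" \
    -subj "/CN=$3" >/dev/null 2>&1
  openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
    -CAcreateserial -days 30 -out "$2.pem" >/dev/null 2>&1
}

# check_issuer <leaf-cert> <trust-store>: the verdict a Forward Proxy
# decryption profile with "Block sessions with untrusted issuers" would give.
# Only the CAs in <trust-store> (plus the system store, which holds neither
# constructed root) can satisfy the chain check.
check_issuer() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
    echo "allow: issuer trusted"
  else
    echo "block: Untrusted issuer CA"
  fi
}

make_ca corporate-ca "Corporate Root CA"   # constructed; in the trust store
make_ca rogue-ca     "Rogue Root CA"       # constructed; not in the store
make_leaf corporate-ca corp-leaf  intranet.example.internal   # hypothetical host
make_leaf rogue-ca     rogue-leaf portal.example.internal     # hypothetical host

echo "intranet.example.internal -> $(check_issuer corp-leaf.pem  corporate-ca.pem)"
echo "portal.example.internal   -> $(check_issuer rogue-leaf.pem corporate-ca.pem)"
```

The second host is the case the decryption log records with Error Message 'Untrusted issuer CA'; the Server Name Identification column is what you would then paste into the Qualys SSL Labs check.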