Decryption Administration
  • Decryption Administration
  • Network Security Documentation
  • All Documentation
>
Repair Incomplete Certificate Chains (Strata Cloud Manager)
Focus
Download PDF
Focus
  1. Home
  2. Network Security
  4. Troubleshoot Decryption
  5. Repair Incomplete Certificate Chains
  6. Repair Incomplete Certificate Chains (Strata Cloud Manager)
Download PDF
Network Security

Repair Incomplete Certificate Chains (Strata Cloud Manager)

Table of Contents
  1. Find websites that cause incomplete certificate chain errors.
    1. Filter the Decryption logs for sessions that failed because of an incomplete certificate chain.
      • Select Incidents and Alerts Log Viewer and select Firewall/Decryption.
      • In the filter field, enter the query Error Index = 'Certificate') AND (Error Message LIKE ‘%http%’).
        This query filters the logs for Certificate errors that contain the string “http”, which finds all of the error entries that contain the CA Issuer URL (often called the URI). The CA Issuer URL is the Authority Information Access (AIA) information for the CA Issuer.
    2. Select an entry in the Error Message column that begins “Received fatal alert UnknownCA from client. CA Issuer URL:” followed by the URI.
      The NGFW automatically adds the selected error to the query and shows the full URI path (the full URI path may be truncated in the Error Message column).
  2. Copy and paste the URI into your browser and then press Enter to download the missing intermediate certificate.
  3. Click the certificate to open the dialog.
  4. Open the certificate file.
  5. Select Details, and then click Copy to File....
    Follow the export directions. The certificate copies to the folder you designated as your default download folder.
  6. Import the certificate into the NGFW.
    1. Select ManageConfiguration NGFW and Prisma Access Objects Certificate Management. Under Custom Certificates, select Import.
    2. Browse to the folder where you stored the missing intermediate certificate and select it. Leave the File Format as Base64 Encoded Certificate (PEM).
    3. Name the certificate, specify any other options you want to use, and then click OK.
  7. When the certificate has imported, select the certificate from the Device Certificates list to open the Certificate Information dialog.
  8. Specify the use for the certificate.
    For Certificate Use For, select Trusted Root CA, and then click Save. The imported certificate now appears in the list of certificates.
  9. Confirm that the certificate is regarded as a Trusted Root CA Certificate.
    Under Custom Certificates, select the newly imported certificate. Then, verify that the Usage column displays Trusted Root CA Certificate.
  10. Push Config to commit the configuration.
    You have now repaired the broken certificate chain. The NGFW doesn’t block the traffic because the CA issuer is now trusted.
  11. Repeat this process for all missing intermediate certificates to repair their certificate chains.

Technical Documentation

Company

Legal Notices

© 2025 Palo Alto Networks, Inc. All rights reserved.