Focus

Troubleshoot Pinned Certificates

Table of Contents

Filter

Expand All | Collapse All

Next-Generation Firewall Docs

Getting Started
Administration
Version
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
Networking
Version
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
Incidents & Alerts
Release Notes
Version
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)

Troubleshoot Revoked Certificates

Decryption Broker

Troubleshoot Pinned Certificates

Find sites that have pinned certificates so you can decide whether to allow the traffic by excluding it from decryption.

Certificate pinning forces the client application to validate the server’s certificate against a known copy to ensure that certificate really comes from the server. The intent of pinned certificates is to protect against man-in-the-middle (MITM) attacks where a device between the client and the server replaces the server certificate with another certificate.

Although this prevents malicious actors from intercepting and manipulating connections, it also prevents forward proxy decryption because the firewall creates an impersonation certificate instead of the server certificate to present to the client. Instead of one session that connects the client and server directly, forward proxy creates two sessions, one between the client and the firewall and another between the firewall and the server. This establishes trust with the client so that the firewall can decrypt and inspect the traffic.

However, when a certificate is pinned, the firewall cannot decrypt the traffic because the client does not accept the firewall’s impersonation certificate—the client only accepts the certificate that is pinned to the application.

Filter the Decryption log (MonitorLogsDecryption) to find pinned certificates using the query (error contains ‘UnknownCA’).

The application generates a TLS error code (Alert) when it fails to verify the server’s certificate. Different applications may use different error codes to indicate a pinned certificate. The most common error indicators for pinned certificates are UnknownCA and BadCertificate. After running the (error contains ‘UnknownCA’) query, run the query (error contains ‘BadCertificate’) to catch more pinned certificate errors.

You can use Wireshark or other packet analyzers to double-check the error. Look for the client breaking the connection immediately after the TLS handshake to confirm that it is a pinned certificate issue.
Decide what to do about pinned certificates.
If you don’t need access for business purposes, you can let the firewall continue to block access. If you need access, then you can Exclude a Server from Decryption for Technical Reasons by adding it to the SSL Decryption Exclusion List (DeviceCertificate ManagementSSL Decryption Exclusion.
The firewall bypasses decryption for sites on the SSL Decryption Exclusion List. The firewall cannot inspect the traffic, but the traffic is allowed.

Troubleshoot Revoked Certificates

Decryption Broker

Next-Generation Firewall Docs

Troubleshoot Pinned Certificates

Next-Generation Firewall Docs

Troubleshoot Pinned Certificates

Activation & Onboarding

Next-Generation Firewalls

Cloud-Delivered Security Services

Network Security

Visibility & Monitoring

Best Practices

Experts Corner