Network Security
Repair Incomplete Certificate Chains
Table of Contents
Expand All
|
Collapse All
Network Security Docs
-
- Security Policy
-
- Security Profile Groups
- Security Profile: AI Security
- Security Profile: WildFire® Analysis
- Security Profile: Antivirus
- Security Profile: Vulnerability Protection
- Security Profile: Anti-Spyware
- Security Profile: DNS Security
- Security Profile: DoS Protection Profile
- Security Profile: File Blocking
- Security Profile: URL Filtering
- Security Profile: Data Filtering
- Security Profile: Zone Protection
-
- Policy Object: Address Groups
- Policy Object: Regions
- Policy Object: Traffic Objects
- Policy Object: Applications
- Policy Object: Application Groups
- Policy Object: Application Filter
- Policy Object: Services
- Policy Object: Auto-Tag Actions
- Policy Object: Devices
-
- Uses for External Dynamic Lists in Policy
- Formatting Guidelines for an External Dynamic List
- Built-in External Dynamic Lists
- Configure Your Environment to Access an External Dynamic List
- Configure your Environment to Access an External Dynamic List from the EDL Hosting Service
- Retrieve an External Dynamic List from the Web Server
- View External Dynamic List Entries
- Enforce Policy on an External Dynamic List
- Find External Dynamic Lists That Failed Authentication
- Disable Authentication for an External Dynamic List
- Policy Object: HIP Objects
- Policy Object: Schedules
- Policy Object: Quarantine Device Lists
- Policy Object: Dynamic User Groups
- Policy Object: Custom Objects
- Policy Object: Log Forwarding
- Policy Object: Authentication
- Policy Object: Decryption Profile
- Policy Object: Packet Broker Profile
-
-
-
- The Quantum Computing Threat
- How RFC 8784 Resists Quantum Computing Threats
- How RFC 9242 and RFC 9370 Resist Quantum Computing Threats
- Support for Post-Quantum Features
- Post-Quantum Migration Planning and Preparation
- Best Practices for Resisting Post-Quantum Attacks
- Learn More About Post-Quantum Security
-
-
-
- Investigate Reasons for Decryption Failure
- Identify Weak Protocols and Cipher Suites
- Troubleshoot Version Errors
- Troubleshoot Unsupported Cipher Suites
- Identify Untrusted CA Certificates
- Repair Incomplete Certificate Chains
- Troubleshoot Pinned Certificates
- Troubleshoot Expired Certificates
- Troubleshoot Revoked Certificates
Repair Incomplete Certificate Chains
Locate and install missing intermediate certificates to fix incomplete certificate
chains using the Decryption log.
Where Can I Use This? | What Do I Need? |
---|---|
|
No separate license required for decryption when using NGFWs or
Prisma Access.
Note: The features and capabilities available to you in
Strata Cloud Manager depend on your active license(s).
|
Not all websites send their complete certificate chain even though the RFC
5246 TLSv1.2 standard requires authenticated servers to provide a valid
certificate chain leading to an acceptable certificate authority (CA). When you
enable decryption and apply a Forward Proxy Decryption profile that
blocks sessions with untrusted issuers to a Decryption
policy rule, if an intermediate certificate is missing from the certificate list the
website’s server presents to the NGFW, the NGFW can’t construct the certificate
chain to the top (root) certificate. In these cases, the NGFW presents its Forward
Untrust certificate to the client because trust can't be established without the
missing intermediate certificate.
The NGFW also presents its Forward Untrust certificate if
traffic matches a Decryption profile that allows sessions with untrusted
issuers.
The NGFW only has root certificates in its Default Trusted Certificate
Authorities store.
If a website you need to communicate with for business purposes has one or more missing
intermediate certificates and the Decryption profile blocks sessions with untrusted
issuers, then you can find and download the missing intermediate certificate and
install it on the NGFW as a trusted root CA so that the NGFW trusts the site’s
server. (The alternative is to contact the website owner and ask them to configure
their server so that it sends the intermediate certificate during the
handshake.)
If you allow sessions with untrusted issuers in the Decryption profile, the NGFW can establish
sessions even if the issuer is untrusted. The NGFW presents the Forward Untrust
certificate to the client and displays a warning message in the browser, which
enables users to accept the risk and continue to the site or not. However, it's
a best practice to block sessions with untrusted issuers for better
security.
Repair Incomplete Certificate Chains (Strata Cloud Manager)
- Find websites that cause incomplete certificate chain errors.
- Filter the Decryption logs for sessions that failed because of an incomplete certificate chain.
- Select Incidents and Alerts Log Viewer and select Firewall/Decryption.
- In the filter field, enter the query Error Index = 'Certificate') AND (Error Message LIKE ‘%http%’).This query filters the logs for Certificate errors that contain the string “http”, which finds all of the error entries that contain the CA Issuer URL (often called the URI). The CA Issuer URL is the Authority Information Access (AIA) information for the CA Issuer.
- Select an entry in the Error Message column that begins “Received fatal alert UnknownCA from client. CA Issuer URL:” followed by the URI.The NGFW automatically adds the selected error to the query and shows the full URI path (the full URI path may be truncated in the Error Message column).
- Copy and paste the URI into your browser and then press Enter to download the missing intermediate certificate.
- Click the certificate to open the dialog.
- Open the certificate file.
- Select Details, and then click Copy to File....Follow the export directions. The certificate copies to the folder you designated as your default download folder.
- Import the certificate into the NGFW.
- Select ManageConfiguration NGFW and Prisma Access Objects Certificate Management. Under Custom Certificates, select Import.
- Browse to the folder where you stored the missing intermediate certificate and select it. Leave the File Format as Base64 Encoded Certificate (PEM).
- Name the certificate, specify any other options you want to use, and then click OK.
- When the certificate has imported, select the certificate from the Device Certificates list to open the Certificate Information dialog.
- Specify the use for the certificate.For Certificate Use For, select Trusted Root CA, and then click Save. The imported certificate now appears in the list of certificates.
- Confirm that the certificate is regarded as a Trusted Root CA Certificate.Under Custom Certificates, select the newly imported certificate. Then, verify that the Usage column displays Trusted Root CA Certificate.
- Push Config to commit the configuration.You have now repaired the broken certificate chain. The NGFW doesn’t block the traffic because the CA issuer is now trusted.
- Repeat this process for all missing intermediate certificates to repair their certificate chains.
Repair Incomplete Certificate Chains (PAN-OS)
- Find websites that cause incomplete certificate chain errors.
- Filter the Decryption log to identify Decryption sessions that failed because of an incomplete certificate chain.In the filter field, type the query (err_index eq Certificate) and (error contains ‘http’). This query filters the logs for Certificate errors that contain the string “http”, which finds all of the error entries that contain the CA Issuer URL (often called the URI). The CA Issuer URL is the Authority Information Access (AIA) information for the CA Issuer.
- Click an Error column entry that begins “Received fatal alert UnknownCA from client. CA Issuer URL:” followed by the URI.The NGFW automatically adds the selected error to the query and shows the full URI path (the full URI path may be truncated in the Error column).
- Copy and paste the URI into your browser and then press Enter to download the missing intermediate certificate.
- Click the certificate to open the dialog.
- Click Open to open the certificate file.
- Select the Details tab and then click Copy to File....Follow the export directions. The certificate copies to the folder you designated as your default download folder.
- Import the certificate into the NGFW.
- Navigate to DeviceCertificate ManagementCertificates and then select Import.
- Browse to the folder where you stored the missing intermediate certificate and select it. Leave the File Format as Base64 Encoded Certificate (PEM).
- Name the certificate, specify any other options you want to use, and then click OK.
- When the certificate has imported, select the certificate from the Device Certificates list to open the Certificate Information dialog.
- Select Trusted Root CA to mark the certificate as a trusted root CA, and then click OK.In DeviceCertificate ManagementCertificatesDevice Certificates, the imported certificate now appears in the list of certificates. Check the Usage column to confirm that the status is Trusted Root CA Certificate.
- Commit the configuration.
- You have now repaired the broken certificate chain.The NGFW doesn’t block the traffic because the CA issuer is now trusted. Repeat this process for all missing intermediate certificates to repair their certificate chains.