Automatic Retrieval of Intermediate Certificates
What's New in the NetSec Platform

Enable automatic downloads of missing intermediate certificates using the AIA extension for SSL Forward Proxy decryption.
During TLS handshakes, servers sometimes present certificates that are not signed directly by a trusted root certificate authority (CA) and omit the intermediate certificates that would link them to one. When this happens, Next-Generation Firewalls (NGFWs) can't establish a chain of trust, and the SSL/TLS connection fails. PAN-OS® 12.1 solves this problem for SSL Forward Proxy connections by fetching the missing intermediate certificates from the URL specified in the Authority Information Access (AIA) extension of the server certificate. This eliminates the need to manually upload intermediate certificates or to bypass decryption for these connections.
If a server certificate doesn't have the AIA extension, it remains untrusted.
The Automatic Retrieval of Intermediate Certificates feature examines server certificates during TLS handshakes. If a certificate can't be validated because the certificate chain is incomplete, but it contains an AIA extension with a CA Issuers URL, the NGFW performs several steps. First, it checks its intermediate certificate cache for an entry corresponding to the URL in the extension. If no entry is present, the NGFW attempts to download the certificate from the AIA URL. The NGFW then verifies that the fetched certificate's Subject Name (SN) matches the Issuer Name of the certificate being validated and that the fetched certificate hasn't expired. If these criteria are met, the certificate is cached for future use. The NGFW can recursively fetch up to three levels of intermediate certificates to build a complete chain to a trusted root CA.
The first connection attempt fails while the fetch is in progress, but subsequent connections succeed because the intermediate certificate is now cached. The NGFW keeps fetched certificates in the cache for up to one week, subject to the certificates' expiration dates.
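The following program is an added example, not Palo Alto Networks code, that models the retrieval steps described above with Go's standard crypto/x509 package: a cache keyed by AIA URL, the subject-name and expiry checks on each fetched certificate, and a cap of three intermediate levels. It constructs its own root, two intermediates and a server certificate in memory, and the hypothetical URLs http://aia.example.test/inter1.cer and http://aia.example.test/inter2.cer are served from a map instead of over HTTP, so it runs offline. The chain is built synchronously here; a real NGFW fails the first handshake while the fetch is in progress and only later connections benefit from the cache. The signature check on each fetched certificate is an extra safeguard that the page does not mention.

```go
package main

// Added example, not PAN-OS code: a model of the AIA chasing described on this
// page, exercised against a constructed in-memory PKI so it runs offline.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const maxAIADepth = 3 // the NGFW fetches at most three levels of intermediates

// Fetcher models the firewall: trusted roots, an intermediate cache keyed by
// AIA URL, and the bytes the hypothetical AIA URLs serve (HTTP on a real device).
type Fetcher struct {
	Roots, Cache map[string]*x509.Certificate // by subject name; by AIA URL
	Files        map[string][]byte            // constructed "download" responses
	Downloads    int                          // fetches performed, to show the cache at work
	MaxDepth     int
}

// fetchIssuer returns cert's issuer from the cache or its AIA CA Issuers URL,
// accepting it only if its subject equals cert's issuer name and it has not
// expired (the page's checks); the signature check is an extra safeguard.
func (f *Fetcher) fetchIssuer(cert *x509.Certificate, now time.Time) (*x509.Certificate, error) {
	if len(cert.IssuingCertificateURL) == 0 {
		return nil, fmt.Errorf("%q has no AIA CA Issuers URL: stays untrusted", cert.Subject)
	}
	url := cert.IssuingCertificateURL[0]
	if c, ok := f.Cache[url]; ok {
		return c, nil
	}
	f.Downloads++
	issuer, err := x509.ParseCertificate(f.Files[url]) // missing URL -> empty bytes -> parse error
	switch {
	case err != nil:
		return nil, fmt.Errorf("fetch %s: %w", url, err)
	case issuer.Subject.String() != cert.Issuer.String():
		return nil, fmt.Errorf("subject %q does not match issuer %q", issuer.Subject, cert.Issuer)
	case now.After(issuer.NotAfter):
		return nil, fmt.Errorf("fetched certificate %q has expired", issuer.Subject)
	case cert.CheckSignatureFrom(issuer) != nil:
		return nil, fmt.Errorf("%q did not sign %q", issuer.Subject, cert.Subject)
	}
	f.Cache[url] = issuer
	return issuer, nil
}

// BuildChain walks from the server certificate toward a trusted root,
// fetching at most MaxDepth intermediates on the way.
func (f *Fetcher) BuildChain(leaf *x509.Certificate) ([]*x509.Certificate, error) {
	now, chain, cur := time.Now(), []*x509.Certificate{leaf}, leaf
	for depth := 0; ; depth++ {
		if root, ok := f.Roots[cur.Issuer.String()]; ok && cur.CheckSignatureFrom(root) == nil {
			return append(chain, root), nil
		}
		if depth == f.MaxDepth {
			return nil, fmt.Errorf("no trusted root within %d intermediate levels", f.MaxDepth)
		}
		issuer, err := f.fetchIssuer(cur, now)
		if err != nil {
			return nil, err
		}
		chain, cur = append(chain, issuer), issuer
	}
}

// mkCert issues a constructed certificate; aia is the hypothetical CA Issuers
// URL to embed ("" for none) and a nil parent means self-signed.
func mkCert(cn string, ca bool, aia string, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: ca, BasicConstraintsValid: true,
	}
	if ca {
		tmpl.KeyUsage = x509.KeyUsageCertSign
	}
	if aia != "" {
		tmpl.IssuingCertificateURL = []string{aia}
	}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// NewLab builds root -> inter1 -> inter2 -> server and a fetcher that trusts
// only the root; inter1 carries no AIA because the chain ends at the root.
func NewLab(maxDepth int) (f *Fetcher, server *x509.Certificate) {
	const u1, u2 = "http://aia.example.test/inter1.cer", "http://aia.example.test/inter2.cer"
	root, rk := mkCert("Example Root CA", true, "", nil, nil)
	inter1, k1 := mkCert("Example Intermediate 1", true, "", root, rk)
	inter2, k2 := mkCert("Example Intermediate 2", true, u1, inter1, k1)
	server, _ = mkCert("www.example.test", false, u2, inter2, k2)
	f = &Fetcher{Roots: map[string]*x509.Certificate{root.Subject.String(): root},
		Cache: map[string]*x509.Certificate{}, Files: map[string][]byte{u1: inter1.Raw, u2: inter2.Raw},
		MaxDepth: maxDepth}
	return f, server
}

func main() {
	f, server := NewLab(maxAIADepth)
	for i := 1; i <= 2; i++ { // the second "connection" is served from the cache
		chain, err := f.BuildChain(server)
		fmt.Printf("connection %d: chain %d certs, downloads %d, err %v\n", i, len(chain), f.Downloads, err)
	}
}
```

Running it shows two downloads on the first connection (inter2, then inter1) and none on the second, because both intermediates are now in the cache. Clearing Roots makes chasing continue to inter1, which has no AIA extension, so the chain stays untrusted; lowering MaxDepth to 1 makes the two-intermediate chain fail on the depth cap.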
Decryption logs show the outcome of each certificate fetch in the Server Certificate Status field.