Network Security
Fetch Certificates from Authority Information Access (AIA) URL
Enable the automatic retrieval of missing intermediate certificates using the URL in
the Authority Information Access (AIA) extension.
When a server presents an incomplete certificate chain, the Next-Generation Firewall
(NGFW) can't establish a chain of trust from the server certificate to a trusted
root certificate authority (CA). Typically, this causes the NGFW to drop the
connection, preventing inspection of the SSL/TLS traffic (unless you allow sessions
with untrusted issuers). Browsers also block these connections and display invalid
certificate or insecure connection warnings.
To address this issue, you could manually repair incomplete certificate chains or
bypass decryption for the affected sites. However, manual repair is time-consuming,
and bypassing decryption leaves potentially malicious traffic uninspected. For SSL Forward Proxy sessions, you can enable
automatic fetching of missing intermediate certificates when server certificates
contain the Authority Information Access (AIA) extension. The AIA extension provides
the URL from which the NGFW retrieves the issuing CA's certificate to complete the
certificate chain. Automatic retrieval prevents service disruption, eliminates the
need to bypass decryption, and lightens your operational load.
How Certificate Fetching Using AIA Works
The following process occurs if the server certificate the NGFW received during the
failed TLS handshake contains the AIA extension:
- Check the Intermediate Certificate Cache. The NGFW checks the cache for the missing intermediate certificates. If found, the NGFW verifies that:
  - The Subject Name (SN) of the cached certificates matches the issuer name of the server certificate
  - The cached certificates haven't expired
  - The certificate chain is properly signed
  - The certificate chain leads to a trusted root CA
  If these criteria are met, the TLS handshake proceeds.
- Fetch Certificates from the AIA URL. If the Intermediate Certificate Cache doesn't contain the intermediate certificates, the NGFW downloads the missing intermediate certificates from the AIA URL.
  - The NGFW verifies the newly fetched intermediate certificate as in the previous step. If the certificate isn't signed by a trusted root CA, the NGFW recursively fetches up to two more levels of intermediate certificates (a maximum of three fetches in total).
  - The NGFW verifies that the last fetched certificate is signed by a trusted root CA.
- Add to Intermediate Certificate Cache. The NGFW adds fetched intermediate certificates to the cache so that subsequent TLS sessions with the same server can use them.
The NGFW stores fetched certificates in the cache for up to one week, depending on
certificate expiration dates. If a certificate expires in less than a week, the
cache entry expires when the certificate does. For certificates that have already
expired, the cache entry lasts for one day.
The server remains untrusted, and the connection is handled according to your
policy rules, in the following cases:
- The certificate doesn't contain the AIA extension.
- The connection to the AIA URL times out.
- The AIA URL returns an invalid response.
- The certificate fetched from the AIA URL fails to verify the server certificate (signature verification fails).
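The following Python script is an added example, not Palo Alto Networks code, that models the fetching logic described above: it walks from the server certificate toward a trusted root, checks the intermediate cache first, follows the AIA caIssuers URL for at most three fetches, verifies issuer name, signature and validity period at each step, and caches what it fetched with the one-week/one-day lifetimes. The test PKI (Example Root CA, Example Issuing CA 1 and 2, www.example.test) and the pki.example.test URLs are constructed in the script, the `fetch` function is an in-memory stand-in for the HTTP retrieval over the service route, and the script needs the `cryptography` package.

```python
# Added example (not Palo Alto Networks code): AIA chain completion with the cache, verification and fetch-depth rules described above. Names and URLs are made up.
import datetime as dt
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import AuthorityInformationAccessOID, ExtensionOID, NameOID

MAX_FETCHES, ONE_DAY, ONE_WEEK = 3, dt.timedelta(days=1), dt.timedelta(days=7)

def expires_at(cert):  # notAfter as an aware UTC datetime, across cryptography versions
    exp = getattr(cert, "not_valid_after_utc", None)
    return exp or cert.not_valid_after.replace(tzinfo=dt.timezone.utc)

def signed_by(cert, candidate):
    """True if candidate's subject is cert's issuer and its key verifies cert's signature (EC keys, as in the test PKI)."""
    try:
        candidate.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                      ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return False
    return cert.issuer == candidate.subject

def ca_issuers_url(cert):
    """Return the AIA caIssuers URI, or None when the extension is missing."""
    try:
        aia = cert.extensions.get_extension_for_oid(ExtensionOID.AUTHORITY_INFORMATION_ACCESS).value
    except x509.ExtensionNotFound:
        return None
    urls = [d.access_location.value for d in aia if d.access_method == AuthorityInformationAccessOID.CA_ISSUERS]
    return urls[0] if urls else None

class IntermediateCache:
    """Keyed by subject name; an entry lives min(one week, notAfter), or one day if already expired."""
    def __init__(self):
        self._entries = {}

    def put(self, cert, now):
        exp = expires_at(cert)
        self._entries[cert.subject] = (cert, now + ONE_DAY if exp <= now else min(exp, now + ONE_WEEK))

    def get(self, issuer_name, now):
        cert, until = self._entries.get(issuer_name, (None, now))
        return cert if until > now else None

def complete_chain(server_cert, trusted_roots, fetch, cache, now):
    """Intermediates linking server_cert to a trusted root, or None (server stays untrusted); fetch(url) returns DER bytes or None on timeout."""
    chain, current, fetches = [], server_cert, 0
    while not any(signed_by(current, root) for root in trusted_roots):
        issuer = cache.get(current.issuer, now)
        if issuer is None:
            url = ca_issuers_url(current)
            if url is None or fetches >= MAX_FETCHES:
                return None  # no AIA extension, or more levels than we will fetch
            fetches += 1
            try:
                issuer = x509.load_der_x509_certificate(fetch(url) or b"")
            except ValueError:
                return None  # timeout or invalid response from the AIA URL
        if not signed_by(current, issuer) or expires_at(issuer) <= now:
            return None  # wrong issuer, bad signature, or expired intermediate
        chain.append(issuer)
        current = issuer
    for cert in chain:
        cache.put(cert, now)
    return chain

def make_cert(cn, issuer=None, aia_url=None):
    """Constructed test PKI; issuer is the signer's (cert, key) pair, None for a self-signed root."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    issuer_name, signer = (subject, key) if issuer is None else (issuer[0].subject, issuer[1])
    now = dt.datetime.now(dt.timezone.utc)
    builder = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer_name)
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now - ONE_DAY).not_valid_after(now + 30 * ONE_DAY))
    if aia_url:
        builder = builder.add_extension(x509.AuthorityInformationAccess([x509.AccessDescription(
            AuthorityInformationAccessOID.CA_ISSUERS, x509.UniformResourceIdentifier(aia_url))]), critical=False)
    return builder.sign(signer, hashes.SHA256()), key

def demo():  # Root -> Issuing CA 1 -> Issuing CA 2 -> server; the server sends only its own cert
    now = dt.datetime.now(dt.timezone.utc)
    root = make_cert("Example Root CA")
    ca1 = make_cert("Example Issuing CA 1", root)
    ca2 = make_cert("Example Issuing CA 2", ca1, aia_url="http://pki.example.test/ca1.der")
    leaf = make_cert("www.example.test", ca2, aia_url="http://pki.example.test/ca2.der")
    web = {"http://pki.example.test/ca1.der": ca1[0].public_bytes(serialization.Encoding.DER),
           "http://pki.example.test/ca2.der": ca2[0].public_bytes(serialization.Encoding.DER)}
    fetched, roots, cache = [], [root[0]], IntermediateCache()
    def fetch(url):  # stand-in for the HTTP retrieval over the service route
        fetched.append(url)
        return web.get(url)
    first = complete_chain(leaf[0], roots, fetch, cache, now)
    second = complete_chain(leaf[0], roots, fetch, cache, now)  # served from the cache, no fetch
    junk = complete_chain(leaf[0], roots, lambda u: b"not a cert", IntermediateCache(), now)
    return {"first": [c.subject.rfc4514_string() for c in first], "fetches": len(fetched),
            "second": len(second), "junk": junk}
```

`demo()` completes the chain with two fetches (Issuing CA 2, then Issuing CA 1), completes it again from the cache without fetching, and shows that an invalid response from the AIA URL leaves the server untrusted. A real implementation would also enforce the fetch timeout and route the request over the configured service route.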
To view and manage cached intermediate certificates, go to the Cached
Intermediate Certificates tab in your management interface.
To monitor the status of AIA retrieval, review the Server Certificate Status field in
the decryption logs. After successful certificate fetches, the status displays
Valid by OCSP/CRL. You can use this information to
troubleshoot SSL/TLS connections with incomplete certificate chains and verify if
the feature works correctly.
- Configure a service route for CRL, OCSP, Intermediate Certificates (formerly CRL Status). This feature shares the service route used for CRL and OCSP revocation status checking.
- In your SSL Forward Proxy decryption profiles, enable Automatically Fetch Intermediate Certificates.
- Apply the decryption profiles to the decryption policy rules that manage the affected traffic.
- Commit your changes.
- Verify that automatic retrieval using AIA works:
  - Access a website whose server presents an incomplete certificate chain. The initial session fails, which starts the fetching process.
  - Start a new session by refreshing the page or accessing the website in a new window.
  - Confirm that the browser no longer displays a warning and that you can access the site without issues.
  - Review the decryption logs for the first session and a subsequent session.
    - Server Certificate Status for the first session should note that fetching is in progress.
    - Server Certificate Status for a subsequent session should display Valid by OCSP/CRL.