Troubleshoot Expired Certificates

Find sites that have expired certificates so you can make informed decisions about allowed traffic.
If you follow Decryption best practices and Block sessions with expired certificates in the Forward Proxy Decryption profile or in the No Decryption profile, then if a server presents an expired certificate, the firewall blocks the session. However, if a site that you need to access for business reasons allows its certificate to expire, connections to that site may be blocked and you may not know why.
You can use the Decryption log to check for expired certificates and to check for certificates that will expire soon so you can be aware of the situation and take appropriate action.
  1. Filter the Decryption log for expired certificates using the query (error eq 'Expired server certificate').
    This query identifies servers that generate Expired server certificate errors. The firewall blocks access to these servers because of the expired certificate.
  2. (Optional) Double-check the certificate expiration date at the Qualys SSL Labs site.
    Enter the hostname of the server (Server Name Identification column of the Decryption log) in the Hostname field and Submit it to view certificate information for the host.
  3. Filter the Decryption log (Monitor > Logs > Decryption) for certificates that will expire soon using a query that identifies upcoming certificate end dates.
    For example, if today’s date is February 1, 2020 and you want to give yourself two months to evaluate and prepare in case sites don’t update their certificates, query the Decryption log for certificates that expire April 1, 2020 or earlier: (notafter leq '2020/4/01').
    The Certificate End Date column shows the exact date on which the certificate expires.
  4. Determine the action to take for sites with expired certificates.
    • If you don’t need to access the site for business purposes, the safest action is to continue to block access to the site.
    • If you need to access the site for business purposes, take one of the following actions:
      • Contact the administrator of the site with the expired certificate and notify them that they need to update or renew their certificate.
      • Create a Decryption policy that applies only to the sites with expired certificates that you need for business purposes and a Decryption profile that allows sites with expired certificates. Do not apply the policy to any sites that you don’t need for business purposes. When a site updates its certificate, remove it from the policy.
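
The triage from steps 1 and 3, as an added example that is not from the original page or from the vendor. It assumes the Decryption log has been exported to CSV with hypothetical column names sni, notafter and error; the sample rows are constructed.

```python
import calendar
import csv
import io
from datetime import date, datetime

# Constructed sample export; the column names (sni, notafter, error) are
# assumptions for illustration, not the firewall's actual CSV headers.
SAMPLE_CSV = """sni,notafter,error
portal.example.com,2020/01/15,Expired server certificate
portal.example.com,2020/01/15,Expired server certificate
api.example.net,2020/03/20,
www.example.org,2021/06/30,
"""

def add_months(day, months):
    """Return day shifted by whole months, clamped to the month's last day."""
    index = day.month - 1 + months
    year, month = day.year + index // 12, index % 12 + 1
    last = calendar.monthrange(year, month)[1]
    return date(year, month, min(day.day, last))

def notafter_query(cutoff):
    """Build the step 3 filter in the date style the page's example uses."""
    return f"(notafter leq '{cutoff.year}/{cutoff.month}/{cutoff.day:02d}')"

def triage(csv_text, today, months_ahead=2):
    """Split servers into expired and expiring-soon, one entry per SNI."""
    cutoff = add_months(today, months_ahead)
    expired, soon = {}, {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        end = datetime.strptime(row["notafter"], "%Y/%m/%d").date()
        if end < today or row["error"] == "Expired server certificate":
            expired[row["sni"]] = end
        elif end <= cutoff:
            soon[row["sni"]] = end
    return expired, soon

if __name__ == "__main__":
    today = date(2020, 2, 1)  # the date used in the page's example
    print(notafter_query(add_months(today, 2)))
    expired, soon = triage(SAMPLE_CSV, today)
    for label, hosts in (("expired", expired), ("expiring soon", soon)):
        for sni, end in sorted(hosts.items()):
            print(f"{label}: {sni} (certificate end date {end})")
```

Repeated log entries for the same server collapse to one line per SNI, which gives a short list to work through in step 4.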