Focus

Troubleshoot Expired Certificates

Table of Contents

Filter

Expand All | Collapse All

Next-Generation Firewall Docs

Getting Started
Administration
Version
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
Networking
Version
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
Incidents & Alerts
Release Notes
Version
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)

Identify Untrusted CA Certificates

Troubleshoot Revoked Certificates

Troubleshoot Expired Certificates

Find sites that have expired certificates so you can make informed decisions about allowed traffic.

If you follow Decryption best practices and Block sessions with expired certificates in the Forward Proxy Decryption profile or in the No Decryption profile, then if a server presents an expired certificate, the firewall blocks the session. However, if site that you need to access for business reasons allows its certificate to expire, connections to that site may be blocked and you may not know why.

You can use the Decryption log to check for expired certificates and to check for certificates that will expire soon so you can be aware of the situation and take appropriate action.

Filter the Decryption log for expired certificates using the query (error eq ‘Expired server certificate’).

This query identifies servers that generate Expired server certificate errors. The firewall blocks access to these servers because of the expired certificate.
(Optional) Double-check the certificate expiration date at the Qualys SSL Labs site.
Enter the hostname of the server (Server Name Identification column of the Decryption log) in the Hostname field and Submit it to view certificate information for the host.
Filter the Decryption log (MonitorLogsDecryption) for certificates that will expire soon using a query that identifies upcoming certificate end dates.
For example, if today’s date is February 1, 2020 and you want to give yourself two months to evaluate and prepare in case sites don’t update their certificates, query the Decryption log for certificates that expire April 1 2020 or earlier (notafter leq ‘2020/4/01’)):

The Certificate End Date column shows the eact date on which the certificate expires.
Determine the action to take for sites with expired certificates.
- If you don’t need to access the site for business purposes, the safest action is to continue to block access to the site.
- If you need to access the site for business purposes, take one of the following actions:
  - Contact the administrator of the site with the expired certificate and notify them that they need to update or renew their certificate.
  - Create a Decryption policy that applies only to the sites with expired certificates that you need for business purposes and a Decryption profile that allows sites with expired certificates. Do not apply the policy to any sites that you don’t need for business purposes. When a site updates its certificate, remove it from the policy.

Identify Untrusted CA Certificates

Troubleshoot Revoked Certificates

Next-Generation Firewall Docs

Troubleshoot Expired Certificates

Next-Generation Firewall Docs

Troubleshoot Expired Certificates

Activation & Onboarding

Next-Generation Firewalls

Cloud-Delivered Security Services

Network Security

Visibility & Monitoring

Best Practices

Experts Corner