{"id":4890,"date":"2023-09-29T10:19:21","date_gmt":"2023-09-29T17:19:21","guid":{"rendered":"https:\/\/SUMMALAI.COM\/?p=4890"},"modified":"2023-09-29T10:19:23","modified_gmt":"2023-09-29T17:19:23","slug":"how-to-fix-incomplete-certificate-chains-on-palo-alto-firewalls","status":"publish","type":"post","link":"https:\/\/SUMMALAI.COM\/?p=4890","title":{"rendered":"How to Fix “Incomplete Certificate Chains” on Palo Alto Firewalls"},"content":{"rendered":"\n
  1. Find websites that cause incomplete certificate chain errors.
    1. Filter the Decryption log to identify Decryption sessions that failed because of an incomplete certificate chain.In the filter field, type the query\u00a0(err_index eq Certificate) and (error contains \u2018http\u2019). This query filters the logs for Certificate errors that contain the string \u201chttp\u201d, which finds all of the error entries that contain the CA Issuer URL (often called the URI). The CA Issuer URL is the Authority Information Access (AIA) information for the CA Issuer.<\/li>
    2. Click an\u00a0Error<\/strong>\u00a0column entry that begins \u201cReceived fatal alert UnknownCA from client. CA Issuer URL:\u201d followed by the URI.\"\"The firewall automatically adds the selected error to the query and shows the full URI path (the full URI path may be truncated in the\u00a0Error<\/strong>\u00a0column).<\/li><\/ol><\/li>
    3. Copy and paste the URI into your browser and then press Enter to download the missing intermediate certificate.\"\"<\/li>
    4. Click the certificate to open the dialog box.\"\"<\/li>
    5. Click\u00a0Open<\/strong>\u00a0to open the certificate file.\"\"<\/li>
    6. Select the\u00a0Details<\/strong>\u00a0tab and then click\u00a0Copy to File…<\/strong>.\"\"Follow the export directions. The certificate is copied to the folder you designated as you default download folder.<\/li>
    7. Import the certificate into the firewall.
      1. Navigate to\u00a0DeviceCertificate ManagementCertificates<\/strong>\u00a0and then select\u00a0Import<\/strong>.<\/li>
      2. Browse<\/strong>\u00a0to the folder where you stored the missing intermediate certificate and select it. Leave the\u00a0File Format<\/strong>\u00a0as\u00a0Base64 Encoded Certificate (PEM)<\/strong>.\"\"<\/li>
      3. Name the certificate and specify any other options you want to use, then click\u00a0OK<\/strong>.<\/li><\/ol><\/li>
      4. When the certificate has imported, select the certificate from the\u00a0Device Certificates<\/strong>\u00a0list to open the Certificate Information dialog.<\/li>
      5. Select\u00a0Trusted Root CA<\/strong>\u00a0to mark the certificate as a Trusted Root CA on the firewall and then click\u00a0OK<\/strong>.\"\"In\u00a0DeviceCertificate ManagementCertificatesDevice Certificates<\/strong>, the imported certificate now appears in the list of certificates. Check the\u00a0Usage<\/strong>\u00a0column to confirm that the status is\u00a0Trusted Root CA Certificate<\/strong>\u00a0to verify that the firewall considers the certificate to be a trusted root CA.<\/li>
      6. Commit<\/strong>\u00a0the configuration.<\/li>
      7. You have now repaired the broken certificate chain.The firewall doesn\u2019t block the traffic because the CA issuer is not untrusted anymore. Repeat this process for all missing intermediate certificates to repair their certificate chains.<\/li><\/ol>\n\n\n\n

        Ref: Repair Incomplete Certificate Chains (paloaltonetworks.com)<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

        Find websites that cause incomplete certificate chain errors. Filter the Decryption log to identify Decryption sessions that failed because of an incomplete certificate chain.In the filter field, type the query\u00a0(err_index eq Certificate) and (error contains \u2018http\u2019). This query filters the logs for Certificate errors that contain the string \u201chttp\u201d, which finds all of the error Read More<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_bbp_topic_count":0,"_bbp_reply_count":0,"_bbp_total_topic_count":0,"_bbp_total_reply_count":0,"_bbp_voice_count":0,"_bbp_anonymous_reply_count":0,"_bbp_topic_count_hidden":0,"_bbp_reply_count_hidden":0,"_bbp_forum_subforum_count":0,"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[13,9],"tags":[1691,1690],"class_list":["post-4890","post","type-post","status-publish","format-standard","hentry","category-firewalls","category-networks","tag-incomplete-certificate-chains-palo-alto","tag-incomplete-certificate-chains-palo-alto-firewalls"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/posts\/4890","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4890"}],"version-history":[{"count":1,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/posts\/4890\/revisions"}],"predecessor-version":[{"id":4891,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/posts\/4890\/revisions\/4891"}],"wp:attachment":[{"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4890"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4890"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4890"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}