Understanding Certificate Chains in Palo Alto Networks Firewalls

What is a Certificate Chain?

A certificate chain is an ordered sequence of certificates in which each certificate is signed by the one that follows it. The chain starts with the end-entity (leaf) certificate presented by the server and ends with a self-signed root certificate that the firewall already trusts; the certificates in between are intermediate CA certificates. The purpose of the chain is to establish a verifiable path of trust from the end-entity certificate back to a trusted root certificate authority (CA).

Built-in Trusted Certificates

Palo Alto Networks firewalls come preloaded with a set of trusted root CA certificates, known as the Default Trusted Certificate Authorities. These roots are the trust anchors the firewall uses to validate certificates presented during SSL/TLS handshakes. The list of default trusted CAs can be viewed and managed in the web interface.

Note that this preloaded store contains root certificates only. Intermediate CA certificates are not included by default and must be imported manually if a server's chain depends on an intermediate that the server itself does not send.

Adding a Certificate That Is Not Trusted

If a certificate presented by a server is not trusted by the firewall (that is, no certificate in its chain leads to a CA in the trusted list), you can add the issuing CA manually:

  1. Obtain the CA certificate (the root, or the intermediate that issued the server certificate) from the server operator or the CA. Import the CA certificate, not the server's own leaf certificate.
  2. Navigate to Device > Certificate Management > Certificates.
  3. Click Import and upload the certificate.
  4. After importing, select the certificate and mark it as a Trusted Root CA.

This establishes trust for every certificate issued under that CA, so import only CAs you have verified out of band, for example by comparing the certificate fingerprint with one published by the CA. Marking an intermediate CA as a trusted root anchors trust at that intermediate: trust anchors are not themselves validated, so the firewall no longer checks that the intermediate chains to a real root. Where the root is available, importing the root (and the intermediate as an ordinary certificate) is the cleaner option.

How Certificate Chains Work

During an SSL/TLS handshake, the server presents its certificate chain to the client (here, the firewall). The firewall validates the chain by checking each certificate's signature against its issuer's public key, working upward from the leaf until it reaches a CA in its trusted store. If any link is missing, expired, or carries an invalid signature, validation fails.

The server should therefore send a complete chain: its own certificate followed by every intermediate CA certificate, in order. The root itself does not need to be sent, because the firewall must already hold it as a trust anchor. If an intermediate is missing from the handshake and has not been imported on the firewall, the firewall cannot build a path to the root and validation fails even though the root CA is trusted. A quick way to see what a server actually sends is to inspect the presented chain with a TLS client such as openssl s_client -showcerts.
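The following Go program is an added example, not code from the original page or from Palo Alto Networks. It constructs a throwaway PKI (a self-signed root, an intermediate, and a server certificate; the names and the host www.example.test are hypothetical) and runs the server certificate through chain validation under four conditions: the server sends the full chain; the server omits the intermediate; the intermediate has been imported into the local store, as the section on built-in certificates says must be done manually; and the intermediate itself has been marked as a trusted root. Go's crypto/x509 verifier stands in for the firewall's validation logic here; PAN-OS is not involved.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// serverName is the hypothetical host the constructed leaf certificate is issued for.
const serverName = "www.example.test"

var nextSerial int64 // serial counter for the demo CAs (real CAs use random serials)

// issue creates a certificate for cn: self-signed when parent is nil (a root),
// otherwise signed by parent with parentKey.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	nextSerial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(nextSerial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// buildPKI constructs the demo hierarchy and returns (root, intermediate, leaf).
func buildPKI() (*x509.Certificate, *x509.Certificate, *x509.Certificate) {
	root, rootKey := issue("Demo Root CA", true, nil, nil)
	inter, interKey := issue("Demo Issuing CA", true, root, rootKey)
	leaf, _ := issue(serverName, false, inter, interKey)
	return root, inter, leaf
}

// validate plays the firewall's role in the handshake. presented is the chain
// the server sent (leaf first); localIntermediates are intermediate CA
// certificates imported into the firewall's own store; trusted are the
// certificates treated as trust anchors (the default trusted CAs plus anything
// marked as a trusted root CA). Chain building may use both sets of intermediates.
func validate(presented, localIntermediates, trusted []*x509.Certificate) error {
	anchors := x509.NewCertPool()
	for _, c := range trusted {
		anchors.AddCert(c)
	}
	inters := x509.NewCertPool()
	for _, c := range presented[1:] {
		inters.AddCert(c)
	}
	for _, c := range localIntermediates {
		inters.AddCert(c)
	}
	_, err := presented[0].Verify(x509.VerifyOptions{
		DNSName:       serverName,
		Roots:         anchors,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	root, inter, leaf := buildPKI()
	cs := func(c ...*x509.Certificate) []*x509.Certificate { return c }
	fmt.Printf("%-44s err=%v\n", "full chain sent, root trusted", validate(cs(leaf, inter), nil, cs(root)))
	fmt.Printf("%-44s err=%v\n", "intermediate omitted by server", validate(cs(leaf), nil, cs(root)))
	fmt.Printf("%-44s err=%v\n", "intermediate omitted, imported on firewall", validate(cs(leaf), cs(inter), cs(root)))
	fmt.Printf("%-44s err=%v\n", "intermediate itself marked trusted root CA", validate(cs(leaf), nil, cs(inter)))
}
```

The second case is the failure the text warns about: the root is trusted, but with the intermediate absent from both the handshake and the local store there is no path from the leaf to it. The third case shows why importing the intermediate on the firewall repairs it without changing the server, and the fourth shows the effect of marking the intermediate as a trust anchor: validation stops there and the root is never consulted.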

Common Causes of Certificate Validation Failure

To troubleshoot certificate validation issues, you can:
