Locate and install missing intermediate certificates
to fix incomplete certificate chains using the Decryption log.
Not all websites send their complete certificate
chain even though the
RFC 5246 TLSv1.2 standard requires
authenticated servers to provide a valid certificate chain leading
to an acceptable certificate authority. When you enable decryption
and apply a Forward Proxy Decryption profile that enables
Block
sessions with untrusted issuers in the Decryption policy,
if an intermediate certificate is missing from the certificate list the
website’s server presents to the firewall, the firewall can’t construct
the certificate chain to the top (root) certificate. In these cases,
the firewall presents its Forward Untrust Certificate to the client
because the firewall cannot construct the chain to the root certificate
and trust cannot be established without the missing intermediate
certificate.
If
a website you need to communicate with for business purposes has
one or more missing intermediate certificates and the Decryption
profile blocks sessions with untrusted issuers, then you can find
and download the missing intermediate certificate and install it
on the firewall as a Trusted Root CA so that the firewall trusts the
site’s server. (The alternative is to contact the website owner
and ask them to configure their server so that it sends the intermediate
certificate during the handshake.)
If you allow sessions
with untrusted issuers in the Decryption profile, the firewall establishes
sessions even if the issuer is untrusted; however, it is a best
practice to block sessions with untrusted issuers for better security.