Palo Alto Networks | PAN-199099

The earliest recollection of this bug is traced back to PAN-OS 10.1.8 - May 15, 2024. This bug is fixed in PAN-OS versions 10.2.3, 10.1.8. Fixed an issue where, when decryption was enabled, Safari and Google Chrome browsers on Apple Mac computers rejected the server certificate created by the firewall because the Authority Key Identifier was copied from the original server certificate and did not match the Subject Key Identifier on the forward trust certificate. When decryption is enabled, Safari and Google Chrome browsers on Mac computers running macOS Monterey or later reject the server certificates firewalls present. The browsers cannot validate the chain of trust for the certificates because the Authority Key Identifier (AKID) of the server certificates and the Subject Key Identifier (SKID) of the forward trust certificate do not match. Workaround: Use a forward trust certificate that does not contain AKID or SKID extensions. For more information: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-release-notes/pan-os-10-1-8-known-and-addressed-issues/pan-os-10-1-8-addressed-issues https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-release-notes/pan-os-10-2-2-known-and-addressed-issues/pan-os-10-2-2-known-issues https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-release-notes/pan-os-10-2-3-known-and-addressed-issues/pan-os-10-2-3-addressed-issues