Troubleshoot Unknown or Bad Certificates or Certificate Authorities

You can view connection events to determine whether devices are seeing connections that fail because of unknown certificate authorities, bad certificates, or unknown certificates. This procedure can also be used to investigate a TLS/SSL certificate that has been pinned by the client. You must add at least the SSL Flow Flags and SSL Flow Messages columns to the table view of connection events.

Before you begin

Procedure

Step 1

Click Analysis > Connections > Events.

Step 2

Click Table View of Connection Events.

Step 3

Click x on any column in the connection events table to add additional columns; add at least SSL Flow Flags and SSL Flow Messages.

The following example shows adding the SSL Actual Action, SSL Flow Error, SSL Flow Flags, SSL Flow Messages, SSL Policy, and SSL Rule columns to the table of connection events.

The columns are added in the order discussed in the section on connection and security intelligence event fields in the Secure Firewall Management Center and Threat Defense Management Network Administration guide.

Step 4

Click Apply.

Step 5

The following table discusses how you can determine if a certificate or certificate authority is bad or missing.

SSL flow flag / Meaning

CLIENT_ALERT_SEEN_UNKNOWN_CA
    Indicates that a valid certificate chain or partial chain was received by an SSL client application, but the certificate was not accepted because the CA certificate could not be located or could not be matched with a known, trusted CA. This message always indicates an unrecoverable error.

CLIENT_ALERT_SEEN_BAD_CERTIFICATE
    A certificate was corrupt, contained signatures that did not verify correctly, or had other problems.

CLIENT_ALERT_SEEN_CERTIFICATE_UNKNOWN
    Some other (unspecified) issue arose in processing the certificate, rendering it unacceptable.
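The three flags above correspond to the TLS alert descriptions unknown_ca (48), bad_certificate (42) and certificate_unknown (46) from RFC 5246. The following script is an added example, not Cisco's code: it reads an exported connection-events CSV that contains the columns named in Step 3, counts the certificate-related alert flags per server, and singles out servers whose alerts occur only on flows the firewall re-signed, which is the pattern you would expect from a pinned certificate or a client that does not trust the re-signing CA. The sample export, the hosts, the "Decrypt - Resign" action label and the semicolon flag separator are assumptions constructed for the example; adjust the column and action strings to match your own export.

```python
import csv
import io
import re
from collections import Counter, defaultdict

# Flags from the table on this page, mapped to the TLS AlertDescription
# value and name they correspond to (RFC 5246, section 7.2.2) plus a triage hint.
CERT_ALERT_FLAGS = {
    "CLIENT_ALERT_SEEN_UNKNOWN_CA": (48, "unknown_ca",
        "client could not find or match a trusted CA for the chain (unrecoverable)"),
    "CLIENT_ALERT_SEEN_BAD_CERTIFICATE": (42, "bad_certificate",
        "certificate corrupt or its signatures did not verify"),
    "CLIENT_ALERT_SEEN_CERTIFICATE_UNKNOWN": (46, "certificate_unknown",
        "unspecified problem made the certificate unacceptable"),
}

# Constructed sample export (not a real one). Column names are the ones the
# page tells you to add; hosts, action labels and the ';' separator are assumed.
SAMPLE_EXPORT = """\
Initiator IP,Responder IP,Server Name,SSL Actual Action,SSL Flow Flags,SSL Flow Messages
10.0.0.21,203.0.113.10,pinned.example.test,Decrypt - Resign,CLIENT_ALERT_SEEN_UNKNOWN_CA;SERVER_HELLO_DONE,CLIENT_HELLO SERVER_HELLO
10.0.0.21,203.0.113.10,pinned.example.test,Decrypt - Resign,CLIENT_ALERT_SEEN_UNKNOWN_CA,CLIENT_HELLO SERVER_HELLO
10.0.0.33,198.51.100.7,ok.example.test,Do Not Decrypt,SERVER_HELLO_DONE,CLIENT_HELLO SERVER_HELLO
10.0.0.40,198.51.100.9,broken.example.test,Decrypt - Resign,CLIENT_ALERT_SEEN_BAD_CERTIFICATE,CLIENT_HELLO SERVER_HELLO
10.0.0.41,198.51.100.9,broken.example.test,Do Not Decrypt,CLIENT_ALERT_SEEN_CERTIFICATE_UNKNOWN,CLIENT_HELLO SERVER_HELLO
"""

# Accept ';', ',', '|' or whitespace between flags (assumed separators).
FLAG_SPLIT = re.compile(r"[;,|\s]+")


def split_flags(field):
    """Split the SSL Flow Flags field into individual flag names."""
    return [f for f in FLAG_SPLIT.split(field.strip()) if f]


def certificate_alerts(row):
    """Return (flag, alert_code, alert_name, hint) for each certificate alert flag in a row."""
    found = []
    for flag in split_flags(row.get("SSL Flow Flags", "")):
        if flag in CERT_ALERT_FLAGS:
            code, name, hint = CERT_ALERT_FLAGS[flag]
            found.append((flag, code, name, hint))
    return found


def triage(export_text):
    """Summarise certificate alerts per server from an exported connection-events CSV.

    Returns {server: {"flags": Counter, "decrypted": int, "total": int}} for
    servers that produced at least one certificate-related alert.
    """
    per_server = defaultdict(lambda: {"flags": Counter(), "decrypted": 0, "total": 0})
    for row in csv.DictReader(io.StringIO(export_text)):
        alerts = certificate_alerts(row)
        if not alerts:
            continue
        server = row.get("Server Name") or row.get("Responder IP", "?")
        entry = per_server[server]
        entry["total"] += 1
        # Assumed action label: treat anything starting with "Decrypt" as re-signed traffic.
        if row.get("SSL Actual Action", "").startswith("Decrypt"):
            entry["decrypted"] += 1
        for flag, _code, _name, _hint in alerts:
            entry["flags"][flag] += 1
    return dict(per_server)


def likely_pinning(summary):
    """Servers whose every alert-bearing flow was re-signed: pinning or trust-store suspects."""
    return sorted(s for s, e in summary.items()
                  if e["total"] > 0 and e["decrypted"] == e["total"])


if __name__ == "__main__":
    summary = triage(SAMPLE_EXPORT)
    for server, entry in summary.items():
        print(f"{server}: {entry['total']} alert flows, {entry['decrypted']} re-signed")
        for flag, n in entry["flags"].items():
            code, name, hint = CERT_ALERT_FLAGS[flag]
            print(f"  {flag} -> TLS alert {code} {name}: {hint} (x{n})")
    print("pinning / untrusted-CA suspects:", likely_pinning(summary))
```

Run it against a real export by replacing SAMPLE_EXPORT with the file contents; a server that only appears in the suspects list when decryption is on, and never under "Do Not Decrypt", is the one to exempt from re-signing or whose clients need the re-signing CA installed.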