Troubleshooting Tip: Certificate error when attempting to access certain websites with the Application Control Update category set to block
**Description**

This article describes why a certificate error occurs for certain websites when the Application Control Update category is set to block.

**Scope**

FortiGate.

**Solution**

A certificate signed by an intermediate CA needs the full certificate chain to establish a chain of trust. The Authority Information Access (AIA) extension of an X.509 certificate tells the browser where it can fetch a missing intermediate certificate.

The browser connects to the URL in that extension field, which usually points to the Certificate Authority (CA) that hosts the intermediate certificate file.

When the Application Control security profile blocks the Update category, the block also covers the 'Root.Certificate.URL' signature, so the connection to the URL in the AIA extension field is blocked as well. The certificate chain of the website cannot be completed, and the browser shows a certificate error.

To fix this, go to the Application Control security profile section and edit the profile applied to the IPv4 policy that allows the traffic. Under Application and Filter Overrides, select Create New, search for the 'Root.Certificate.URL' signature, and set the action to Allow.

The same settings can be applied using the CLI:

Once done, clear the browser cache or open the website in a new incognito window for the change to take effect.
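An added diagnostic, not part of this article, for confirming the cause described above: it reads the CA Issuers URL from the leaf certificate's AIA extension (the URL the browser must reach) and checks whether the server already sends its intermediate, in which case no AIA fetch is needed. It assumes the openssl CLI; the CA, leaf certificate and AIA URL it builds are constructed locally.

```shell
# Added example, not from the Fortinet article: does a server's certificate
# chain rely on the browser fetching the intermediate through the AIA
# extension (the fetch the Update category block stops)? Assumes the openssl
# CLI. Input: PEM bundle, leaf first, as saved from `openssl s_client -showcerts`.
# The certificates built below are constructed; the AIA URL is a placeholder.

# Print the CA Issuers URI(s) from a certificate's AIA extension.
aia_ca_issuers() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^[[:space:]]*CA Issuers - URI://p'
}

# Return 0 when the leaf's issuer DN matches no other certificate's subject DN
# in the bundle (the browser must follow AIA), 1 when the issuer is sent.
chain_needs_aia_fetch() {
    tmp=$(mktemp -d)
    awk -v d="$tmp" '/BEGIN CERT/{n++} n{print > (d "/c" n ".pem")}' "$1"
    issuer=$(openssl x509 -in "$tmp/c1.pem" -noout -issuer)
    rc=0
    for f in "$tmp"/c*.pem; do
        [ "$f" = "$tmp/c1.pem" ] && continue
        subj=$(openssl x509 -in "$f" -noout -subject)
        [ "${issuer#issuer=}" = "${subj#subject=}" ] && rc=1
    done
    rm -rf "$tmp"
    return $rc
}

# Build a constructed intermediate CA and a leaf whose AIA points at the
# placeholder URL; write the leaf alone to $1 and leaf plus issuer to $2.
build_sample_chain() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$dir/ca.key" \
        -out "$dir/ca.pem" -subj "/CN=Constructed Intermediate CA" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/leaf.key" \
        -out "$dir/leaf.csr" -subj "/CN=www.example.test" 2>/dev/null
    echo "authorityInfoAccess=caIssuers;URI:http://aia.example.test/int.crt" \
        >"$dir/ext.cnf"
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -extfile "$dir/ext.cnf" -out "$1" 2>/dev/null
    cat "$1" "$dir/ca.pem" >"$2"
    rm -rf "$dir"
}

# Demo: the leaf alone needs the AIA fetch, the full chain does not.
work=$(mktemp -d)
build_sample_chain "$work/leaf.pem" "$work/bundle.pem"
echo "AIA CA Issuers URL: $(aia_ca_issuers "$work/leaf.pem")"
chain_needs_aia_fetch "$work/leaf.pem" && echo "leaf only: AIA fetch needed"
chain_needs_aia_fetch "$work/bundle.pem" || echo "full chain: no AIA fetch"
```

If a real site's bundle reports that an AIA fetch is needed, the printed URL is the one that must be reachable through the FortiGate once the override is in place; a server that sends its full chain does not depend on it.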

