topic Re: Change forward decrypt trust cert to a new one. in General Topics

Change forward decrypt trust cert to a new one.

djon — Tue, 24 Jan 2023 00:18:14 GMT

I have forward ssl decrypt running and I want to change the cert I use. Can only have one forward trust cert at a time. If I deselect forward trust box I get commit error because my ssl decrypt policies don't have a forward trust cert. I can't select forward trust on the new cert until the old cert has forward trust deselected.

So now what do I do? Thanks.

Re: Change forward decrypt trust cert to a new one.

emr_1 — Tue, 24 Jan 2023 00:42:19 GMT

You don't need to "deselect and commit".

Just change cert and commit will work (at least worked on my lab / pan-os 10.1.6-h6)

Re: Change forward decrypt trust cert to a new one.

djon — Tue, 24 Jan 2023 22:12:27 GMT

Thanks for response. I am not able to select Forward Trust Cert option.

The new cert is the Issuing CA Trusted Root chained from the Root CA if this makes ant sense.

Re: Change forward decrypt trust cert to a new one.

emr_1 — Wed, 25 Jan 2023 00:38:31 GMT

Do you have private key for it?

Following two screenshots are sample that shows what happens if you did not import private key ( looks same as your result):

Re: Change forward decrypt trust cert to a new one.

djon — Wed, 25 Jan 2023 02:08:27 GMT

No priv. key. We are making a new cert from our CA and including keys so we can d/l the cert and key. We just have to figure the flavor of cert (usage etc). We made the current one so we should be able to make a new one. Thanks for the tip on needing the priv key to qual for Forward trust.