topic Re: Foward Trust Cert and MacBook Pro in General Topics

Foward Trust Cert and MacBook Pro

M.Sullivan271926 — Tue, 21 Apr 2026 14:52:40 GMT

I have a problem with my PAN generated FTC when used by MacBook Pro. My PANOS is 11.2.10-h3 and the test MBP is Sonoma 14.8.4.

The FTC is loaded on the System Key Chain and is set to "Always Trust". The x509 basic constraints CA is TRUE as inspected on the MBP.

Yet when I browse a site with a decryption policy, the resulting cert from the FTC is not trusted.

Of course, the Windows clients work fine.

Is anyone using the FTC on a modern MBP? How did you setup the FTC?

Thanks for any insights you have.

Cheers,

Mike

Re: Foward Trust Cert and MacBook Pro

BPry — Tue, 21 Apr 2026 15:50:27 GMT

@M.Sullivan271926,

What did you use to generate your forward trust certificate, just the firewall itself? What did you use for your cryptography settings when you generated the certificate? macOS doesn't have extremely unique requirements for trusting a CA outside of ensuring that it's set to always trusted within Keychain.

Re: Foward Trust Cert and MacBook Pro

M.Sullivan271926 — Tue, 21 Apr 2026 18:37:25 GMT

Hi @BPry

Thanks for the reply. I used the FW to generate the cert. default crypto settings. I'm getting ready to test another cert. I used openssl to include the CRL Sign key usage along with the normal CA constraints. I saw somewhere that new MacOS versions wanted the CRL attribute in order to work. Anyway, I'll be testing it in a few minutes...

Re: Foward Trust Cert and MacBook Pro

M.Sullivan271926 — Tue, 21 Apr 2026 20:53:12 GMT

I setup a new cert and made sure to set these attributes (in the conf file using openssl):
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, CRLSign

I'm happy to say that the Mac clients are now happy. I dont know when this changed, but the modern MacOS seems to want the crl sign attribute assigned.

Cheers,

Mike