https://live.paloaltonetworks.com/t5/general-topics/enabling-forward-trust-certificate/m-p/26940#M19677 <HTML><HEAD></HEAD><BODY><P>Hi all, </P><P></P><P>I'm hoping someone can assist. </P><P></P><P>I can't enable the Forward Trust option for a cert that I generate using either a self-signed CA or 3rd party CA.&nbsp; The check is either greyed out or it's an option but doesn't keep the check after I hit OK. Any idea on how to get this working?</P><P></P><P>Thanks!</P></BODY></HTML> Thu, 05 Feb 2015 17:09:18 GMT Dmaurice-nci 2015-02-05T17:09:18Z https://live.paloaltonetworks.com/t5/general-topics/enabling-forward-trust-certificate/m-p/26940#M19677 <HTML><HEAD></HEAD><BODY><P>Hi all, </P><P></P><P>I'm hoping someone can assist. </P><P></P><P>I can't enable the Forward Trust option for a cert that I generate using either a self-signed CA or 3rd party CA.&nbsp; The check is either greyed out or it's an option but doesn't keep the check after I hit OK. Any idea on how to get this working?</P><P></P><P>Thanks!</P></BODY></HTML> Thu, 05 Feb 2015 17:09:18 GMT https://live.paloaltonetworks.com/t5/general-topics/enabling-forward-trust-certificate/m-p/26940#M19677 Dmaurice-nci 2015-02-05T17:09:18Z https://live.paloaltonetworks.com/t5/general-topics/enabling-forward-trust-certificate/m-p/26941#M19678 <HTML><HEAD></HEAD><BODY><P>Please look into this discussion threat, it might help you: <A href="https://live.paloaltonetworks.com/message/45688">Re: Can not check Forward Trust Certificate</A></P><P></P><P>Thanks</P></BODY></HTML> Thu, 05 Feb 2015 17:50:01 GMT https://live.paloaltonetworks.com/t5/general-topics/enabling-forward-trust-certificate/m-p/26941#M19678 HULK 2015-02-05T17:50:01Z https://live.paloaltonetworks.com/t5/general-topics/enabling-forward-trust-certificate/m-p/26942#M19679 <HTML><HEAD></HEAD><BODY><P>For 3rd Party CA, it will allow you to do that. That option would be greyed out.</P><P></P><P>For self sign CA, you will need to follow following steps :</P><P></P><P>Under Device -&gt; Certificate Management -&gt; Certificates click Generate Certificate, give it appropriate Name and common Name then click on Certificate Authority</P><P></P><P><IMG alt="cert1.JPG" class="image-0 jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/18177_cert1.JPG" style="height: 395px; width: 620px;" /></P><P></P><P>Click OK.</P><P></P><P>Once the certificate is created, you should see both CA and Key option checked. </P><P></P><P><IMG alt="cert2.JPG" class="image-1 jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/18178_cert2.JPG" style="height: 94px; width: 620px;" /></P><P></P><P>Verify that is the case. Then click on certificate, you should have Both Forward Trust and Forward Untrust option to check. Hope this helps. Thank you.</P></BODY></HTML> Thu, 05 Feb 2015 18:15:11 GMT https://live.paloaltonetworks.com/t5/general-topics/enabling-forward-trust-certificate/m-p/26942#M19679 ssharma 2015-02-05T18:15:11Z https://live.paloaltonetworks.com/t5/general-topics/enabling-forward-trust-certificate/m-p/26943#M19680 <HTML><HEAD></HEAD><BODY><P>Thanks hulk. I've tried these suggestions already and no luck. Even when I use a self-signed CA, I don't have the ability to enable Forward Trust Certificate...the box is greyed out. </P></BODY></HTML> Thu, 05 Feb 2015 18:26:59 GMT https://live.paloaltonetworks.com/t5/general-topics/enabling-forward-trust-certificate/m-p/26943#M19680 Dmaurice-nci 2015-02-05T18:26:59Z https://live.paloaltonetworks.com/t5/general-topics/enabling-forward-trust-certificate/m-p/26944#M19681 <HTML><HEAD></HEAD><BODY><P>Thanks ssharma. I've tried these steps and still no luck. I'm on the phone with PAN support now. </P></BODY></HTML> Thu, 05 Feb 2015 18:39:58 GMT https://live.paloaltonetworks.com/t5/general-topics/enabling-forward-trust-certificate/m-p/26944#M19681 Dmaurice-nci 2015-02-05T18:39:58Z https://live.paloaltonetworks.com/t5/general-topics/enabling-forward-trust-certificate/m-p/26945#M19682 <HTML><HEAD></HEAD><BODY><P>Hi guys, </P><P></P><P>I've found out what the problem was. </P><P></P><P>When using multiple virtual systems, if the Location drop-down menu under Device Certificates is set to "Shared", I am able to reproduce the problem where I can check the checkbox for Forward Trust Certificate, click OK, but then the check disappears. When I select a specific virtual system, I can see that the Forward Trust Certificate is checked and I can also remove the check. So the key is to be in an actual virtual context when enabling or disabling the Forward Trust Certificate option, rather than be in the shared context.</P><P></P><P>The WebUI is misleading because under the shared context, the Forward Trust Certificate checkbox displays as an option and can be checked, but since the check disappears after clicking OK, it gives the impression that the feature is not enabled. The logs even show that the option was set successfully in the config logs. The WebUI should be updated to let the user know that the option should only be enabled under the appropriate virtual context. </P><P></P><P>PA support also didn't know about this behaviour and they mentioned that they'll be writing a KB article to document it.</P></BODY></HTML> Thu, 05 Feb 2015 19:25:36 GMT https://live.paloaltonetworks.com/t5/general-topics/enabling-forward-trust-certificate/m-p/26945#M19682 Dmaurice-nci 2015-02-05T19:25:36Z