https://live.paloaltonetworks.com/t5/general-topics/ssl-offloading-forward-trust-grayed-out/m-p/44203#M32451 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I already have a local Microsoft Root CA in our Network.</P><P>Does this mean that I have to make my device PA as Sub-CA to this Root CA ??</P><P></P><P>If so, are there any documentation on how to make my PA a sub CA to my local Root CA ?</P><P></P><P>Regards</P><P></P><P>RZ</P></BODY></HTML> Sun, 06 Jul 2014 07:47:36 GMT rz185016 2014-07-06T07:47:36Z https://live.paloaltonetworks.com/t5/general-topics/ssl-offloading-forward-trust-grayed-out/m-p/44200#M32448 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I have created a certificate from my local CA and also have imported the CSR from PA to the local CA, created the </P><P>identity certificate, all is well, but it seems I am not able to "Check Box" the "Forward Trust Certificate" on the&nbsp; PA.<IMG alt="Device Certificate.jpg" class="image-0 jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/14297_Device Certificate.jpg" style="font-size: 10pt; line-height: 1.5em; height: 101px; width: 620px;" /></P><P><IMG alt="Forward trust certificate.jpg" class="image-1 jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/14298_Forward trust certificate.jpg" style="height: auto;" /></P><P></P><P>This it seems is a necessary step while configuring SSL offloading.</P><P>Any clues on what needs to be done ....</P><P></P><P>Please see attached.</P><P></P><P>Regards,</P><P></P><P>Tauseef</P></BODY></HTML> Sun, 06 Jul 2014 04:35:57 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-offloading-forward-trust-grayed-out/m-p/44200#M32448 rz185016 2014-07-06T04:35:57Z https://live.paloaltonetworks.com/t5/general-topics/ssl-offloading-forward-trust-grayed-out/m-p/44201#M32449 <HTML><HEAD></HEAD><BODY><P>Hi RZ,</P><P></P><P>If certificate is selfsigned Root Certificate then option for "Forward Trust Certificate" &amp; "Foreard Untrust Certificate" are Enabled. For selfsigned Root Certificate refer following image.</P><P><IMG alt="Root_Cert.png" class="image-0 jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/14299_Root_Cert.png" style="height: auto;" /></P><P>In your case you may not have checked option for Root Certificate. Apart from "self signed Root Cert", Suboardinate Root Certificate is supported for requested option.</P><P></P><P>Fore more information on SSL certificate refer bellow link. Go through Page 14 for certificate request.</P><P><A href="https://live.paloaltonetworks.com/docs/DOC-1937">PAN SSL Certificates</A></P><P></P><P>Regards,</P><P>Hardik Shah</P></BODY></HTML> Sun, 06 Jul 2014 06:13:28 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-offloading-forward-trust-grayed-out/m-p/44201#M32449 hshah 2014-07-06T06:13:28Z https://live.paloaltonetworks.com/t5/general-topics/ssl-offloading-forward-trust-grayed-out/m-p/44202#M32450 <HTML><HEAD></HEAD><BODY><P>If certificate is not "self signed root CA" or "Subordinate Root CA" than it can not generate new certificate.</P><P></P><P>thats why non-Root CA cert doesnt work in decryption.</P></BODY></HTML> Sun, 06 Jul 2014 06:20:20 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-offloading-forward-trust-grayed-out/m-p/44202#M32450 hshah 2014-07-06T06:20:20Z https://live.paloaltonetworks.com/t5/general-topics/ssl-offloading-forward-trust-grayed-out/m-p/44203#M32451 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I already have a local Microsoft Root CA in our Network.</P><P>Does this mean that I have to make my device PA as Sub-CA to this Root CA ??</P><P></P><P>If so, are there any documentation on how to make my PA a sub CA to my local Root CA ?</P><P></P><P>Regards</P><P></P><P>RZ</P></BODY></HTML> Sun, 06 Jul 2014 07:47:36 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-offloading-forward-trust-grayed-out/m-p/44203#M32451 rz185016 2014-07-06T07:47:36Z https://live.paloaltonetworks.com/t5/general-topics/ssl-offloading-forward-trust-grayed-out/m-p/44204#M32452 <HTML><HEAD></HEAD><BODY><P>Also,</P><P>What way can I monitor or have an historical view of "SSL Decrypted" statistics.... ?</P><P>How can I know how many sessions are currently decrypted for which users and so on ?</P><P></P><P>Please advise</P></BODY></HTML> Sun, 06 Jul 2014 08:37:24 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-offloading-forward-trust-grayed-out/m-p/44204#M32452 rz185016 2014-07-06T08:37:24Z https://live.paloaltonetworks.com/t5/general-topics/ssl-offloading-forward-trust-grayed-out/m-p/44205#M32453 <HTML><HEAD></HEAD><BODY><P><SPAN class="j-post-author"><STRONG><A _jive_internal="true" class="jiveTT-hover-user jive-username-link" data-avatarid="-1" data-externalid="" data-presence="null" data-userid="14265" data-username="rz185016" href="https://live.paloaltonetworks.com/people/rz185016">rz185016</A></STRONG></SPAN></P><P></P><P>See the instructions in this document to use your MS CA with SSL decryption.</P><P><A href="https://live.paloaltonetworks.com/docs/DOC-3486">How to Implement Certificates Issued from Microsoft Certificate Services</A></P><P></P><P>You can check the general statistics using:</P><P></P><P><SPAN style="font-family: 'courier new', courier;">&gt;debug sslmgr statistics</SPAN></P></BODY></HTML> Sun, 06 Jul 2014 10:05:08 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-offloading-forward-trust-grayed-out/m-p/44205#M32453 pulukas 2014-07-06T10:05:08Z