https://live.paloaltonetworks.com/t5/general-topics/external-ca-certificate-options-greyed-out/m-p/76451#M42322 <P>Ah that's a shame.</P> <P>&nbsp;</P> <P>I'm sure I can use an External CA for SSL Forward Proxy, I just needed to mark the certifcate as the Trusted Root CA, as well as Forward Trust and Untrust. This wasn't done and should work otherwise..?</P> <P>&nbsp;</P> <P><A href="https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/decryption/configure-ssl-forward-proxy" target="_blank">https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/decryption/configure-ssl-forward-proxy</A></P> <P>&nbsp;</P> <P>Regarding the screenshots, I had tried to edit the subordinate certificates which you can't change as they're generated off of the back of the Trusted Root cert.</P> <P><BR />Thanks&nbsp;<BR />Jack</P> Thu, 14 Apr 2016 21:57:33 GMT Jack_Howells 2016-04-14T21:57:33Z https://live.paloaltonetworks.com/t5/general-topics/external-ca-certificate-options-greyed-out/m-p/76406#M42305 <P>Hi guys,</P> <P>&nbsp;</P> <P>I've followed the documentation on how to generate a CSR (<A href="https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Generate-a-CSR-Certificate-Signing-Request-and-Import-the/ta-p/53593)" target="_blank">https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Generate-a-CSR-Certificate-Signing-Request-and-Import-the/ta-p/53593)</A> but when importing the certificate I'm only able to select one option, as shown below.</P> <P>&nbsp;</P> <P><IMG src="https://ip1.i.lithium.com/0ac89fb7fd15b782445c0b6fa03f274c81b0faff/68747470733a2f2f73797374656d2e6e657473756974652e636f6d2f636f72652f6d656469612f6d656469612e6e6c3f69643d3536333939313126633d37373335393426683d3365353730323138316564613866396334323664267768656e63653d" border="0" /></P> <P><IMG src="https://ip1.i.lithium.com/109f6350090857344dbdb4eca950aba1d1c12a9d/68747470733a2f2f73797374656d2e6e657473756974652e636f6d2f636f72652f6d656469612f6d656469612e6e6c3f69643d3536333939313026633d37373335393426683d6535643438623761383864643563346565326633267768656e63653d" border="0" width="1028" height="144" /></P> <P>&nbsp;</P> <P>Could you please help explain why they're greyed out?</P> <P>&nbsp;</P> <P>Thanks</P> <P>&nbsp;</P> Thu, 14 Apr 2016 10:44:33 GMT https://live.paloaltonetworks.com/t5/general-topics/external-ca-certificate-options-greyed-out/m-p/76406#M42305 Jack_Howells 2016-04-14T10:44:33Z https://live.paloaltonetworks.com/t5/general-topics/external-ca-certificate-options-greyed-out/m-p/76407#M42306 <P>Edit:</P> <P>&nbsp;</P> <P>I'm trying to use this External CA for SSL Forward Proxy.</P> <P>&nbsp;</P> Thu, 14 Apr 2016 10:45:07 GMT https://live.paloaltonetworks.com/t5/general-topics/external-ca-certificate-options-greyed-out/m-p/76407#M42306 Jack_Howells 2016-04-14T10:45:07Z https://live.paloaltonetworks.com/t5/general-topics/external-ca-certificate-options-greyed-out/m-p/76431#M42316 <P>&nbsp;</P> <P>Your images didn't come through for some reason, but in general the reason for this is because the CSR wasn't signed with the CA option (ca=true). If it's not a CA cert, it cannot be used for forward decryption.&nbsp;</P> <P>&nbsp;</P> <P>You will be unable to get a CA cert from a public authority (like Symmatec or GoDaddy). No public CA will give a private party a certificate that can be used to issue new, trusted certificates.&nbsp;</P> <P>&nbsp;</P> <P>You'll need to use an internal CA, or create a self-signed CA cert on the firewall and distribute that to your users.</P> <P>&nbsp;</P> <P>Cheers,</P> <P>Greg</P> Thu, 14 Apr 2016 17:16:19 GMT https://live.paloaltonetworks.com/t5/general-topics/external-ca-certificate-options-greyed-out/m-p/76431#M42316 gwesson 2016-04-14T17:16:19Z https://live.paloaltonetworks.com/t5/general-topics/external-ca-certificate-options-greyed-out/m-p/76451#M42322 <P>Ah that's a shame.</P> <P>&nbsp;</P> <P>I'm sure I can use an External CA for SSL Forward Proxy, I just needed to mark the certifcate as the Trusted Root CA, as well as Forward Trust and Untrust. This wasn't done and should work otherwise..?</P> <P>&nbsp;</P> <P><A href="https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/decryption/configure-ssl-forward-proxy" target="_blank">https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/decryption/configure-ssl-forward-proxy</A></P> <P>&nbsp;</P> <P>Regarding the screenshots, I had tried to edit the subordinate certificates which you can't change as they're generated off of the back of the Trusted Root cert.</P> <P><BR />Thanks&nbsp;<BR />Jack</P> Thu, 14 Apr 2016 21:57:33 GMT https://live.paloaltonetworks.com/t5/general-topics/external-ca-certificate-options-greyed-out/m-p/76451#M42322 Jack_Howells 2016-04-14T21:57:33Z https://live.paloaltonetworks.com/t5/general-topics/external-ca-certificate-options-greyed-out/m-p/76468#M42325 <P>For firewall to be able to sign certificates on the fly for forward proxy to work you need CA or intermediate CA certificate.</P> <P>Public CA's will not allow you to be their intermediate because this would completely brake SSL model (you could decrypt anyones SSL traffic).</P> <P>For that reason you either generate CA and push it out with Group Policy or generate CA certificate and sign it with your domain CA (then root will be domain CA and fw cert will be intemediate).</P> <P>If you take second path then you don't have to push fw cert to anyware as your domain computers already trust domain root CA.</P> Fri, 15 Apr 2016 10:01:08 GMT https://live.paloaltonetworks.com/t5/general-topics/external-ca-certificate-options-greyed-out/m-p/76468#M42325 Raido_Rattameister 2016-04-15T10:01:08Z