https://live.paloaltonetworks.com/t5/general-topics/ssl-forward-proxy-decryption-with-ecdsa-cert/m-p/132443#M47080 <P>Just wondering if it's possible to use an Elliptical Curve DSA cert with CA and Trusted Root to be the Forward Trust Certificate for the SSL Forward Proxy decryption feature?&nbsp;</P><P>&nbsp;</P><P>Reading about the Perfect Forward Secrecy feature here:</P><P><A href="https://www.paloaltonetworks.com/documentation/71/pan-os/newfeaturesguide/decryption-features/perfect-forward-secrecy-pfs-support.html" target="_blank">https://www.paloaltonetworks.com/documentation/71/pan-os/newfeaturesguide/decryption-features/perfect-forward-secrecy-pfs-support.html</A></P><P>&nbsp;</P><P>It would seem like ECDSA certs are supported in use with Forward Proxy SSL decryption but, when I generate a cert, the Forward Trust and Forward Untrusted check boxes are greyed out.</P><P>&nbsp;</P><P>I'm on release 7.1.6</P><P>&nbsp;</P><P>Thanks!</P> Mon, 12 Dec 2016 14:35:05 GMT jsalmans 2016-12-12T14:35:05Z https://live.paloaltonetworks.com/t5/general-topics/ssl-forward-proxy-decryption-with-ecdsa-cert/m-p/132443#M47080 <P>Just wondering if it's possible to use an Elliptical Curve DSA cert with CA and Trusted Root to be the Forward Trust Certificate for the SSL Forward Proxy decryption feature?&nbsp;</P><P>&nbsp;</P><P>Reading about the Perfect Forward Secrecy feature here:</P><P><A href="https://www.paloaltonetworks.com/documentation/71/pan-os/newfeaturesguide/decryption-features/perfect-forward-secrecy-pfs-support.html" target="_blank">https://www.paloaltonetworks.com/documentation/71/pan-os/newfeaturesguide/decryption-features/perfect-forward-secrecy-pfs-support.html</A></P><P>&nbsp;</P><P>It would seem like ECDSA certs are supported in use with Forward Proxy SSL decryption but, when I generate a cert, the Forward Trust and Forward Untrusted check boxes are greyed out.</P><P>&nbsp;</P><P>I'm on release 7.1.6</P><P>&nbsp;</P><P>Thanks!</P> Mon, 12 Dec 2016 14:35:05 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-forward-proxy-decryption-with-ecdsa-cert/m-p/132443#M47080 jsalmans 2016-12-12T14:35:05Z https://live.paloaltonetworks.com/t5/general-topics/ssl-forward-proxy-decryption-with-ecdsa-cert/m-p/132740#M47114 <P>Hi,</P><P>&nbsp;</P><P>The certifiacte you have genearted on PA has CA enbaled, I mean did you make it as CA to be used for Decryption. If it is a CA you should see that Forward Trust option is highlighted.</P><P>&nbsp;</P><P>Best Regards,</P><P>&nbsp;</P><P>Fozail</P> Wed, 14 Dec 2016 07:58:00 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-forward-proxy-decryption-with-ecdsa-cert/m-p/132740#M47114 fozail 2016-12-14T07:58:00Z https://live.paloaltonetworks.com/t5/general-topics/ssl-forward-proxy-decryption-with-ecdsa-cert/m-p/218537#M63164 <P>As already mentioned, making sure the CA box is checked is critical.</P><P>&nbsp;</P><P>In verison 8.0, you weren't able to use ECDSA effectively until version 8.0.9 as newer browsers were unhappy about a null trailer in the resigned certificates from the firewall.</P> Wed, 20 Jun 2018 15:09:21 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-forward-proxy-decryption-with-ecdsa-cert/m-p/218537#M63164 JacobAn 2018-06-20T15:09:21Z