topic Decryption with Elliptical Curve DSA PAN -OS 8.0.x in General Topics https://live.paloaltonetworks.com/t5/general-topics/decryption-with-elliptical-curve-dsa-pan-os-8-0-x/m-p/178443#M55527 <P>Hi Team,&nbsp;</P><P>&nbsp;</P><P>New features and improvement in version 8 allows for additional cipher algorithms to be decrypted and the re-encrypted to check for malicious content.</P><P>Can generate a self-signed or a cert off MS Certificate Authority.</P><P>Many customers have the decryption cert with the RSA Algorithm already configured. Need to set up the additional one as below to take advantage of the new feature. So will have two forward trust and two forward untrust.&nbsp;</P><P>&nbsp;</P><P><STRONG>The ECDSA one is then preferred and the PAN device will fail back to the RSA one if required.</STRONG></P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="RSA.GIF" style="width: 500px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/11466i05EA8DC7F9C2E5B9/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="RSA.GIF" alt="RSA.GIF" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ED.GIF" style="width: 500px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/11467i4798D4BC817F71FD/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="ED.GIF" alt="ED.GIF" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>To generate a self signed one, is simple enough, just select the different algorithm as below.&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="generate.GIF" style="width: 262px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/11468i448FF9CAC78E51DF/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="generate.GIF" alt="generate.GIF" /></span></P><P>&nbsp;</P><P>Done some tests with same recently and seems to be working ok, if any trouble with same contact your support provider,&nbsp;</P><P>&nbsp;</P><P>Cheers,&nbsp;</P><P>&nbsp;</P><P>Rob&nbsp;</P><P>&nbsp;</P> Mon, 25 Sep 2017 08:49:01 GMT DonohoeRobert 2017-09-25T08:49:01Z Decryption with Elliptical Curve DSA PAN -OS 8.0.x https://live.paloaltonetworks.com/t5/general-topics/decryption-with-elliptical-curve-dsa-pan-os-8-0-x/m-p/178443#M55527 <P>Hi Team,&nbsp;</P><P>&nbsp;</P><P>New features and improvement in version 8 allows for additional cipher algorithms to be decrypted and the re-encrypted to check for malicious content.</P><P>Can generate a self-signed or a cert off MS Certificate Authority.</P><P>Many customers have the decryption cert with the RSA Algorithm already configured. Need to set up the additional one as below to take advantage of the new feature. So will have two forward trust and two forward untrust.&nbsp;</P><P>&nbsp;</P><P><STRONG>The ECDSA one is then preferred and the PAN device will fail back to the RSA one if required.</STRONG></P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="RSA.GIF" style="width: 500px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/11466i05EA8DC7F9C2E5B9/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="RSA.GIF" alt="RSA.GIF" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ED.GIF" style="width: 500px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/11467i4798D4BC817F71FD/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="ED.GIF" alt="ED.GIF" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>To generate a self signed one, is simple enough, just select the different algorithm as below.&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="generate.GIF" style="width: 262px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/11468i448FF9CAC78E51DF/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="generate.GIF" alt="generate.GIF" /></span></P><P>&nbsp;</P><P>Done some tests with same recently and seems to be working ok, if any trouble with same contact your support provider,&nbsp;</P><P>&nbsp;</P><P>Cheers,&nbsp;</P><P>&nbsp;</P><P>Rob&nbsp;</P><P>&nbsp;</P> Mon, 25 Sep 2017 08:49:01 GMT https://live.paloaltonetworks.com/t5/general-topics/decryption-with-elliptical-curve-dsa-pan-os-8-0-x/m-p/178443#M55527 DonohoeRobert 2017-09-25T08:49:01Z Re: Decryption with Elliptical Curve DSA PAN -OS 8.0.x https://live.paloaltonetworks.com/t5/general-topics/decryption-with-elliptical-curve-dsa-pan-os-8-0-x/m-p/178482#M55537 <P>FYI: There is no need to generate a new Root Cert with an EC Key. PAN-OS 8 allows you to decrypt connections to websites with ECDSA certs also with an RSA Decryption certificate.</P><P>&nbsp;</P><P>--&gt; For example: <A href="https://ecdsa.scotthelme.co.uk/" target="_blank">https://ecdsa.scotthelme.co.uk/</A></P> Mon, 25 Sep 2017 10:02:27 GMT https://live.paloaltonetworks.com/t5/general-topics/decryption-with-elliptical-curve-dsa-pan-os-8-0-x/m-p/178482#M55537 Remo 2017-09-25T10:02:27Z