https://live.paloaltonetworks.com/t5/general-topics/ssl-forward-proxy-ca-cert/m-p/217188#M62840 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/70284">@SThatipelly</a>,</P><P>Personally I always recommend that you ask whoever manages your CA to give you a sub-CA certificate and use that for the ssl-decryption process. The sub-CA issued certs will be trusted by all of your machines and you aren't using the root certificate.&nbsp;</P> Fri, 08 Jun 2018 14:58:28 GMT BPry 2018-06-08T14:58:28Z https://live.paloaltonetworks.com/t5/general-topics/ssl-forward-proxy-ca-cert/m-p/217173#M62838 <P>My enterprise has a CA root certificate pushed out to all clients. I am now planning to implement ssl decryption and want to import same cert and keys onto firewall for ssl forward proxy. what are the downsides of doing this? is it a good idea to use CA signed cert or the one I mentioned above?</P><P>&nbsp;</P><P>TIA</P> Fri, 08 Jun 2018 13:47:02 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-forward-proxy-ca-cert/m-p/217173#M62838 SThatipelly 2018-06-08T13:47:02Z https://live.paloaltonetworks.com/t5/general-topics/ssl-forward-proxy-ca-cert/m-p/217188#M62840 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/70284">@SThatipelly</a>,</P><P>Personally I always recommend that you ask whoever manages your CA to give you a sub-CA certificate and use that for the ssl-decryption process. The sub-CA issued certs will be trusted by all of your machines and you aren't using the root certificate.&nbsp;</P> Fri, 08 Jun 2018 14:58:28 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-forward-proxy-ca-cert/m-p/217188#M62840 BPry 2018-06-08T14:58:28Z