https://live.paloaltonetworks.com/t5/general-topics/can-not-check-forward-trust-certificate/m-p/258918#M73431 <P>The enterprise CA that signed the CSR failed to ensure it is a actually a CA cert, sometimes known as a Signing cert or Delegation cert. It's not very obvious in that document, so it can be missed.</P><P>&nbsp;</P><P>When you send the CSR to the enterprise CA, they&nbsp;<STRONG>must</STRONG> make it a signing/delegation/ca certificate or it cannot be used to sign the on-the-fly certificates the firewall generates when doing decryption. Without that, it is just a normal server certificate.</P><P>&nbsp;</P><P>You don't have to go through the whole process again, you can just have the CA re-sign the CSR you gave, ensuring it is a CA cert as well.</P> Fri, 26 Apr 2019 17:29:47 GMT gwesson 2019-04-26T17:29:47Z https://live.paloaltonetworks.com/t5/general-topics/can-not-check-forward-trust-certificate/m-p/258840#M73408 <P>Hello.&nbsp;<BR /><BR />I'm having an issue with a setup of decryption.</P><P>&nbsp;</P><P>we have a custoemr who wants decryption. and they also have an entreprise CA.&nbsp;<BR />to have the least user impact they wanted to use an entreprise signed certificate for their ssl forward trust.&nbsp;<BR /><BR />I created a certificate as explained on palo alto resources</P><P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSxCAK" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSxCAK</A></P><P><A href="https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-admin/decryption/configure-ssl-forward-proxy" target="_blank">https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-admin/decryption/configure-ssl-forward-proxy</A></P><P>&nbsp;</P><P>so far so good.&nbsp;<BR />I sent the csr to our customer.&nbsp;</P><P>when I got it back( .cer) file I got an issue because it was not base 64 encoded. but could resolve it via this link:</P><P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGSCA0" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGSCA0</A></P><P>&nbsp;</P><P>&nbsp;</P><P>afterwards I managed to get the certificate uploaded.&nbsp;<BR /><BR />however:</P><P>for the certificate the "key" checkbox is checked, but the "ca" checkbox is not. --&gt; despite PA resources telling me it should be checked after the import(see first link step 3.4.d</P><P>when opening the certificate all options( ssl forward trust, untrust, etc are greyed out. the only option I can select is "certificate for secure syslog"</P><P>&nbsp;</P><P>I'm starting to think the issue lies with the entreprise CA. or how teh certificate was signed. but wanted to make sure. perhaps someone on this forum knows more?&nbsp;<BR /><BR /><BR /></P> Fri, 26 Apr 2019 07:22:19 GMT https://live.paloaltonetworks.com/t5/general-topics/can-not-check-forward-trust-certificate/m-p/258840#M73408 TommieVanHove 2019-04-26T07:22:19Z https://live.paloaltonetworks.com/t5/general-topics/can-not-check-forward-trust-certificate/m-p/258918#M73431 <P>The enterprise CA that signed the CSR failed to ensure it is a actually a CA cert, sometimes known as a Signing cert or Delegation cert. It's not very obvious in that document, so it can be missed.</P><P>&nbsp;</P><P>When you send the CSR to the enterprise CA, they&nbsp;<STRONG>must</STRONG> make it a signing/delegation/ca certificate or it cannot be used to sign the on-the-fly certificates the firewall generates when doing decryption. Without that, it is just a normal server certificate.</P><P>&nbsp;</P><P>You don't have to go through the whole process again, you can just have the CA re-sign the CSR you gave, ensuring it is a CA cert as well.</P> Fri, 26 Apr 2019 17:29:47 GMT https://live.paloaltonetworks.com/t5/general-topics/can-not-check-forward-trust-certificate/m-p/258918#M73431 gwesson 2019-04-26T17:29:47Z https://live.paloaltonetworks.com/t5/general-topics/can-not-check-forward-trust-certificate/m-p/572370#M115175 <P>Try using Subordinate Certification Authority Template.<BR />Do not forget to Import the Root CA.</P> Tue, 09 Jan 2024 17:37:56 GMT https://live.paloaltonetworks.com/t5/general-topics/can-not-check-forward-trust-certificate/m-p/572370#M115175 HamzaAlSammarai 2024-01-09T17:37:56Z