https://live.paloaltonetworks.com/t5/general-topics/after-forward-trust-certificate-is-renewed/m-p/315550#M81272 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/55969">@NetWright</a>,</P><P>I guess if you don't trust what the CLI is telling you can the certificate as specified in your decryption rulebase entires you would need to perform a PCAP and verify that the client is actually getting the correct cert.</P><P>Really though as long as the above command is showing you what you need and the actual decryption entries reference the correct certificate I can't think of a reason why you would need to verify it further; but if for some reason you do, a simple PCAP on the client traffic would work perfectly fine.&nbsp;</P> Tue, 10 Mar 2020 21:04:41 GMT BPry 2020-03-10T21:04:41Z https://live.paloaltonetworks.com/t5/general-topics/after-forward-trust-certificate-is-renewed/m-p/315379#M81256 <P>After Forward Trust certificate is renewed is there a way to validate the renewed certificate is working correctly from either GUI or CLI?<BR />Device &gt; Certificate Management &gt; Certificates &gt; Forward UNTrust Certificate</P> Tue, 10 Mar 2020 01:01:40 GMT https://live.paloaltonetworks.com/t5/general-topics/after-forward-trust-certificate-is-renewed/m-p/315379#M81256 NetWright 2020-03-10T01:01:40Z https://live.paloaltonetworks.com/t5/general-topics/after-forward-trust-certificate-is-renewed/m-p/315391#M81257 <P>You're looking for the following command in the CLI</P><LI-CODE lang="markup">show system setting ssl-decrypt certificate</LI-CODE> Tue, 10 Mar 2020 02:17:46 GMT https://live.paloaltonetworks.com/t5/general-topics/after-forward-trust-certificate-is-renewed/m-p/315391#M81257 BPry 2020-03-10T02:17:46Z https://live.paloaltonetworks.com/t5/general-topics/after-forward-trust-certificate-is-renewed/m-p/315398#M81261 <P>Thanks.&nbsp;<BR />Ok, yeah I see the cert with that command (&nbsp; show system setting ssl-decrypt certificate ).<BR />.&nbsp;&nbsp;<BR />Wondering if there's a way to validate when the cert is being used and that it's being used successfully.<BR />I know the Untrusted cert will be presented only when the PAN doesn't trust the sites CA but how to see this?<BR />I see the behavior from the client side using this site -&nbsp;<A href="https://untrusted-root.badssl.com/" target="_blank">https://untrusted-root.badssl.com/</A><BR />Is there a way to see what cert is being presented for the client from the PAN side?</P><P>&nbsp;</P><P>show system setting ssl-decrypt certificate</P><P>&lt;&lt;snip&gt;&gt;<BR />global untrusted<BR />ssl-decryption x509 certificate<BR />version 2<BR />cert algorithm 4<BR />valid 200310033320Z -- 210310033320Z<BR />cert pki 1<BR />subject: SSL Decrypt Untrusted 2018<BR />issuer: SSL Decrypt Untrusted 2018<BR />serial number(4)<BR />7b 89 e3 36 {..6<BR />rsa key size 2048 bits siglen 256 bytes<BR />basic constraints extension CA 1<BR /><BR /></P> Tue, 10 Mar 2020 03:54:21 GMT https://live.paloaltonetworks.com/t5/general-topics/after-forward-trust-certificate-is-renewed/m-p/315398#M81261 NetWright 2020-03-10T03:54:21Z https://live.paloaltonetworks.com/t5/general-topics/after-forward-trust-certificate-is-renewed/m-p/315550#M81272 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/55969">@NetWright</a>,</P><P>I guess if you don't trust what the CLI is telling you can the certificate as specified in your decryption rulebase entires you would need to perform a PCAP and verify that the client is actually getting the correct cert.</P><P>Really though as long as the above command is showing you what you need and the actual decryption entries reference the correct certificate I can't think of a reason why you would need to verify it further; but if for some reason you do, a simple PCAP on the client traffic would work perfectly fine.&nbsp;</P> Tue, 10 Mar 2020 21:04:41 GMT https://live.paloaltonetworks.com/t5/general-topics/after-forward-trust-certificate-is-renewed/m-p/315550#M81272 BPry 2020-03-10T21:04:41Z