Decryption certificate

L3 Networker

Decryption certificate


I have a PA500 (OS 5.0.11)

I already configured it for SSL Decryption with a self signed certificate.

I need to use a Digicert Certificate. I already have a wildcard certificate with Digicert.

Question is: can I use my wildcard certificate for SSL Decryption?


I try to import my certificate but I cannot use it for SSL Decryption



L7 Applicator

Re: Decryption certificate

Hi !

For SSL decryption you'll need a CA certificate as it will be posing as the signing certificate of the websites the users are accessing.

A document that may come in handy

How to Implement SSL Decryption



L3 Networker

Re: Decryption certificate

Thanks but in case of a Certification Authority like Verisign or Digicert I need to request a new certificate (signed by them) or I need to import a root certificate?


L2 Linker

Re: Decryption certificate

In case of CA like verisign or digicert, you need to import chained certificate signed by the Public CA

This document is very helpful:

How to Install a Chained Certificate Signed by a Public CA

L3 Networker

Re: Decryption certificate

I follow this guide and I create a pkcs12 chained certificate with this command:

openssl pkcs12 -export -in [certificate.pem] -inkey [certificate.key] -CAfile [chain.cer] -caname digicert -out [server-chain.p12] -name digicert -chain

but when I import my certificate (IMPORTANT: it is a web server certificate) it is not recognized as a CA.

I think problem is that my certificate was request for a web server.

If I try to install DigiCert CA root certificate it is recognized as a CA but I cannot use it for decryption.

L7 Applicator

Re: Decryption certificate

You cannot use a certificate from a public CA like VeriSign or Digicert. A public CA will never give a subordinate (intermediate) CA certificate to someone outside their trust. With a subordinate certificate, you can create new certs that are trusted to the root, even for existing and common sites.

For SSL decryption, you need to use an internal CA certificate or generate a self-signed certificate on the firewall and use that. In both instances, you will need to distribute the public key of that certificate to all clients you wish to be decrypted.

Hope this helps,


Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!