Recently a decision was made to implement SSL Decryption for outbound inspection. We work within a Microsoft PKI environment and are experiencing issues in signing the CSR generated by the firewall. I create the CSR based on the "how to implement and test ssl decryption" document I found via the Live Community (https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Implement-and-Test-SSL-Decryption... So, the CSR is designated as a CA and set to Signed by External Authority (CSR). Unfortunately, each time I receive the certificate, the Forward Trust Certificate is greyed out. We've tried both CA box checked and CA box unchecked; the result is the same. We did find that our SubCAs were under constraints and cannot sign, so we used the Root to perform the signing, but the result is the same.
Just wondering if anyone has a suggestion or if we need to review and follow the workaround I found here: https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Implement-Certificates-Issued-from-M....
I don't believe you will have to generate a CSR for this. You can either do a self-signed CA on the firewall or import a Subordinate CA (from your own PKI infrastructure). Steps 1-4 are all done within the Microsoft Certificate Server while steps 5-6 are when you import the certificate into the firewall. Try generating a cert from within your environment and import that generated certificate into the firewall.
Generating and Importing a Certificate from Microsoft Certificate Server
Thank you for the response Peter, greatly appreciated. What we ended up doing is what you suggested in your first paragraph: we asked for a certificate to be issued which is a Subordinate CA. Problem solved. When I suggested the article "" it was met with hesitation, so having a certificate created which is a Subordinate worked out nicely.
Hi Peter, just going through your solution. So, if I want to use internal PKI infra, then there is no need to generate a CSR on the firewall?
What do I tell my customer, to directly provide me the CA certificate? I mean they don't need my CSR? Because when I am providing a CSR and importing the certificate, then that Forward Trust option is greyed out...
You have many options.
- Generate CA cert on firewall and push it to domain member computers with Group policy
- Import existing CA into firewall and use this
- Use Subordinate CA signed by existing internal CA
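A pre-flight check to run on the issued certificate before importing it, as an added example that is not part of this thread: the Forward Trust option only accepts a CA certificate, so the script confirms the certificate asserts CA:TRUE (and Certificate Sign when Key Usage is present) and that the issuing CA is not limited by a pathlen:0 constraint, one constraint that would stop a SubCA from issuing a usable subordinate CA. It assumes only the openssl CLI; the function names and the sample certificate text in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks on a certificate meant to
# become the firewall's Forward Trust CA. Assumes only the openssl CLI.

# Print the line that follows the named X509v3 extension header, whitespace stripped.
ext_value() { awk -v h="$1" 'index($0, h) { getline; print; exit }' | tr -d ' \t'; }

# Classify certificate text (output of `openssl x509 -noout -text`) on stdin as
# "ca", "ca pathlen=N" or "end-entity" from its Basic Constraints extension.
classify_cert_text() {
    bc=$(ext_value 'X509v3 Basic Constraints')
    case "$bc" in
        *CA:TRUE*pathlen:*) echo "ca pathlen=${bc##*pathlen:}" ;;
        *CA:TRUE*)          echo "ca" ;;
        *)                  echo "end-entity" ;;
    esac
}

# Return 0 when the certificate on stdin can be a Forward Trust CA: it must assert
# CA:TRUE and, if a Key Usage extension is present, allow Certificate Sign.
check_forward_trust_text() {
    text=$(cat)
    status=$(printf '%s\n' "$text" | classify_cert_text)
    case "$status" in
        ca*) ;;
        *) echo "FAIL: not CA:TRUE ($status); Forward Trust stays greyed out"; return 1 ;;
    esac
    ku=$(printf '%s\n' "$text" | ext_value 'X509v3 Key Usage')
    if [ -n "$ku" ] && ! printf '%s\n' "$ku" | grep -q 'CertificateSign'; then
        echo "FAIL: Key Usage present but lacks Certificate Sign"; return 1
    fi
    echo "PASS: $status, importable as Forward Trust CA"
}

# Return 0 when the issuing CA (text on stdin) may issue a subordinate CA:
# pathlen:0 restricts it to end-entity certificates.
issuer_can_sign_subca_text() {
    case "$(classify_cert_text)" in
        "ca pathlen=0") echo "FAIL: issuer has pathlen:0, cannot issue a sub-CA"; return 1 ;;
        ca*)            echo "PASS: issuer may sign a subordinate CA" ;;
        *)              echo "FAIL: issuer is not a CA certificate"; return 1 ;;
    esac
}

# File wrappers for real PEM certificates.
check_forward_trust()   { openssl x509 -in "$1" -noout -text | check_forward_trust_text; }
issuer_can_sign_subca() { openssl x509 -in "$1" -noout -text | issuer_can_sign_subca_text; }
# Usage: sh check_fwd_trust.sh issued.pem [issuing-ca.pem]
if [ "$#" -ge 1 ]; then check_forward_trust "$1"; fi
if [ "$#" -ge 2 ]; then issuer_can_sign_subca "$2"; fi
```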