This Nominated Discussion Article is based on the post "Change forward decrypt trust cert to a new one" by @djon and answered by @emr_1. Read on to see the discussion and solution!
I have forward ssl decrypt running and I want to change the cert I use. Can only have one forward trust cert at a time. If I deselect forward trust box I get commit error because my ssl decrypt policies don't have a forward trust cert. I can't select forward trust on the new cert until the old cert has forward trust deselected.
So now what do I do?
You don't need to "deselect and commit".
Just change the certificate and commit will work (at least worked on my lab / pan-os 10.1.6-h6)
Also make sure to have a private key for it.
Following two screenshots show what happens if you did not import private key (you won't be able to select Forward Trust Cert option):
tags: certificates, SSL Forward Proxy, Management, Management & Administration, NGFW, certificate management
