Nominated Discussion: How to Change Forward Decrypt Trust Certificate


This Nominated Discussion Article is based on the post "Change forward decrypt trust cert to a new one" by @djon and answered by @emr_1. Read on to see the discussion and solution!


I have forward SSL decrypt running and I want to change the cert I use. I can only have one forward trust cert at a time. If I deselect the forward trust box I get a commit error because my SSL decrypt policies don't have a forward trust cert. I can't select forward trust on the new cert until the old cert has forward trust deselected.

So now what do I do? 


You don't need to "deselect and commit".


Just change the certificate and the commit will work (at least it worked on my lab / PAN-OS 10.1.6-h6).

Image 001.png


Also make sure to have a private key for it.

The following two screenshots show what happens if you did not import the private key (you won't be able to select the Forward Trust Cert option):


Image 001.png

Image 002.png
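
The private-key caveat in the answer above can be checked before the certificate is imported. This is an added example, not part of the original thread and not Palo Alto Networks tooling: it uses OpenSSL to confirm that a PEM private key belongs to the new certificate. The file names, the helper names and the unencrypted-PEM format are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread. File names are hypothetical
# and keys are assumed to be unencrypted PEM.

# SHA-256 of the public key carried by a certificate.
cert_pub_hash() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -r | cut -d' ' -f1
}

# SHA-256 of the public key derived from a private key.
key_pub_hash() {
    openssl pkey -in "$1" -pubout -outform DER \
        | openssl dgst -sha256 -r | cut -d' ' -f1
}

# 0 = key belongs to cert, 1 = mismatch,
# 2 = first file is not a certificate, 3 = second file has no private key.
cert_key_match() {
    openssl x509 -in "$1" -noout 2>/dev/null || return 2
    openssl pkey -in "$2" -noout 2>/dev/null || return 3
    [ "$(cert_pub_hash "$1")" = "$(key_pub_hash "$2")" ]
}

# Build a constructed, throwaway key and self-signed certificate in dir $1.
make_constructed_pair() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/new.key" 2>/dev/null &&
    openssl req -x509 -new -key "$1/new.key" -days 1 \
        -subj "/CN=constructed-forward-trust" -out "$1/new.crt" 2>/dev/null
}

# Usage: sh check.sh new.crt new.key
if [ "$#" -eq 2 ]; then
    cert_key_match "$1" "$2"
    case $? in
        0) echo "key matches certificate" ;;
        1) echo "key does not belong to this certificate" ;;
        2) echo "first file is not a PEM certificate" ;;
        3) echo "second file holds no private key" ;;
    esac
fi
```

Result 3 corresponds to the situation in the screenshots: a certificate exported without its key, which cannot be selected as the Forward Trust Certificate.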


tags: certificates, SSL Forward Proxy, Management, Management & Administration, NGFW, certificate management

Last Updated: 02-02-2023 02:20 AM