Decryption certificate

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Decryption certificate

L3 Networker


I have a PA500 (OS 5.0.11)

I already configured it for SSL Decryption with a self signed certificate.

I need to use a Digicert Certificate. I already have a wildcard certificate with Digicert.

Question is: can I use my wildcard certificate for SSL Decryption?


I try to import my certificate but I cannot use it for SSL Decryption




Cyber Elite
Cyber Elite

Hi !

For SSL decryption you'll need a CA certificate as it will be posing as the signing certificate of the websites the users are accessing.

A document that may come in handy

How to Implement SSL Decryption



Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Thanks but in case of a Certification Authority like Verisign or Digicert I need to request a new certificate (signed by them) or I need to import a root certificate?


In case of CA like verisign or digicert, you need to import chained certificate signed by the Public CA

This document is very helpful:

How to Install a Chained Certificate Signed by a Public CA

I follow this guide and I create a pkcs12 chained certificate with this command:

openssl pkcs12 -export -in [certificate.pem] -inkey [certificate.key] -CAfile [chain.cer] -caname digicert -out [server-chain.p12] -name digicert -chain

but when I import my certificate (IMPORTANT: it is a web server certificate) it is not recognized as a CA.

I think problem is that my certificate was request for a web server.

If I try to install DigiCert CA root certificate it is recognized as a CA but I cannot use it for decryption.

You cannot use a certificate from a public CA like VeriSign or Digicert. A public CA will never give a subordinate (intermediate) CA certificate to someone outside their trust. With a subordinate certificate, you can create new certs that are trusted to the root, even for existing and common sites.

For SSL decryption, you need to use an internal CA certificate or generate a self-signed certificate on the firewall and use that. In both instances, you will need to distribute the public key of that certificate to all clients you wish to be decrypted.

Hope this helps,


  • 5 replies
  • 101 Subscriptions
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!