Enabling forward trust certificate

L0 Member

Hi all,

I'm hoping someone can assist.

I can't enable the Forward Trust option for a cert that I generate using either a self-signed CA or 3rd party CA.  The check is either greyed out or it's an option but doesn't keep the check after I hit OK. Any idea on how to get this working?


L7 Applicator

Please look into this discussion thread, it might help you: Re: Can not check Forward Trust Certificate


L5 Sessionator

For 3rd Party CA, it will allow you to do that. That option would be greyed out.

For a self-signed CA, you will need to follow these steps:

Under Device -> Certificate Management -> Certificates, click Generate Certificate, give it an appropriate Name and Common Name, then click on Certificate Authority.


Click OK.

Once the certificate is created, you should see both CA and Key option checked.


Verify that is the case. Then click on the certificate; you should have both the Forward Trust and Forward Untrust options to check. Hope this helps. Thank you.

L0 Member

Thanks hulk. I've tried these suggestions already and no luck. Even when I use a self-signed CA, I don't have the ability to enable Forward Trust Certificate...the box is greyed out.

L0 Member

Thanks ssharma. I've tried these steps and still no luck. I'm on the phone with PAN support now.

L0 Member

Hi guys,

I've found out what the problem was.

When using multiple virtual systems, if the Location drop-down menu under Device Certificates is set to "Shared", I am able to reproduce the problem where I can check the checkbox for Forward Trust Certificate, click OK, but then the check disappears. When I select a specific virtual system, I can see that the Forward Trust Certificate is checked and I can also remove the check. So the key is to be in an actual virtual context when enabling or disabling the Forward Trust Certificate option, rather than be in the shared context.

The WebUI is misleading because under the shared context, the Forward Trust Certificate checkbox displays as an option and can be checked, but since the check disappears after clicking OK, it gives the impression that the feature is not enabled. The logs even show that the option was set successfully in the config logs. The WebUI should be updated to let the user know that the option should only be enabled under the appropriate virtual context.

PA support also didn't know about this behaviour and they mentioned that they'll be writing a KB article to document it.
