Forward Trust Cert and MacBook Pro


L1 Bithead

I have a problem with my PAN-generated FTC when used by a MacBook Pro.  My PANOS is 11.2.10-h3 and the test MBP is Sonoma 14.8.4.

The FTC is loaded on the System Key Chain and is set to "Always Trust".  The x509 basic constraints CA is TRUE as inspected on the MBP.  

Yet when I browse a site with a decryption policy, the resulting cert from the FTC is not trusted.

Of course, the Windows clients work fine.

Is anyone using the FTC on a modern MBP?  How did you set up the FTC?

Thanks for any insights you have.

Cheers,

Mike

1 accepted solution

Accepted Solutions

L1 Bithead

I set up a new cert and made sure to set these attributes (in the conf file using openssl):
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, CRLSign

I'm happy to say that the Mac clients are now happy.  I don't know when this changed, but modern macOS seems to want the CRL sign attribute assigned.

Cheers,

Mike

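The CA profile from the accepted answer, written out end to end as an added example (this is not the poster's own config or anything from Palo Alto Networks): it writes an openssl config carrying the extensions Mike listed, issues a self-signed forward trust CA from it, and decodes the result so you can confirm the bits are actually present before loading the cert into Keychain. For comparison it also issues a CA whose keyUsage lacks cRLSign, which is the shape the original firewall-generated cert appears to have had. It assumes `openssl` (1.1.1 or 3.x) is on PATH; the subject names, file names and `check_ftc` helper are constructed for the example, and note that openssl's own spelling of the bit is `cRLSign`.

```shell
#!/bin/sh
# Added example, not the poster's files: build a forward trust CA with the
# extensions from the accepted answer and verify them from the decoded cert.
# Assumes openssl is installed; all names and paths below are constructed.

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Write a minimal openssl config. $1 = config path, $2 = keyUsage value.
# The v3_ca section is where the CA:true / keyCertSign / cRLSign bits live.
write_ca_config() {
  cat > "$1" <<EOF
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
prompt             = no

[ req_dn ]
CN = Example Forward Trust CA
O  = Example Org

[ v3_ca ]
basicConstraints       = critical, CA:true
keyUsage               = critical, $2
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
EOF
}

# Issue a self-signed CA from the config. $1 = config, $2 = key out, $3 = cert out.
generate_ca() {
  openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days 3650 \
    -config "$1" -keyout "$2" -out "$3" 2>/dev/null
}

# Decode the certificate; the checks below grep openssl's text rendering.
cert_text()     { openssl x509 -in "$1" -noout -text; }
has_ca_true()   { cert_text "$1" | grep -q 'CA:TRUE'; }
has_cert_sign() { cert_text "$1" | grep -q 'Certificate Sign'; }
has_crl_sign()  { cert_text "$1" | grep -q 'CRL Sign'; }

# Returns 0 only when every attribute the thread ended up needing is present.
check_ftc() {
  has_ca_true "$1" && has_cert_sign "$1" && has_crl_sign "$1"
}

# Corrected profile: the attributes from the accepted answer.
write_ca_config "$WORKDIR/good.cnf" "keyCertSign, cRLSign"
generate_ca "$WORKDIR/good.cnf" "$WORKDIR/good.key" "$WORKDIR/good.crt"

# Weak profile: CA:true but no cRLSign, the shape the Macs rejected.
write_ca_config "$WORKDIR/nocrl.cnf" "keyCertSign"
generate_ca "$WORKDIR/nocrl.cnf" "$WORKDIR/nocrl.key" "$WORKDIR/nocrl.crt"

for c in good nocrl; do
  if check_ftc "$WORKDIR/$c.crt"; then
    echo "$c.crt: CA:TRUE, Certificate Sign and CRL Sign all present"
  else
    echo "$c.crt: missing at least one required extension"
  fi
done
```

Run it once and read the two lines it prints; then run the same `openssl x509 -noout -text` against the cert you exported from the firewall to see which of the three bits is absent. The decoded "X509v3 Key Usage" line is the quickest way to tell a cert generated by the firewall's default profile from one built with the corrected conf.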

3 REPLIES

Cyber Elite

@M.Sullivan271926,

What did you use to generate your forward trust certificate, just the firewall itself? What did you use for your cryptography settings when you generated the certificate? macOS doesn't have extremely unique requirements for trusting a CA outside of ensuring that it's set to always trusted within Keychain. 

L1 Bithead

Hi @BPry 

Thanks for the reply.  I used the FW to generate the cert, default crypto settings.  I'm getting ready to test another cert.  I used openssl to include the CRL Sign key usage along with the normal CA constraints.  I saw somewhere that new macOS versions wanted the CRL attribute in order to work.  Anyway, I'll be testing it in a few minutes...

