SSL Certificates CA Verisign
Showing results for 
Search instead for 
Did you mean: 

SSL Certificates CA Verisign

L1 Bithead


we have import the CA Certificate from Verisign and want to activate the Antivirus function (policies).

But only the

"Trusted Root CA"

is available in the "Certificate Information"

the option "Forward Trust Certificate" is gray and not available.

But that the function what we need.

We will check upload traffic to the servers  in the trust lan of the paloalto

System: PaloAlto 500 v5.0.6

Anyone knows this problem.

Info: when we make a self signed CA we can choose the option "Trusted Root CA".


L4 Transporter


Please read last reply by Gwesson  from Re: Decryption certificate

and follow this doc

I hope that will explain You enought.



L6 Presenter

Hi Netmaster,

Decryption can be done only by self signed Root CA or Sub-ordinate CA. The reason is this certificate signs, another certificate for the traffic.

Lets say you generate a.crt self signed certificate on the firewall. Now traffic comes for on firewall. Now a.cert will sign a certificate for and forwards it to user.

Only self signed cert and subordinate cert has this capability to sign another certificate.

As long as I know verisign will not provide you subordinate certificate. Let me know if it helps.


Hardik Shah

L1 Bithead


thanks for the two answers, thats help to understand how it works in the firewall.

Now we have make a self signed Root CA and a decrypt like this doc:

but it doesnt work. We want to make Inbound SSL decryption!

The traffic were not decrypted, we don´t see a decrypt flag in the logs of the packets (policies).

And when we make a openssl question from outside to the server we see the ssl cert from the server and not self signed from the firewall.


shared {

    ssl-decrypt {


      trusted-root-CA [ int_test_com int_test];

      forward-trust-certificate int_test_com;

      forward-untrust-certificate int_test_com;


      int_test_com {

        subject-hash fc08871a;

        issuer-hash fc08871a;

        not-valid-before "Aug 27 14:16:26 2014 GMT";

        issuer "/C=DE/ST=Bayern/L=Ismaning/O=test AG/";

        not-valid-after "Aug 27 14:16:26 2015 GMT";


        expiry-epoch 1440684986;

        ca yes;

        subject "/C=DE/ST=Bayern/L=Ismaning/O=test AG/";

        public-key "-----BEGIN CERTIFICATE-----


decryption {

              rules {

                int_test_antivirus {

                  category any;

                  type {

                    ssl-inbound-inspection int_test_com;


                  from untrust;

                  to trust;

                  source any;

                  destination any;

                  source-user any;

                  negate-source no;

                  negate-destination no;

                  action decrypt;

from untrust;

                  to trust;

                  source any;

                  destination int_test_com;

                  source-user any;

                  category any;

                  application [ ssl web-browsing];

                  service [ service-http service-https];

                  hip-profiles any;

                  action allow;

                  log-start yes;

                  log-end yes;

                  negate-source no;

                  negate-destination no;

Hi Netmaster,

In Inbound Decryption, you get original certificate of the server, its different than outbound decryption. So, you always get server cert, its expected behavior.

Configuration looks good, can I get same configuration in GUI format.

1. Provide certificat in GUI

2. Provide Decryption policy in GUI

3. Provide Traffic log in GUI, which says its not decrypted.


Hardik Shah

L1 Bithead


when we import the server certificate, no CA flag is set and we dont can choose "Forward .... Certificate" and "Trusted Root CA" in the informations.

Thats a Certificate from Verisign. And wehn we load any other public root certficates from Verisign and import this ones, its the same....

For what you need it in GUI Format, its the same informations as about cli.

Anyone a Idee?

best regard


The certificate what we used in the upper config was created in the firewall, i think thats the problem why this one not matched, thats for your info guys.

Hello Netmaster,

Actually its pretty simple configuration and work for most of the customer.

Most likely this is issue with the Certificate provided by Verisign. Verisign will not provide root certificate, they will provide sub-ordinate certificate. Make sure that sub-ordinate certificate has private key. If certificate matches this condition, you should be able to select "Trust/untrsuted Forward" Parameters.

For Self Signed Cert Follow bellow mentioned two steps. and it will work.



That should work just fine.


Hardik Shah

L1 Bithead


now we have made a self signed certificate from the firewall, thats not working.

For the test we have change the Server cert in a self signed too.

We don´ see any encrypted packets. (in the traffic log or in the cli like: How to View SSL Decryption Information from the CLI

We have make all the steps for inbound ssl decrypt from: How to Implement SSL Decryption

but it doesnt works.

Any special thinks what we must do in the decryption and security policies?

Or any other points we must do? enabling decryption on a single tab or so?


Bildschirmfoto 2014-09-02 um 18.22.56.png

Policy decry:

Bildschirmfoto 2014-09-02 um 18.23.21.png

Policy sec:

Bildschirmfoto 2014-09-02 um 18.23.31.png

Hi Netmaster,

Does server uses certificate SSL_Test?

Most likely answer is NO, thats why inbound SSL decryption is not working.

You are supposed to upload same certificate to firewall which is used by server. If you dont get option for "Forward Trust/Untrust" than its fine.


Hardik Shah

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!