SSL Certificates CA Verisign

Showing results for 
Show  only  | Search instead for 
Did you mean: 

SSL Certificates CA Verisign

L1 Bithead


we have import the CA Certificate from Verisign and want to activate the Antivirus function (policies).

But only the

"Trusted Root CA"

is available in the "Certificate Information"

the option "Forward Trust Certificate" is gray and not available.

But that the function what we need.

We will check upload traffic to the servers  in the trust lan of the paloalto

System: PaloAlto 500 v5.0.6

Anyone knows this problem.

Info: when we make a self signed CA we can choose the option "Trusted Root CA".


L4 Transporter


Please read last reply by Gwesson  from Re: Decryption certificate

and follow this doc

I hope that will explain You enought.



L6 Presenter

Hi Netmaster,

Decryption can be done only by self signed Root CA or Sub-ordinate CA. The reason is this certificate signs, another certificate for the traffic.

Lets say you generate a.crt self signed certificate on the firewall. Now traffic comes for on firewall. Now a.cert will sign a certificate for and forwards it to user.

Only self signed cert and subordinate cert has this capability to sign another certificate.

As long as I know verisign will not provide you subordinate certificate. Let me know if it helps.


Hardik Shah

L1 Bithead


thanks for the two answers, thats help to understand how it works in the firewall.

Now we have make a self signed Root CA and a decrypt like this doc:

but it doesnt work. We want to make Inbound SSL decryption!

The traffic were not decrypted, we don´t see a decrypt flag in the logs of the packets (policies).

And when we make a openssl question from outside to the server we see the ssl cert from the server and not self signed from the firewall.


shared {

    ssl-decrypt {


      trusted-root-CA [ int_test_com int_test];

      forward-trust-certificate int_test_com;

      forward-untrust-certificate int_test_com;


      int_test_com {

        subject-hash fc08871a;

        issuer-hash fc08871a;

        not-valid-before "Aug 27 14:16:26 2014 GMT";

        issuer "/C=DE/ST=Bayern/L=Ismaning/O=test AG/";

        not-valid-after "Aug 27 14:16:26 2015 GMT";


        expiry-epoch 1440684986;

        ca yes;

        subject "/C=DE/ST=Bayern/L=Ismaning/O=test AG/";

        public-key "-----BEGIN CERTIFICATE-----


decryption {

              rules {

                int_test_antivirus {

                  category any;

                  type {

                    ssl-inbound-inspection int_test_com;


                  from untrust;

                  to trust;

                  source any;

                  destination any;

                  source-user any;

                  negate-source no;

                  negate-destination no;

                  action decrypt;

from untrust;

                  to trust;

                  source any;

                  destination int_test_com;

                  source-user any;

                  category any;

                  application [ ssl web-browsing];

                  service [ service-http service-https];

                  hip-profiles any;

                  action allow;

                  log-start yes;

                  log-end yes;

                  negate-source no;

                  negate-destination no;

Hi Netmaster,

In Inbound Decryption, you get original certificate of the server, its different than outbound decryption. So, you always get server cert, its expected behavior.

Configuration looks good, can I get same configuration in GUI format.

1. Provide certificat in GUI

2. Provide Decryption policy in GUI

3. Provide Traffic log in GUI, which says its not decrypted.


Hardik Shah

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!