Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

SSL Decryption: Forward Trust unavailable

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

SSL Decryption: Forward Trust unavailable

L1 Bithead

Hello,

 

After creating a external CA cert, the Forward Trust Certificate, Forward Untrust Certificate and Trusted Root CA are greyed out.  So I can't select.

 

All options are available when a create a self-sign certificate.  

Any idea?

Thanks

2 accepted solutions

Accepted Solutions


@KTarver wrote:

Hi Brandon and thanks for your reply.

 

I am having trouble following you.

 

Purely from a PKI stand point, if the FW has the client's CA in the trusted folder, then there shouldn't be a need for a wildcard.  That is on the decryption side (LAN ingress traffic).

 

But my issue is before getting to that point.

 

From the FW, I created a csr --> processed it with the CA and got a cert --> uploaded the new cert to the fw.  When I do this, 2 issue occur:

1- The csr remain "pending"

2- The newly uploaded cert have all the options (Forward Trust Certificate, Forward Untrust Certificate and Trusted Root CA) greyed out.

 

I am trying to understand why the 2 above is happening.

 

Thanks again Brandon


When doing SSL Interception the decryption certificate needs to be a wildcard certificate that can impersonate any domain from any TLD.  If it's not a wildcard certificate then it won't work.  Like @BPry mentioned I'm going to assume you meant your "external CA" was external from the FW, not external from your enterprise.

 

Your internal PKI has a "Root" and some "Intermediate" certificate authority servers.  Those CAs need to be loaded to your FW.  Those CAs need to be loaded in your client machine cert stores.  You need to generate a CSR from the firewall from one of those Intermediate CAs, which will then be signed by your internal PKI as a wildcard certificate.  When they sign the cert and give it back to you, when you upload it you should see it chained and shown in this screenshot:

Root --> ICA (Intermediate CA) --> SSL Cert:

Brandon_Wertz_0-1726668972596.png

 

Brandon_Wertz_1-1726669173782.png

 

 

The specific steps to get this to work can be found here:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEZCA0&lang=en_US

View solution in original post

Hi Brandon,

 

Thanks for the information!  That was very useful.  I did what you said and created the wilcard in the CN of the CSR.  That allow me to successfully import the cert created by the CA and the options are now available to select!

 

Thanks Brandon!

View solution in original post

7 REPLIES 7

Cyber Elite
Cyber Elite

@KTarver,

Sounds like you don't have the private key. When you say you created an external CA cert, do you mean you generated a self-signed CA on the firewall itself or you created the request to have the certificate created by an external CA (like an enterprise CA)?

L6 Presenter

@KTarver wrote:

Hello,

 

After creating a external CA cert, the Forward Trust Certificate, Forward Untrust Certificate and Trusted Root CA are greyed out.  So I can't select.

 

All options are available when a create a self-sign certificate.  

Any idea?

Thanks


If you're trying to do SSL Decryption for your internal systems you shouldn't be using an external certificate authority.  You're ultimately going to need a wildcard certificate for everything on the Internet and no external CA is going to give you that.

You're going to either need to have an internal CA that is trusted by all your internal clients or you can create it from the firewall, but again you'd need to have the full firewall CA certs to include the wildcard cert as trusted for your internal clients.  Otherwise the client browsers will throw errors about the interception process.

Hi Brandon and thanks for your reply.

 

I am having trouble following you.

 

Purely from a PKI stand point, if the FW has the client's CA in the trusted folder, then there shouldn't be a need for a wildcard.  That is on the decryption side (LAN ingress traffic).

 

But my issue is before getting to that point.

 

From the FW, I created a csr --> processed it with the CA and got a cert --> uploaded the new cert to the fw.  When I do this, 2 issue occur:

1- The csr remain "pending"

2- The newly uploaded cert have all the options (Forward Trust Certificate, Forward Untrust Certificate and Trusted Root CA) greyed out.

 

I am trying to understand why the 2 above is happening.

 

Thanks again Brandon

Hi BPry and thanks for your reply.

 

The later.  

I created a csr via the fw --> processed it through the CA --> uploaded the new cert to the fw.  

Part of the process when creating a csr, is the creation of the private and public key local to the device.  This way the private key stay safe.  So a private key exist.

 

Thanks again BPry!


@KTarver wrote:

Hi Brandon and thanks for your reply.

 

I am having trouble following you.

 

Purely from a PKI stand point, if the FW has the client's CA in the trusted folder, then there shouldn't be a need for a wildcard.  That is on the decryption side (LAN ingress traffic).

 

But my issue is before getting to that point.

 

From the FW, I created a csr --> processed it with the CA and got a cert --> uploaded the new cert to the fw.  When I do this, 2 issue occur:

1- The csr remain "pending"

2- The newly uploaded cert have all the options (Forward Trust Certificate, Forward Untrust Certificate and Trusted Root CA) greyed out.

 

I am trying to understand why the 2 above is happening.

 

Thanks again Brandon


When doing SSL Interception the decryption certificate needs to be a wildcard certificate that can impersonate any domain from any TLD.  If it's not a wildcard certificate then it won't work.  Like @BPry mentioned I'm going to assume you meant your "external CA" was external from the FW, not external from your enterprise.

 

Your internal PKI has a "Root" and some "Intermediate" certificate authority servers.  Those CAs need to be loaded to your FW.  Those CAs need to be loaded in your client machine cert stores.  You need to generate a CSR from the firewall from one of those Intermediate CAs, which will then be signed by your internal PKI as a wildcard certificate.  When they sign the cert and give it back to you, when you upload it you should see it chained and shown in this screenshot:

Root --> ICA (Intermediate CA) --> SSL Cert:

Brandon_Wertz_0-1726668972596.png

 

Brandon_Wertz_1-1726669173782.png

 

 

The specific steps to get this to work can be found here:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEZCA0&lang=en_US

Hi Brandon,

 

Thanks for the information!  That was very useful.  I did what you said and created the wilcard in the CN of the CSR.  That allow me to successfully import the cert created by the CA and the options are now available to select!

 

Thanks Brandon!

Awesome, glad to help.

  • 2 accepted solutions
  • 754 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!