SSL Offloading 'Forward Trust' grayed out

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

SSL Offloading 'Forward Trust' grayed out

Not applicable

Hi,

I have created a certificate from my local CA and also have imported the CSR from PA to the local CA, created the

identity certificate, all is well, but it seems I am not able to "Check Box" the "Forward Trust Certificate" on the  PA.Device Certificate.jpg

Forward trust certificate.jpg

This it seems is a necessary step while configuring SSL offloading.

Any clues on what needs to be done ....

Please see attached.

Regards,

Tauseef

1 accepted solution

Accepted Solutions

L6 Presenter

Hi RZ,

If certificate is selfsigned Root Certificate then option for "Forward Trust Certificate" & "Foreard Untrust Certificate" are Enabled. For selfsigned Root Certificate refer following image.

Root_Cert.png

In your case you may not have checked option for Root Certificate. Apart from "self signed Root Cert", Suboardinate Root Certificate is supported for requested option.

Fore more information on SSL certificate refer bellow link. Go through Page 14 for certificate request.

PAN SSL Certificates

Regards,

Hardik Shah

View solution in original post

5 REPLIES 5

L6 Presenter

Hi RZ,

If certificate is selfsigned Root Certificate then option for "Forward Trust Certificate" & "Foreard Untrust Certificate" are Enabled. For selfsigned Root Certificate refer following image.

Root_Cert.png

In your case you may not have checked option for Root Certificate. Apart from "self signed Root Cert", Suboardinate Root Certificate is supported for requested option.

Fore more information on SSL certificate refer bellow link. Go through Page 14 for certificate request.

PAN SSL Certificates

Regards,

Hardik Shah

L6 Presenter

If certificate is not "self signed root CA" or "Subordinate Root CA" than it can not generate new certificate.

thats why non-Root CA cert doesnt work in decryption.

Hi,

I already have a local Microsoft Root CA in our Network.

Does this mean that I have to make my device PA as Sub-CA to this Root CA ??

If so, are there any documentation on how to make my PA a sub CA to my local Root CA ?

Regards

RZ

Not applicable

Also,

What way can I monitor or have an historical view of "SSL Decrypted" statistics.... ?

How can I know how many sessions are currently decrypted for which users and so on ?

Please advise

See the instructions in this document to use your MS CA with SSL decryption.

How to Implement Certificates Issued from Microsoft Certificate Services

You can check the general statistics using:

>debug sslmgr statistics

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
  • 1 accepted solution
  • 6027 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!