04-26-2019 12:22 AM
Hello.
I'm having an issue with a setup of decryption.
we have a custoemr who wants decryption. and they also have an entreprise CA.
to have the least user impact they wanted to use an entreprise signed certificate for their ssl forward trust.
I created a certificate as explained on palo alto resources
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSxCAK
https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-admin/decryption/configure-ssl-forward-proxy
so far so good.
I sent the csr to our customer.
when I got it back( .cer) file I got an issue because it was not base 64 encoded. but could resolve it via this link:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGSCA0
afterwards I managed to get the certificate uploaded.
however:
for the certificate the "key" checkbox is checked, but the "ca" checkbox is not. --> despite PA resources telling me it should be checked after the import(see first link step 3.4.d
when opening the certificate all options( ssl forward trust, untrust, etc are greyed out. the only option I can select is "certificate for secure syslog"
I'm starting to think the issue lies with the entreprise CA. or how teh certificate was signed. but wanted to make sure. perhaps someone on this forum knows more?
