AWS PA, error on SSL forward decrypt

Dear all

I am trying to configure SSL inspection on a Palo Alto in AWS.

Although the configuration with client certificate, device CA and SubCA is (as far as I can verify) the same as the one in the on-premises environment, I still get errors like:

Received a fatal warning CertificateUnknown from the client.

Received a fatal warning UnknownCA from the client

PanOS is 10.2.4-h2


I still tried this, but it cannot be the solution (and it does not help at all):

Repair Incomplete Certificate Chains (

On Reddit there is a similar article, but according to it, the issue should be solved with PanOS 10.2.3.


L1 Bithead


Please double-check the imported certificate chain, including the client certificate and all necessary intermediate/subordinate CAs, to ensure proper SSL inspection configuration. Verify that the CA issuing the client certificate is trusted on the Palo Alto device. 
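The chain check suggested in the reply can be reproduced offline with the openssl CLI. The following is an added example, not from the thread or from Palo Alto Networks: it builds a throwaway lab PKI (all names constructed, with the sub CA standing in for the firewall's forward-trust certificate) and shows that a client trusting the root rejects the leaf when the intermediate is not presented or when it trusts a different root.

```sh
#!/bin/sh
# Constructed lab PKI (all names made up): root CA -> sub CA -> leaf.
# The sub CA stands in for the firewall's forward-trust signing certificate.

csr() {  # csr <dir> <name> <subject>: new key and CSR
  openssl req -new -newkey rsa:2048 -nodes -subj "$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

selfsign() {  # selfsign <dir> <name>: self-signed CA certificate
  openssl x509 -req -in "$1/$2.csr" -signkey "$1/$2.key" -days 2 \
    -extfile "$1/ca.ext" -out "$1/$2.pem" 2>/dev/null
}

issue() {  # issue <dir> <name> <issuer> <extfile>: certificate signed by issuer
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.pem" -CAkey "$1/$3.key" \
    -CAcreateserial -days 2 -extfile "$1/$4" -out "$1/$2.pem" 2>/dev/null
}

make_pki() {  # make_pki <dir>
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$1/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > "$1/leaf.ext"
  csr "$1" root "/CN=Lab Root CA" && selfsign "$1" root &&
  csr "$1" other "/CN=Unrelated Root CA" && selfsign "$1" other &&
  csr "$1" sub "/CN=Lab Forward Trust SubCA" && issue "$1" sub root ca.ext &&
  csr "$1" leaf "/CN=www.example.test" && issue "$1" leaf sub leaf.ext
}

# client_accepts <trust-store.pem> <leaf.pem> [intermediates.pem]
# Succeeds only if a path from the leaf to a trusted root can be built.
client_accepts() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

verdict() { if client_accepts "$@"; then echo accepted; else echo rejected; fi; }

D=$(mktemp -d) && trap 'rm -rf "$D"' EXIT
make_pki "$D" || { echo "could not build lab PKI with openssl" >&2; exit 1; }
echo "root trusted, leaf only sent:     $(verdict "$D/root.pem" "$D/leaf.pem")"
echo "root trusted, leaf + sub CA sent: $(verdict "$D/root.pem" "$D/leaf.pem" "$D/sub.pem")"
echo "other root trusted, full chain:   $(verdict "$D/other.pem" "$D/leaf.pem" "$D/sub.pem")"
```

To test real exports instead, pass the client's trust store, the re-signed server certificate and the intermediates the firewall presents to `client_accepts` in that order.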
