How to Install a Palo Alto Networks Firewall Forward Trust Root Certificate in the Windows Certificate Store
Resolution
Overview
When SSL decryption is performed on the Palo Alto Networks firewall, accessing an HTTPS site through a browser produces an untrusted certificate warning. After manually adding an exception for the certificate, the connection succeeds. This becomes difficult when using different browsers and adding an exception in each of them. Also, when clicking any tab of the site, the URL is redirected to another site and the user receives the certificate warning prompt again. Adding the Forward Trust Root certificate to the Windows certificate authority store lets the certificates presented by the firewall chain to a trusted root, so the untrusted certificate warning no longer appears in any browser on the local machine that uses that store.
Steps
- Export the Forward Trust certificate in PKCS12 and PEM format from the Palo Alto Networks firewall. Set a passphrase of 6 characters to ensure authenticity while importing the certificate into the store.
- Install the exported certificate into the Windows certificate store using the Microsoft Management Console (MMC).
To launch the MMC, go to Start, click Search, type "mmc", and press Enter. Use the Certificates snap-in to import the Forward Trust Root certificate.
For more information about the MMC, see the TechNet library on the Microsoft website.
Note: This is applicable only to Internet Explorer and Google Chrome, which use the default Windows certificate store. For Firefox, the certificate still needs to be imported into the Firefox certificate store. If an "Error : (Error code: sec_error_untrusted_issuer)" is encountered on Firefox, see After Configuring SSL Decryption Mozilla Firefox Presents Certificate Error.
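The import step above can also be scripted. The following is an added example, not part of the original article or Palo Alto Networks tooling: it checks the exported PEM file before trusting it and then adds it to the machine-wide Trusted Root Certification Authorities store. Assumptions: the PEM export contains only the public certificate, the target store is LocalMachine\Root, and `$CertPath` and `$ExpectedThumbprint` are placeholders supplied by the administrator (the thumbprint being recorded separately from the file that is being imported).

```powershell
# Added example. Run from an elevated PowerShell prompt.
# $CertPath: path to the PEM file exported from the firewall (placeholder).
# $ExpectedThumbprint: SHA-1 thumbprint recorded out of band (placeholder).
param(
    [Parameter(Mandatory)] [string] $CertPath,
    [Parameter(Mandatory)] [string] $ExpectedThumbprint
)
$ErrorActionPreference = 'Stop'
$ns = 'System.Security.Cryptography.X509Certificates'

$cert = New-Object "$ns.X509Certificate2" -ArgumentList (Resolve-Path $CertPath).Path

# A trust anchor needs only the public certificate; refuse key material.
if ($cert.HasPrivateKey) {
    throw 'File contains a private key. Import the public certificate only.'
}

# Compare against the expected thumbprint (ignore spaces, colons and case).
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: file has $($cert.Thumbprint)"
}

# The certificate must be a CA (basicConstraints, OID 2.5.29.19, CA = true).
$ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }
if (-not $ext) { throw 'No basicConstraints extension: not a CA certificate.' }
$bc = New-Object "$ns.X509BasicConstraintsExtension" -ArgumentList $ext, $ext.Critical
if (-not $bc.CertificateAuthority) { throw 'basicConstraints CA flag is false.' }

# Reject a certificate that is not yet valid or already expired.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
}

# Add to Trusted Root Certification Authorities for the local machine.
$store = New-Object "$ns.X509Store" -ArgumentList 'Root', 'LocalMachine'
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
try { $store.Add($cert) } finally { $store.Close() }

# Confirm the result by reading the store back.
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint } |
    Format-List Subject, Issuer, Thumbprint, NotAfter
```

Every client that trusts this root accepts any certificate the firewall signs with it, so keep the recorded thumbprint to audit later which machines carry the certificate.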
See Also
How to Implement Certificates Issued from Microsoft Certificate Services
owner: dantony