Commit Error "forward decrypt trust cert is not configured" after Configuring SSL Decryption for Certificate Generation

Created On 09/25/18 19:38 PM - Last Modified 06/15/23 21:26 PM


Symptom


  • A certificate was generated while configuring SSL decryption.
  • During the commit process, the error message "forward decrypt trust cert is not configured" is shown.


Environment


  • Palo Alto Networks firewalls.
  • PAN-OS 8.1 and above.
  • Certificate configuration.


Cause


SSL forward proxy decryption requires a CA certificate that is explicitly marked as the Forward Trust Certificate. The certificate was generated but was not marked as the "Forward Trust Certificate", so the decryption configuration has no certificate to sign the impersonated server certificates with and the commit fails.

Resolution


Use the following process to correctly generate and mark the certificates for SSL decryption.
  1. Create a self-signed certificate with 'Certificate Authority' checked under GUI: Device > Certificate Management > Certificates > Generate:
    (Screenshot: Device Certificate)
  2. Once generated, open the certificate (GUI: Device > Certificate Management > Certificates) and check the Forward Trust Certificate box:
    (Screenshot: Forward Trust Certificate)
  3. After clicking OK, the certificate store should look like the following:
    (Screenshot: Certificate Store)
  4. Repeat the same process to generate and mark a "Forward Untrust Certificate". Use two different certificates as the "Forward Trust Certificate" and the "Forward Untrust Certificate" for SSL decryption; the same certificate must not be marked for both roles.
  5. The commit should now be successful.
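The same marking can be done and verified from the PAN-OS CLI, which is useful when the GUI checkbox was missed or when the configuration is being scripted. The session below is an added example and is not part of this article; the certificate names `fwd-trust-ca` and `fwd-untrust-ca` and the hostname `PA-220` are placeholders, the certificates are assumed to already exist as CA certificates (step 1 above), and the `show` output is illustrative. Check the exact syntax against the CLI reference for your PAN-OS release.

```text
admin@PA-220> configure
# Mark the CA certificate used to sign impersonated certificates for sites
# whose real certificate chains to a trusted CA (placeholder name assumed).
admin@PA-220# set shared ssl-decrypt forward-trust-certificate fwd-trust-ca
# Mark a different CA certificate for sites whose real certificate is untrusted,
# so clients still see a warning for those sites (placeholder name assumed).
admin@PA-220# set shared ssl-decrypt forward-untrust-certificate fwd-untrust-ca
# Confirm both roles are set and point at two distinct certificates before committing
# (output abbreviated and illustrative).
admin@PA-220# show shared ssl-decrypt
ssl-decrypt {
  forward-trust-certificate fwd-trust-ca;
  forward-untrust-certificate fwd-untrust-ca;
}
admin@PA-220# commit
```

On a multi-vsys firewall the same nodes live under the vsys rather than `shared` (for example `set vsys vsys1 ssl-decrypt forward-trust-certificate ...`), and a certificate that is not a CA certificate cannot be used for either role, which is why step 1 requires the 'Certificate Authority' box to be checked.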
