Due to the nature of the TAP interface, ssl decryption can only be performed for inbound ssl connections to a server whose certificate has been loaded onto the firewall, including the private key, which it can then use to terminate the ssl session and decrypt the traffic. This only works when the Decryption is performed passively, which would be when non-PFS key exchange algorithms are used in PAN-OS 10.0 or below.
In PAN-OS 10.1 and above, all Inbound Decryption is performed as a man-in-the-middle proxy, so TAP interfaces are not supported.
For outbound connections however, the server's private key of the certificate is not known and the MitM approach cannot be used as the TAP interface is unable to send out packets. So ssl decryption in this direction is unsupported.