After migrating from Panorama to SCM, ECDSA trusted and untrusted certificates were added automatically and caused access failures for some URLs

Created On 11/28/24 05:25 AM - Last Modified 10/17/25 19:43 PM


Symptom


• Frequent browser errors on client devices.
• The customer had migrated Prisma Access management from Panorama to SCM.
• Client devices had the RSA certificate, which had been in use since Prisma Access was managed by Panorama, but not "Forward-Trust-CA-ECDSA".



Environment


**Product_versions**
• Prisma Access
• Panorama
• SCM



Cause


The customer's SCM was configured to use "Forward-Trust-CA-ECDSA" for ECDSA decryption, but this certificate had not been distributed to client devices. Because client devices trusted the RSA certificate but not "Forward-Trust-CA-ECDSA", they experienced browser errors. This incompatibility arose from the migration from Panorama to SCM, where SCM requires both RSA and ECDSA certificates for decryption.



Resolution


There are two solutions for this symptom.

  1. Distribute the "Forward-Trust-CA-ECDSA" certificate to client devices.
  2. Remove the ECDSA decryption settings via SCM > Manage > Configuration > NGFW and Prisma Access > Security Services > Decryption > Decryption Settings, then click the 'X' next to "Forward-Trust-CA-ECDSA".
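To confirm option 1 on a client, the following added example (not part of the original article or any Palo Alto Networks tooling) checks whether a CA named "Forward-Trust-CA-ECDSA" is in the trust store that Python's default TLS context loads. The sample store and the RSA certificate name in it are constructed placeholders, since the article does not name the RSA certificate.

```python
import ssl

# Certificate name taken from the article.
ECDSA_FORWARD_TRUST_CN = "Forward-Trust-CA-ECDSA"

# Constructed sample in the format returned by SSLContext.get_ca_certs():
# a client holding only an RSA forward trust CA. The RSA name is a placeholder,
# because the article does not name the RSA certificate.
SAMPLE_STORE = [
    {"subject": ((("organizationName", "Example Corp"),),
                 (("commonName", "EXAMPLE-Forward-Trust-CA-RSA"),))},
    {"subject": ((("commonName", "Example Public Root"),),)},
]


def common_names(ca_certs):
    """Collect subject commonName values from get_ca_certs()-style dicts."""
    names = set()
    for cert in ca_certs:
        for rdn in cert.get("subject", ()):   # subject is a tuple of RDNs
            for attr, value in rdn:           # each RDN is a tuple of pairs
                if attr == "commonName":
                    names.add(value)
    return names


def missing_cas(ca_certs, required):
    """Return the required CA names absent from the trust store, sorted."""
    return sorted(set(required) - common_names(ca_certs))


def local_ca_certs():
    """CA certificates Python's default TLS context loaded from the OS store."""
    return ssl.create_default_context().get_ca_certs()


if __name__ == "__main__":
    for label, store in (("constructed sample", SAMPLE_STORE),
                         ("this machine", local_ca_certs())):
        missing = missing_cas(store, [ECDSA_FORWARD_TRUST_CN])
        print(f"{label}: " + (f"missing {missing}" if missing else "ECDSA CA present"))
```

On Linux, CA files that sit only in a capath directory are loaded lazily and may not appear in `get_ca_certs()`, and a browser that keeps its own trust store is not covered by this check.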

