SSL Decryption Certificates
Tech Note

Overview

The Palo Alto Networks security gateway is capable of decrypting outbound SSL connections for the purpose of providing visibility and control of the traffic, without compromising the security or privacy of the traffic. This action is off by default and can be enabled selectively by policy, including source, destination, and URL category. To accomplish this, the Palo Alto device proxies the SSL connection, terminating the connection from the client and re-establishing the SSL connection to the destination server. Traffic in the SSL connection is then identified by application for visibility and control, but re-encrypted to ensure continued privacy and security.

This document is intended to provide an overview of how to manage SSL certificates for the purpose of using the Palo Alto Networks security device for decrypting and inspecting outgoing SSL traffic, as well as loading the public certificate into the users' browsers as a trusted root certificate to avoid certificate mismatch warning messages.

Local Certificate Authority

In order to decrypt the SSL sessions, a CA certificate is required. This certificate is used to generate certificates for each SSL destination. By default, a self-signed certificate is used. Because this certificate is not a "Trusted CA", browsers and other applications will give the users a warning indicating that the identity of the site they are accessing could not be verified. The browsers can be configured to trust the CA certificate by importing it into the browser. Alternatively, an already trusted CA certificate that is used in the enterprise can be installed into the device for use in the SSL decryption process. The following sections will describe common ways to load certificates into the Palo Alto Networks device, how to load trusted CA certificates into a user's browser manually, and how to use Microsoft's Active Directory Group Policy Object tool to automatically load the CA certificate into Windows for use by Internet Explorer.
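The following script is an added example, not part of the tech note and not Palo Alto Networks code. It uses the openssl command line to reproduce the certificate mechanics described above: a local decryption CA is created, a per-destination server certificate is issued from it for a given hostname (mirroring what the device does for each SSL destination), and the result is checked three ways: against a trust store that contains the CA (the browser after the CA has been imported), against the system trust store without the CA (the "identity could not be verified" warning), and against a different hostname (the certificate mismatch warning). The CA name, the hostnames and the working directory are constructed values for the example.

```shell
#!/bin/sh
# Added example: local decryption CA and per-site certificate issuance with openssl.
# Nothing here is device configuration; names and paths are constructed for illustration.
set -e

WORK=$(mktemp -d)

# Create the local CA. The config file pins the CA extensions so that
# openssl verify accepts the certificate as a valid issuer.
make_decryption_ca() {
  cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[ dn ]
CN = Example Forward-Trust CA
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -config "$WORK/ca.cnf" 2>/dev/null
}

# Issue a server certificate for one destination, signed by the local CA.
# The SAN carries the hostname, which is what browsers match against the URL.
issue_site_cert() {
  host=$1
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/$host.key" -out "$WORK/$host.csr" -subj "/CN=$host" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
    "$host" > "$WORK/$host.ext"
  openssl x509 -req -in "$WORK/$host.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/$host.ext" \
    -out "$WORK/$host.crt" 2>/dev/null
}

# A client that has imported the CA: the chain validates.
check_with_ca_imported() {
  if openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# A client that has NOT imported the CA: only the system store is consulted,
# so the site certificate cannot be chained to a trusted root.
check_without_ca_imported() {
  if openssl verify "$WORK/$1.crt" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# The CA is trusted, but the name in the URL differs from the certificate's SAN.
check_hostname() {
  cert_host=$1
  url_host=$2
  if openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$url_host" \
      "$WORK/$cert_host.crt" >/dev/null 2>&1; then
    echo match
  else
    echo mismatch
  fi
}

# Stand-alone run: generate the CA, issue one site certificate, report the three checks.
demo() {
  make_decryption_ca
  issue_site_cert www.example.com
  echo "CA imported:        $(check_with_ca_imported www.example.com)"
  echo "CA not imported:    $(check_without_ca_imported www.example.com)"
  echo "wrong hostname:     $(check_hostname www.example.com other.example.net)"
}
```

Running `demo` prints "trusted", "untrusted" and "mismatch" in that order. The second line is the situation the tech note describes for a default self-signed decryption CA that has not been distributed to clients; the third shows why the device must issue a certificate whose name matches each destination rather than reusing one certificate for all sites.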