====== Create Certificate with Microsoft PKI ======

  - Import the root certificate of the MS CA into the Palo Alto Networks firewall.
  - Go to ''https://server_ip/certsrv'' (where server_ip is the IP or DNS name of the Windows Server that is running the MS Certificate Authority).
  - Click the link ''Download a CA Certificate, certificate chain or CRL''.
  - Select the format ''Base64''.
  - Click the link ''Download CA certificate''.
  - On the Palo Alto Networks firewall, go to ''Device->Certificate->Import''.
  - Select File.
  - Set Certificate name to something meaningful (e.g. my_domain.local).
  - Click OK.
  - Select the certificate from the list and tick 'Trusted Root CA'.
  - Generate a certificate signing request (CSR) that is to be signed by an External Authority. Add all the extra info as needed.
  - Export the CSR using the Export button in the Palo GUI.
  - Go to ''https://server_ip/certsrv''.
  - Click ''Request certificate''.
  - Click Advanced Certificate request.
  - Set Certificate template to Subordinate Certificate Authority.
  - Paste in the text from the CSR file and click Submit.
  - Click ''Base64 encoded''.
  - Download the certificate.
  - Download the certificate chain.
  - On the Palo GUI, go to ''Device->Certificate'' and click ''Import''.
  - Select the certificate you just downloaded from ''server_ip''.
  - Make sure you set the value of ''Certificate Name'' to be identical to that of the CSR entry.
  - Now you can generate an SSL_Decrypt certificate or any other 'trusted' certificate on the Palo using your newly signed subordinate CA certificate.
  - Don't forget to set your Decryption policies under the Policy tab and the Decryption profile under the Objects tab. Also, don't forget to create a self-signed untrust certificate.
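Before importing the signed certificate it is worth checking, on a workstation with OpenSSL, that it carries the key from the exported CSR, that the Subordinate Certificate Authority template really produced a CA certificate, and that it chains to the root you imported. The script below is an added example, not part of the original procedure; the file names, subjects and the throwaway CA built by ''make_samples'' are constructed stand-ins for the files downloaded from ''certsrv''.

```shell
#!/bin/sh
# Added example. File names and subjects are constructed placeholders.

# check_signed_cert CSR CERT ROOT -> prints OK / FAIL, returns 0-3
check_signed_cert() {
  csr=$1; cert=$2; root=$3
  # 1. Same key pair: the private key stayed on the firewall with the CSR.
  csr_key=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null)
  crt_key=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
  if [ -z "$csr_key" ] || [ "$csr_key" != "$crt_key" ]; then
    echo "FAIL: public key differs from CSR"; return 1
  fi
  # 2. A subordinate CA certificate carries basicConstraints CA:TRUE.
  if ! openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE'; then
    echo "FAIL: not a CA certificate"; return 2
  fi
  # 3. It must chain to the root that was imported as Trusted Root CA.
  if ! openssl verify -CAfile "$root" "$cert" >/dev/null 2>&1; then
    echo "FAIL: does not chain to root"; return 3
  fi
  echo "OK"
}

# Build throwaway sample files (constructed, stand-ins for the real exports).
make_samples() {
  d=$(mktemp -d) || return 1
  {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
      -subj "/CN=Constructed Root CA" -keyout "$d/root.key" -out "$d/root.pem"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=my_domain.local" \
      -keyout "$d/fw.key" -out "$d/fw.csr"
    echo "basicConstraints=critical,CA:TRUE" > "$d/ca.ext"
    echo "basicConstraints=critical,CA:FALSE" > "$d/leaf.ext"
    for kind in ca leaf; do
      openssl x509 -req -in "$d/fw.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/$kind.ext" -out "$d/$kind.pem"
    done
  } >/dev/null 2>&1
  echo "$d"
}

s=$(make_samples)
check_signed_cert "$s/fw.csr" "$s/ca.pem" "$s/root.pem"
check_signed_cert "$s/fw.csr" "$s/leaf.pem" "$s/root.pem" || true
rm -rf "$s"
```

With real files, call ''check_signed_cert'' with the CSR exported from the firewall, the Base64 certificate downloaded from the CA, and the Base64 root certificate.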