Import the Root cert of the MS CA into the Palo Alto Networks firewall.
Go to https://server_ip/certsrv (where server_ip is the IP or DNS name of the Windows Server that is running the MS Certificate Authority)
Click the link Download a CA Certificate, certificate chain or CRL
Select the format Base64
Click the link Download CA certificate
On the Palo Alto Networks firewall, go to Device→Certificate→Import
Select File
Set Certificate name to something meaningful (e.g. my_domain.local)
Click Okay
Select Certificate from the list and tick 'Trusted Root CA'.
Generate a certificate signing request (CSR) that is to be signed by External authority. Add all the extra info as needed.
Export the CSR using the Export button in the Palo GUI
Click Request certificate
Click Advanced Certificate request
Set Certificate template to Subordinate Certificate Authority
Paste in the text from the CSR files and click Submit
Click Base64 encoded.
Download the Certificate
Download the certificate chain
On the Palo GUI, go to Device→Certificate and click Import.
Select the Certificate you just downloaded from server_ip.
Make sure you set the value of Certificate Name to be identical to that of the CSR entry.
Now you can generate an SSL_Decrypt certificate or any other 'trusted' certificate on the Palo using your newly signed subordinate CA certificate.
Don't forget to set your Decryption policies under the Policy tab and the Decryption profile under the Objects tab. Also, don't forget to create a self-signed untrust certificate.
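Before importing the signed certificate, it is worth confirming on a workstation with OpenSSL that the file from the CA matches the exported CSR, was issued as a CA certificate, and chains to the root you imported first. The script below is an added example, not part of the original procedure; `check_subca` and `make_demo` are hypothetical helper names, and `make_demo` builds a constructed stand-in CA so the check can be tried offline.

```shell
#!/bin/sh
# Added example: checks to run on the CA-signed certificate before importing it.
# Arguments are PEM (Base64) files; use whatever names you saved them under.
check_subca() {
    root=$1 csr=$2 cert=$3
    # 1. The private key stays on the firewall, so the certificate must carry
    #    the same public key as the CSR that was exported from it.
    csr_key=$(openssl req -in "$csr" -noout -pubkey) || return 1
    cert_key=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
    [ "$csr_key" = "$cert_key" ] || { echo "FAIL: key does not match CSR" >&2; return 1; }
    # 2. Issued as a CA certificate (basicConstraints CA:TRUE), as expected
    #    from the Subordinate Certificate Authority template.
    openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE' ||
        { echo "FAIL: not a CA certificate" >&2; return 1; }
    # 3. Chains to the root certificate imported in the first step.
    openssl verify -CAfile "$root" "$cert" >/dev/null 2>&1 ||
        { echo "FAIL: does not chain to root" >&2; return 1; }
    echo "OK: $cert"
}

# Constructed stand-in for the MS CA and the firewall CSR (demo data only).
# Writes root.pem, fw.csr, ca.pem (CA:TRUE) and leaf.pem (CA:FALSE) into $1.
make_demo() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\n' >"$d/leaf.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
        -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 1 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-fw-subca" \
        -keyout "$d/fw.key" -out "$d/fw.csr" 2>/dev/null &&
    for kind in ca leaf; do
        openssl x509 -req -in "$d/fw.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
            -CAcreateserial -days 1 -extfile "$d/$kind.ext" \
            -out "$d/$kind.pem" 2>/dev/null || return 1
    done
}

# Run as: sh check.sh ROOT.pem CSR.pem SIGNED_CERT.pem
if [ "$#" -eq 3 ]; then check_subca "$@"; fi
```

A "not a CA certificate" failure usually means the request was submitted with a template other than Subordinate Certificate Authority.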