Import the Root cert of the MS CA into the Palo Alto Networks.

Go to https://server_ip/certsrv (where server_ip is the IP or DNS name of the Windows Server that is running the MS Certificate Authority)

Click the link Download a CA Certificate, certificate chain or CRI

Select the format Base64

Click the link Download CA certificate

On the Palo Alto Networks firewall, go to Device→Certificate→Import

Select File

Set Certificate name to something meaningful (e.g. my_domain.local)

Click Okay

Select Certificate from the list and tick 'Trusted Root CA'.

Generate a certificate signing request (CSR) that is to be signed by External authority. Add all the extra info as needed.

Export the CSR using the Export button in the Palo GUI

Go to https://server_ip/certsrv

Click Request certificate

Click Advanced Certificate request

Set Certificate template to Subordinate Certificate Authority

Paste in the text from the CSR files and click Submit

Click Base64 encoded.

Download the Certificate

Download the certificate chain

On the Palo GUI, go to Device→Certificate and click Import.

Select the Certificate you just downloaded from server_ip.

Make sure you set the value of Certificate Name to be identical to that of the CSR entry.

Now you can generate a SSL_Decrypt certificate or any other 'trusted' certificate on the Palo using your newly signed subordinate CA certificate.

Don't forget to set your Decryption policies under the Policy tab and the Decryption profile under the Objects tab. Also, don't forget to create a self-signed untrust certificate.