
Create Certificate with Microsoft PKI

  1. Import the Root cert of the MS CA into the Palo Alto Networks firewall.
  2. Go to https://server_ip/certsrv (where server_ip is the IP or DNS name of the Windows Server that is running the MS Certificate Authority).
  3. Click the link 'Download a CA certificate, certificate chain, or CRL'.
  4. Select the format Base64.
  5. Click the link 'Download CA certificate'.
  6. On the Palo Alto Networks firewall, go to Device→Certificate→Import.
  7. Select File.
  8. Set Certificate Name to something meaningful (e.g. my_domain.local).
  9. Click OK.
  10. Select the certificate from the list and tick 'Trusted Root CA'.
  11. Generate a certificate signing request (CSR) that is to be signed by External Authority. Add all the extra info as needed.
  12. Export the CSR using the Export button in the Palo GUI.
  13. Go to https://server_ip/certsrv.
  14. Click Request certificate.
  15. Click Advanced Certificate request.
  16. Set Certificate template to Subordinate Certificate Authority.
  17. Paste in the text from the CSR file and click Submit.
  18. Click Base64 encoded.
  19. Download the certificate.
  20. Download the certificate chain.
  21. On the Palo GUI, go to Device→Certificate and click Import.
  22. Select the certificate you just downloaded from server_ip.
  23. Make sure you set the value of 'Certificate Name' to be identical to that of the CSR entry.
  24. Now you can generate an SSL_Decrypt certificate or any other 'trusted' certificate on the Palo using your newly signed subordinate CA certificate.
  25. Don't forget to set your Decryption policies under the Policy tab and the Decryption profile under the Objects tab. Also, don't forget to create a self-signed untrust certificate.
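
An added example (not part of the original wiki page): before importing the signed certificate, it can be checked with OpenSSL on an admin workstation. The script confirms that the issued certificate carries the public key from the exported CSR, chains to the downloaded root, and is marked CA:TRUE. All file names and the throwaway demo CA are constructed for illustration.

```shell
#!/bin/sh
# Added example: sanity-check a certificate returned by the CA against the
# CSR exported from the firewall. File names below are assumptions.

# check_issued_cert CSR CERT ROOT -> returns 0 only if all three checks pass
check_issued_cert() {
  csr=$1; cert=$2; root=$3; rc=0
  # 1. Same public key: the issued certificate must carry the key that is
  #    in the CSR, otherwise it cannot pair with the pending CSR entry.
  k1=$(openssl req  -in "$csr"  -noout -pubkey 2>/dev/null)
  k2=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
  if [ -z "$k1" ] || [ "$k1" != "$k2" ]; then
    echo "FAIL: public key differs from CSR"; rc=1
  fi
  # 2. The certificate chains to the root imported as Trusted Root CA.
  openssl verify -CAfile "$root" "$cert" >/dev/null 2>&1 \
    || { echo "FAIL: does not verify against root"; rc=1; }
  # 3. It is a CA certificate, as a subordinate CA has to be.
  openssl x509 -in "$cert" -noout -text 2>/dev/null | grep -q 'CA:TRUE' \
    || { echo "FAIL: basicConstraints is not CA:TRUE"; rc=1; }
  [ "$rc" -eq 0 ] && echo "OK: $cert matches $csr and chains to $root"
  return "$rc"
}

# Constructed demo data: throwaway root CA, a CSR, and a signed sub-CA cert.
make_demo() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root" \
    -keyout "$d/root.key" -out "$d/root.cer" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=my_domain.local" \
    -keyout "$d/fw.key" -out "$d/fw.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' \
    > "$d/ext.cnf"
  openssl x509 -req -in "$d/fw.csr" -CA "$d/root.cer" -CAkey "$d/root.key" \
    -CAcreateserial -days 1 -extfile "$d/ext.cnf" -out "$d/subca.cer" 2>/dev/null
}

# Run the check on the constructed files.
tmp=$(mktemp -d) && make_demo "$tmp" &&
  check_issued_cert "$tmp/fw.csr" "$tmp/subca.cer" "$tmp/root.cer"
rm -rf "$tmp"
```

With real files, call `check_issued_cert` with the exported CSR, the downloaded Base64 certificate, and the downloaded root certificate.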