SSL Decryption for Elliptic Curve Cryptography (ECC) Certificates

The firewall automatically decrypts SSL traffic from websites and applications using ECC certificates, including Elliptic Curve Digital Signature Algorithm (ECDSA) certificates. As organizations transition to ECC certificates to benefit from the strong keys and small certificate size, you can continue to maintain visibility into and safely enable ECC-secured application and website traffic.
Decryption for websites and applications using ECC certificates is not supported for traffic that is mirrored to the firewall; encrypted traffic using ECC certificates must pass through the firewall directly for the firewall to decrypt it.
You can use a hardware security module (HSM) to store the private keys associated with ECDSA certificates. For TLSv1.3 traffic, PAN-OS supports HSMs only for SSL Forward Proxy. It does not support HSMs for SSL Inbound Inspection.
