SSL Decryption for Elliptic Curve Cryptography (ECC) Certificates
The firewall automatically decrypts SSL/TLS traffic from
websites and applications that use ECC certificates, including Elliptic
Curve Digital Signature Algorithm (ECDSA) certificates. As organizations
transition to ECC certificates to benefit from strong keys at small
key and certificate sizes, you retain visibility into, and can safely
enable, ECC-secured application and website traffic.
Decryption for websites and applications using ECC certificates
is not supported for traffic that is mirrored to the firewall; encrypted traffic
using ECC certificates must pass through the firewall directly for
the firewall to decrypt it.
You can use a hardware security module (HSM) to store
the private keys associated with ECDSA certificates. For TLSv1.3
traffic, PAN-OS supports HSM-stored keys only for SSL Forward Proxy;
it does not support HSMs for SSL Inbound Inspection of TLSv1.3 traffic.
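Before relying on this feature, a practitioner usually wants two checks: whether a given server certificate is actually ECDSA (so it falls under the ECC decryption behavior described above and must pass inline rather than be mirrored), and, for SSL Inbound Inspection, that the private key being imported really matches the certificate. The script below is an added example that is not part of the PAN-OS documentation; it uses the openssl command line, generates its own P-256 key and self-signed certificate as constructed sample input, and the file paths, the CN ecdsa.example.test and the WORKDIR variable are assumptions.

```shell
#!/bin/sh
# Added example, not PAN-OS code. Generates an ECDSA (P-256) server key and a
# self-signed certificate of the kind the firewall decrypts, then checks:
#   (a) the certificate's public-key algorithm (id-ecPublicKey for ECC),
#   (b) the certificate's signature algorithm (ecdsa-with-SHA256 here),
#   (c) that the private key matches the certificate before both are imported
#       for SSL Inbound Inspection.
# Requires the openssl CLI. WORKDIR, file names and the CN are assumptions.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEY="$WORKDIR/server.key"   # assumed path for the server private key
CRT="$WORKDIR/server.crt"   # assumed path for the server certificate

# Generate a P-256 private key and a self-signed certificate signed with
# ECDSA over SHA-256 (constructed sample input, not a real server's cert).
gen_ecdsa_cert() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$KEY"
    openssl req -new -x509 -key "$KEY" -sha256 -days 1 \
        -subj "/CN=ecdsa.example.test" -out "$CRT"
}

# Print the certificate's public-key algorithm, e.g. id-ecPublicKey or rsaEncryption.
cert_key_algo() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/^ *Public Key Algorithm: //p' | head -n 1
}

# Print the certificate's signature algorithm, e.g. ecdsa-with-SHA256.
cert_sig_algo() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

# Classify a certificate as "ecdsa" (EC public key) or "other" (RSA, DSA, ...).
classify_cert() {
    case "$(cert_key_algo "$1")" in
        id-ecPublicKey) echo ecdsa ;;
        *)              echo other ;;
    esac
}

# Succeed (exit 0) only if the private key's public half is byte-identical to
# the public key embedded in the certificate; compare SHA-256 of the DER forms.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    [ "$k" = "$c" ]
}

# Run the checks and print a short report.
gen_ecdsa_cert
echo "public key algorithm : $(cert_key_algo "$CRT")"
echo "signature algorithm  : $(cert_sig_algo "$CRT")"
echo "classification       : $(classify_cert "$CRT")"
if key_matches_cert "$KEY" "$CRT"; then
    echo "key/cert match       : yes"
else
    echo "key/cert match       : NO (do not import this pair)"
fi
```

To inspect a live server instead of the constructed pair, feed `openssl s_client -connect host:443 -servername host </dev/null | openssl x509` into the same `cert_key_algo` and `classify_cert` functions; an `id-ecPublicKey` result means the traffic is ECC-protected and must transit the firewall inline to be decrypted.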