Do your security and compliance requirements prevent you from storing Transport Layer
Security (TLS) private keys directly on your Prisma® Access service infrastructure
for SSL decryption? This feature lets you integrate Prisma Access with AWS CloudHSM
or an on-premises hardware security module (HSM) so that the issuing Certificate
Authority (CA) private key used for SSL decryption is stored and managed outside the
platform; the HSM performs the signing operations, and the private key never has to
reside on Prisma Access infrastructure.

SSL decryption on Prisma Access requires that you either bring your own public key
infrastructure (PKI) or create a new self-signed PKI within Prisma Access. The
forward trust (issuing CA) certificate, with its public and private key, is what
Prisma Access uses to generate new certificates on the fly for the sites and domains
that users visit. Without this integration, Prisma Access stores all cryptographic
secrets, including the private key of the forward trust CA, in the configuration file
that resides on the Prisma Access service infrastructure and on every Security
Processing Node (SPN) that is part of the tenant. Some customers' security and
compliance requirements do not allow that TLS private key to be present on Prisma
Access infrastructure or on SPNs; this feature addresses that requirement.
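The following shell script is an added example and is not Prisma Access or Palo Alto Networks code. It shows the forward-trust mechanism described above with OpenSSL: a forward trust CA mints a short-lived leaf certificate for a visited domain, and the CA private key lives only in a directory that stands in for the external HSM while the decrypting side holds just the CA certificate and the per-site leaf key. The directory names, the CA subject, and the domain `example.com` are assumptions chosen for the example; a real deployment would drive the signing step through the HSM's PKCS#11 interface rather than a file on disk.

```shell
#!/bin/sh
# Added example (not Prisma Access code): a forward-trust CA mints a leaf
# certificate for a visited domain. The CA private key is written only under
# HSM_DIR, which stands in for the external HSM; PROXY_DIR is what the
# decrypting node would hold (CA certificate plus per-site leaf material).
set -eu

WORK="${WORK:-$(mktemp -d)}"
HSM_DIR="$WORK/hsm"      # assumption: stands in for the HSM boundary
PROXY_DIR="$WORK/proxy"  # assumption: what the decrypting node holds

# Create the forward trust CA. The private key stays under HSM_DIR; only the
# certificate (public part) is copied to the proxy side.
make_forward_trust_ca() {
    mkdir -p "$HSM_DIR" "$PROXY_DIR"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Example Forward Trust CA" \
        -keyout "$HSM_DIR/forward-trust-ca.key" \
        -out "$HSM_DIR/forward-trust-ca.crt" >/dev/null 2>&1
    chmod 600 "$HSM_DIR/forward-trust-ca.key"
    cp "$HSM_DIR/forward-trust-ca.crt" "$PROXY_DIR/forward-trust-ca.crt"
}

# Mint a leaf certificate for a visited domain ($1). The proxy side generates
# the leaf key and CSR; only the signing step needs the CA private key, and
# that is the operation an HSM would perform on the platform's behalf.
mint_site_cert() {
    domain="$1"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$domain" \
        -keyout "$PROXY_DIR/$domain.key" \
        -out "$PROXY_DIR/$domain.csr" >/dev/null 2>&1
    printf 'subjectAltName=DNS:%s\n' "$domain" > "$PROXY_DIR/$domain.ext"
    openssl x509 -req -sha256 -days 7 \
        -in "$PROXY_DIR/$domain.csr" \
        -CA "$HSM_DIR/forward-trust-ca.crt" \
        -CAkey "$HSM_DIR/forward-trust-ca.key" \
        -CAcreateserial -extfile "$PROXY_DIR/$domain.ext" \
        -out "$PROXY_DIR/$domain.crt" >/dev/null 2>&1
}

# Check that the minted leaf chains to the forward trust CA certificate the
# proxy holds and that it carries the expected subjectAltName. Returns 0 on
# success, non-zero otherwise.
verify_site_cert() {
    domain="$1"
    openssl verify -CAfile "$PROXY_DIR/forward-trust-ca.crt" \
        "$PROXY_DIR/$domain.crt" >/dev/null 2>&1 \
    && openssl x509 -in "$PROXY_DIR/$domain.crt" -noout -text \
        | grep -q "DNS:$domain"
}

# The decrypting side must not hold the CA private key: returns 0 if absent.
proxy_has_no_ca_key() {
    [ ! -e "$PROXY_DIR/forward-trust-ca.key" ]
}

make_forward_trust_ca
mint_site_cert example.com
verify_site_cert example.com \
    && echo "leaf for example.com chains to the forward trust CA"
proxy_has_no_ca_key \
    && echo "CA private key is present only under $HSM_DIR"
```

The separation is the point: everything the decrypting node needs to present a certificate for a visited site can live beside it, but the one secret that lets anyone impersonate every site, the forward trust CA private key, only has to be reachable by the signing step. Moving that step into an HSM is what keeps the key off the configuration file.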