A customer bought a wildcard certificate for *.xxx.it issued by a trusted public CA. The certificate chain was: DigiCert Root CA --> Thawte (intermediate CA) --> wildcard certificate.
He wanted to use this certificate for SSL decryption, but it was not working.
First we checked the wildcard certificate itself.
The certificate details show clearly that the wildcard certificate is not a CA certificate: its X.509 Basic Constraints extension does not carry the CA:TRUE flag, so it is an end-entity (server) certificate only.
The documentation states that the SSL decryption certificate must be a CA certificate for which the firewall holds both the public and the private key, because the firewall uses it to re-issue (re-sign) the server certificates it presents to clients.
You can recognize a CA certificate by looking at the certificate details on the firewall:
The customer therefore cannot use the wildcard certificate as the SSL decryption certificate; a public CA issues it as a server certificate, never as a CA certificate. He can still use it for management access to the firewall by replacing the built-in server certificate with the wildcard certificate. For SSL decryption he needs a CA certificate whose private key the firewall holds, typically a self-signed CA generated on the firewall or a subordinate CA issued by the organization's internal PKI, with the corresponding root trusted by the clients.
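The same check can be done with openssl before uploading a certificate to the firewall. The script below is an added example, not part of the original article or of any vendor tool: it constructs two certificates (a self-signed CA with CA:TRUE, and a wildcard server certificate for *.xxx.it signed by it, standing in for the purchased certificate), then tests each one for the two properties the article names, the CA flag in Basic Constraints and a matching private key. All names, paths and subjects are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): reproduce the firewall's
# "is this a CA certificate with its key pair" check using openssl on two
# constructed certificates. Requires the openssl command-line tool.
set -e

# Returns 0 when the X.509 Basic Constraints extension says CA:TRUE,
# i.e. the certificate may sign (re-issue) server certificates; 1 otherwise.
is_ca_cert() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'X509v3 Basic Constraints' \
    | grep -q 'CA:TRUE'
}

# Returns 0 when the private key in $2 belongs to the certificate in $1.
# The decryption certificate must be installed together with its private key.
has_matching_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# Both conditions the article requires for an SSL decryption certificate.
usable_for_decryption() {
  is_ca_cert "$1" && has_matching_key "$1" "$2"
}

# Build the two constructed certificates in directory $1 (assumed names).
make_demo_certs() {
  dir="$1"
  # Self-signed CA: CA:TRUE plus keyCertSign, as a forward-trust CA would have.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$dir/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/ca.key" \
    -out "$dir/ca.csr" -subj "/CN=Example Forward Trust CA" 2>/dev/null
  openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 1 \
    -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null

  # Wildcard server certificate: CA:FALSE, like one bought from a public CA.
  printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:*.xxx.it,DNS:xxx.it\n' \
    > "$dir/wildcard.ext"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/wildcard.key" \
    -out "$dir/wildcard.csr" -subj "/CN=*.xxx.it" 2>/dev/null
  openssl x509 -req -in "$dir/wildcard.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1 -extfile "$dir/wildcard.ext" -out "$dir/wildcard.crt" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_demo_certs "$demo_dir"
for name in ca wildcard; do
  if usable_for_decryption "$demo_dir/$name.crt" "$demo_dir/$name.key"; then
    echo "$name.crt: CA:TRUE and matching private key, usable as SSL decryption certificate"
  else
    echo "$name.crt: not usable for SSL decryption (no CA:TRUE or no matching key); server/management use only"
  fi
done
rm -rf "$demo_dir"
```

To test a real purchased certificate, run `is_ca_cert` and `has_matching_key` against the PEM files you were given; a certificate from a public CA will fail the first check, which is exactly the symptom described above.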