# TLS Inspection (Sub CA) Certificate

{% hint style="warning" %}
SCEPman Enterprise Edition only
{% endhint %}

{% hint style="info" %}
This feature requires version **2.4** or above
{% endhint %}

In some use cases, you may need to issue a Sub CA of the SCEPman RootCA, e.g. for a firewall that inspects TLS traffic. In this form, you can manually generate a Sub CA certificate with **Server Authentication** as EKU. The resulting PKCS#12 file is encrypted with the password shown on the screen. Using that password, you can import the PKCS#12 file directly into the system where it is needed.

{% hint style="warning" %}
Be aware that once you navigate away from this page, the password will no longer be accessible.
{% endhint %}

<figure><img src="https://2535731700-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LoGejQeUQcw7lqnQ3WX%2Fuploads%2FcQwgKmyjxqomYXHZfnii%2Fimage.png?alt=media&#x26;token=24751248-98ea-42ab-a70e-4104de1c526a" alt=""><figcaption></figcaption></figure>
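A pre-import check for the downloaded file, as an added example that is not part of the SCEPman documentation: it confirms that the PKCS#12 holds a CA certificate with the Server Authentication EKU and prints issuer, subject and expiry for comparison. The function name `check_subca_p12` and the `P12_PASS` environment variable are assumptions, and the `openssl` command-line tool must be installed.

```shell
#!/bin/sh
# Added example: check a Sub CA PKCS#12 before importing it into a TLS-inspecting device.
# Assumed names: check_subca_p12, P12_PASS. The password is read from the environment
# so it does not appear in the process list.
# Exit status: 0 = CA certificate with Server Authentication EKU, 1 = wrong profile,
#              2 = file unreadable, password missing or wrong.
check_subca_p12() {
    p12_file=$1
    [ -r "$p12_file" ] || { echo "cannot read: $p12_file" >&2; return 2; }
    [ -n "${P12_PASS:-}" ] || { echo "P12_PASS is not set" >&2; return 2; }

    # -nokeys keeps the private key out of the output; -clcerts selects the
    # certificate that belongs to the key (the Sub CA), not the chain above it.
    cert_text=$(openssl pkcs12 -in "$p12_file" -passin env:P12_PASS -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -text 2>/dev/null) || {
        echo "cannot decrypt or parse $p12_file (wrong password?)" >&2
        return 2
    }

    case $cert_text in
        *CA:TRUE*) ;;
        *) echo "basicConstraints is not CA:TRUE" >&2; return 1 ;;
    esac
    case $cert_text in
        *"TLS Web Server Authentication"*) ;;
        *) echo "Server Authentication EKU is missing" >&2; return 1 ;;
    esac

    # Show who issued the Sub CA and when it expires, for a manual comparison
    # against the SCEPman RootCA.
    printf '%s\n' "$cert_text" | grep -E '^[[:space:]]*(Issuer:|Subject:|Not After)'
    return 0
}
```

Export `P12_PASS` with the password shown on the screen, then run `check_subca_p12` with the path of the downloaded file.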
