How does a firewall administrator that creates a certificate on the firewall mark it for use in an SSL Forward Proxy configuration?

add a certificate tag in the Decryption policy rule
configure a trust certificate in the Decryption Profile
set the Forward Trust Certificate property of the certificate itself
map the certificate to the URL in the SSL/TLS Service Profile