https://live.paloaltonetworks.com/t5/general-topics/acme-and-ssl-decryption/m-p/1226609#M124003 <P>Hello,</P> <P>Yes an expired certificate will give users with cert errors. If you have internal certificate servers for active directory, use that instead since all the machines will already trust it. You can generate a self signed certificate from the firewall and copy it to all the clients so they accept it.</P> <P>&nbsp;</P> <P>Regards,</P> Tue, 15 Apr 2025 18:53:04 GMT OtakarKlier 2025-04-15T18:53:04Z https://live.paloaltonetworks.com/t5/general-topics/acme-and-ssl-decryption/m-p/1226498#M123982 <P>So i recently got wind of this:</P> <P>&nbsp;</P> <P><A href="https://www.thesslstore.com/blog/47-day-ssl-certificate-validity-by-2029/" target="_blank">https://www.thesslstore.com/blog/47-day-ssl-certificate-validity-by-2029/</A></P> <P>&nbsp;</P> <P>acme.sh and/or certbot takes care of the servers, but won't this break existing SSL decryption rules?</P> <P>Any strategies/workarounds for this? tia</P> <P>&nbsp;</P> Tue, 15 Apr 2025 02:25:34 GMT https://live.paloaltonetworks.com/t5/general-topics/acme-and-ssl-decryption/m-p/1226498#M123982 itassetbenilde 2025-04-15T02:25:34Z https://live.paloaltonetworks.com/t5/general-topics/acme-and-ssl-decryption/m-p/1226609#M124003 <P>Hello,</P> <P>Yes an expired certificate will give users with cert errors. If you have internal certificate servers for active directory, use that instead since all the machines will already trust it. You can generate a self signed certificate from the firewall and copy it to all the clients so they accept it.</P> <P>&nbsp;</P> <P>Regards,</P> Tue, 15 Apr 2025 18:53:04 GMT https://live.paloaltonetworks.com/t5/general-topics/acme-and-ssl-decryption/m-p/1226609#M124003 OtakarKlier 2025-04-15T18:53:04Z