https://live.paloaltonetworks.com/t5/general-topics/csr-certificate-issue/m-p/300945#M78600 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/105432">@karthikeyanB</a>,</P><P>Generating the CSR from the firewall or generating it from a server doesn't matter, as long as you input the proper information either one works perfectly fine. The advantage to generating the CSR on a server is that you can add multiple SANs, which may be exactly why they did it that way in the first place.&nbsp;</P> Wed, 27 Nov 2019 04:12:25 GMT BPry 2019-11-27T04:12:25Z https://live.paloaltonetworks.com/t5/general-topics/csr-certificate-issue/m-p/300750#M78563 <P>Hello Team,</P><P>&nbsp;</P><P>Three year before ,One of my customer is generated the certificate from linux machine and sent it to comodo for third party sign.</P><P>Now they got new palo alto firewall and he is trying to install that certificate on palo alto but while installing certificate we are facing "Mismatched Public and Private keys"&nbsp;<BR /><BR /></P><P>I have one more doubt that, in order for creating a External CA signed certificate. What is the proper way to achieve it whether by generating the CSR from a Linux machine (or) CSR that generated by the PA Firewall itself. Do clarify me on the same. Thanks in advance !!</P><P>&nbsp;</P><P>Best Regards,</P><P>Karthikeyan Balamurugan</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>Regards</P><P>Karthikeyan Balamurugan</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 26 Nov 2019 11:53:33 GMT https://live.paloaltonetworks.com/t5/general-topics/csr-certificate-issue/m-p/300750#M78563 karthikeyanB 2019-11-26T11:53:33Z https://live.paloaltonetworks.com/t5/general-topics/csr-certificate-issue/m-p/300818#M78576 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/105432">@karthikeyanB</a>&nbsp;</P><P>&nbsp;</P><P>Definitely creating the CSR on the FW is the correct way to do it.</P><P>&nbsp;</P><P>If the error is mismatched private/public keys, then... they will need to export the cert AND the private key, and import on the FW.</P><P>&nbsp;</P><P>To be fair, I think the best thing to do,.. create the CSR on the FW and ask Comodo to sign it. As they have already paid for the cert, I do not see Comodo pushing back on this request... I have lost my certificate signing requests before and create a new one with out issue.</P><P>Granted.. it would have to be identical name/CN to for it to be re-signed at no charge.</P> Tue, 26 Nov 2019 18:18:43 GMT https://live.paloaltonetworks.com/t5/general-topics/csr-certificate-issue/m-p/300818#M78576 S.Cantwell 2019-11-26T18:18:43Z https://live.paloaltonetworks.com/t5/general-topics/csr-certificate-issue/m-p/300945#M78600 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/105432">@karthikeyanB</a>,</P><P>Generating the CSR from the firewall or generating it from a server doesn't matter, as long as you input the proper information either one works perfectly fine. The advantage to generating the CSR on a server is that you can add multiple SANs, which may be exactly why they did it that way in the first place.&nbsp;</P> Wed, 27 Nov 2019 04:12:25 GMT https://live.paloaltonetworks.com/t5/general-topics/csr-certificate-issue/m-p/300945#M78600 BPry 2019-11-27T04:12:25Z