topic Re: Generating SSL Decryption Forward Trust Cert for an HA Pair via Panorama? in General Topics https://live.paloaltonetworks.com/t5/general-topics/generating-ssl-decryption-forward-trust-cert-for-an-ha-pair-via/m-p/302768#M78876 <P>Hello there.</P><P>&nbsp;</P><P>I would have presumed that your CN or Common Name is either IP or FQDN name (which both FW would synch between them)</P><P>So in your template, your inside IP for both FWs is the same.. ( right??? ) and the FDQN name (if you used this for your CN) is the same on both FWs.</P><P>&nbsp;</P><P>I guess, I am trying to determine if you used a wildcard cert on ALL firewalls?</P><P>&nbsp;</P><P>So no, it should not be a problem to push the cert to both FWs.</P><P>&nbsp;</P><P>Are there any other details that would create a difference (SNs are not included in differences).</P><P>&nbsp;</P><P>Also, what is your methodology to get the cert onto all end user browsers (IE, Edge, Chrome, Firefox, Safari, Opera, etc)</P><P>Please advise.</P> Mon, 09 Dec 2019 19:53:53 GMT S.Cantwell 2019-12-09T19:53:53Z Generating SSL Decryption Forward Trust Cert for an HA Pair via Panorama? https://live.paloaltonetworks.com/t5/general-topics/generating-ssl-decryption-forward-trust-cert-for-an-ha-pair-via/m-p/302736#M78874 <P><SPAN>I've successfully rolled out SSL Decryption on a bunch of non-HA firewalls via Panorama. Generating the .CSR, signing it with my CA, and then importing the .CER but I'm wondering if this is going to work with my HA Pair because I'm guessing that I'll have to have two different certs because there's two different physical boxes. Has anyone done this before?</SPAN></P> Mon, 09 Dec 2019 18:53:31 GMT https://live.paloaltonetworks.com/t5/general-topics/generating-ssl-decryption-forward-trust-cert-for-an-ha-pair-via/m-p/302736#M78874 Thomas_Dzubin 2019-12-09T18:53:31Z Re: Generating SSL Decryption Forward Trust Cert for an HA Pair via Panorama? https://live.paloaltonetworks.com/t5/general-topics/generating-ssl-decryption-forward-trust-cert-for-an-ha-pair-via/m-p/302768#M78876 <P>Hello there.</P><P>&nbsp;</P><P>I would have presumed that your CN or Common Name is either IP or FQDN name (which both FW would synch between them)</P><P>So in your template, your inside IP for both FWs is the same.. ( right??? ) and the FDQN name (if you used this for your CN) is the same on both FWs.</P><P>&nbsp;</P><P>I guess, I am trying to determine if you used a wildcard cert on ALL firewalls?</P><P>&nbsp;</P><P>So no, it should not be a problem to push the cert to both FWs.</P><P>&nbsp;</P><P>Are there any other details that would create a difference (SNs are not included in differences).</P><P>&nbsp;</P><P>Also, what is your methodology to get the cert onto all end user browsers (IE, Edge, Chrome, Firefox, Safari, Opera, etc)</P><P>Please advise.</P> Mon, 09 Dec 2019 19:53:53 GMT https://live.paloaltonetworks.com/t5/general-topics/generating-ssl-decryption-forward-trust-cert-for-an-ha-pair-via/m-p/302768#M78876 S.Cantwell 2019-12-09T19:53:53Z