Resolved! SSL certificate for passive firewall
There is an active passive pair having SSL certificate (management only) with different CNAMES (its own management IP).
While the CSR generation and certificate import (signed by ECA) is successful on active peer, the CSR generated on passive peer is
...