Using Panorama 6.0.0.

Followed the work instruction here: How to Generate a CSR and Import the Signed CA Certificate.

I create the certificate signing request, populating all required parameters.

I am using Venafi for certificate management. Venafi enforces a certificate policy so all my certificates have correct parameters when they are issued. It includes some parameters that differ from the parameters in the CSR. Unless the parameters match exactly, the certificate does not import correctly. There is no way to make them explicitly match up when you attempt to add a Subject Alternate Name field (for use with DNS aliases and/or NAT'ed management interfaces, for example).

I am left with the choice to violate certificate policy, or to not have internally signed certificates on Panorama. The Panorama host CSR generation tool does not accept the signed certificate if any parameters are different.

Will there be a way to associate the CSR to an imported certificate? Will there be a way to add freeform x509 attributes to the CSR?

I got this working, and Panorama validated the CSR using the imported-but-non-compliant certificate. I committed and saved the configuration; however, the certificate still displays as self-signed to a new browser session when managing the target device. Is a reboot or other poke of Panorama required?