So I'm installing new User-ID agents on new DCs, and from everything I've read so far, Palo didn't provide correct built-in certs. And the answer is to create new (self-signed / Microsoft CA certs) and use those. Of course, there are no instructions for what really needs to get done.
So if I understand it correctly, I need to have the Palo create a cert request and have it filled by my CA, as well as for each DC, then convert it to PEM so I can get it into each of these. And since my Palo is in HA (active/passive), I need a cert for each one, right?
And then on the CA side of things (which I'm sure is outside of the Palo side of things): I have a XXX.local for internal stuff, but then externally I have a xxx.org (which is also used for some internal servers that aren't externally available). Can my CA even give out certs for it? (I'm sure I can get around it, but it makes everything weird, as the Palo has its hostname as the .org for several of its settings.)
Posted 10 months ago