We had an issue with the VPN to our lab yesterday, so I got to learn a ton about managing certs on a PAN NGFW. :smug:
Key takeaways - you really want someone who knows good PKI practices to handle certs. When they're all in there ad hoc, things expire and then other things break.