diff --git a/dev/ssldecrypt/config.go b/dev/ssldecrypt/config.go
index 70fc821f..eea07093 100644
--- a/dev/ssldecrypt/config.go
+++ b/dev/ssldecrypt/config.go
@@ -137,9 +137,10 @@ type sdec struct {
 }

 type sdecEntry struct {
- Name string `xml:"name,attr"`
- Description string `xml:"description,omitempty"`
- Exclude string `xml:"exclude"`
+ XMLName xml.Name `xml:"entry"`
+ Name string `xml:"name,attr"`
+ Description string `xml:"description,omitempty"`
+ Exclude string `xml:"exclude"`
 }

 func specify_v1(e Config) interface{} {
diff --git a/dev/ssldecrypt/fw.go b/dev/ssldecrypt/fw.go
index a6840a9e..d1694373 100644
--- a/dev/ssldecrypt/fw.go
+++ b/dev/ssldecrypt/fw.go
@@ -40,6 +40,40 @@ func (c *Firewall) DeleteTrustedRootCa(vsys, name string) error {
 return err
 }

+// SetSslDecryptExcludeCertificate adds a SSL decrypt exclude certificate.
+func (c *Firewall) SetSslDecryptExcludeCertificate(vsys string, e SslDecryptExcludeCertificate) error {
+ c.ns.Client.LogAction("(set) %s ssl decrypt exclude certificate: %s", singular, e.Name)
+
+ path, err := c.xpath(vsys)
+ if err != nil {
+ return err
+ }
+ path = append(path, "ssl-exclude-cert")
+
+ ei := sdecEntry{
+ Name: e.Name,
+ Description: e.Description,
+ Exclude: util.YesNo(e.Exclude),
+ }
+
+ _, err = c.ns.Client.Set(path, ei, nil, nil)
+ return err
+}
+
+// DeleteSslDecryptExcludeCertificate removes a SSL decrypt exclude certificate.
+func (c *Firewall) DeleteSslDecryptExcludeCertificate(vsys, name string) error {
+ c.ns.Client.LogAction("(delete) %s ssl decrypt exclude certificate: %s", singular, name)
+
+ path, err := c.xpath(vsys)
+ if err != nil {
+ return err
+ }
+ path = append(path, "ssl-exclude-cert", util.AsEntryXpath([]string{name}))
+
+ _, err = c.ns.Client.Delete(path, nil, nil)
+ return err
+}
+
 // Get performs GET to retrieve configuration for the given object.
 func (c *Firewall) Get(vsys string) (Config, error) {
 ans := c.container()
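Review bot: The new `XMLName` field on `sdecEntry` has no comment explaining why it is there, and its purpose only becomes clear from the Set calls added in fw.go and pano.go, which marshal a standalone `sdecEntry`. I would add `// XMLName makes a standalone sdecEntry marshal as <entry> when it is sent on its own to ssl-exclude-cert.` above the field. The parent `sdec` struct is outside this hunk; encoding/xml reports a name conflict when a field tag and the element type's XMLName tag disagree, so confirm the slice field that holds these entries is also tagged `entry`.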
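Review bot: `DeleteSslDecryptExcludeCertificate` hands `name` straight to `util.AsEntryXpath` with no check, and `SetSslDecryptExcludeCertificate` likewise sends `e.Name` unvalidated. The helper is not visible in this diff; if it falls back to a bare `entry` step for an empty name, or places the name inside a quoted predicate without escaping, a blank or quote-bearing name would make the delete address more than the one intended entry under `ssl-exclude-cert`. Because these entries control which TLS traffic is left undecrypted, a guard at the top of both functions is worthwhile, for example `if name == "" { return fmt.Errorf("name must be specified") }` (importing `fmt` if fw.go does not already). The Panorama variants in pano.go have the same gap.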
diff --git a/dev/ssldecrypt/pano.go b/dev/ssldecrypt/pano.go
index 22bed3bd..b092a373 100644
--- a/dev/ssldecrypt/pano.go
+++ b/dev/ssldecrypt/pano.go
@@ -40,6 +40,40 @@ func (c *Panorama) DeleteTrustedRootCa(tmpl, ts, vsys, name string) error {
 return err
 }

+// SetSslDecryptExcludeCertificate adds a SSL decrypt exclude certificate.
+func (c *Panorama) SetSslDecryptExcludeCertificate(tmpl, ts, vsys string, e SslDecryptExcludeCertificate) error {
+ c.ns.Client.LogAction("(set) %s ssl decrypt exclude certificate: %s", singular, e.Name)
+
+ path, err := c.xpath(tmpl, ts, vsys)
+ if err != nil {
+ return err
+ }
+ path = append(path, "ssl-exclude-cert")
+
+ ei := sdecEntry{
+ Name: e.Name,
+ Description: e.Description,
+ Exclude: util.YesNo(e.Exclude),
+ }
+
+ _, err = c.ns.Client.Set(path, ei, nil, nil)
+ return err
+}
+
+// DeleteSslDecryptExcludeCertificate removes a SSL decrypt exclude certificate.
+func (c *Panorama) DeleteSslDecryptExcludeCertificate(tmpl, ts, vsys, name string) error {
+ c.ns.Client.LogAction("(delete) %s ssl decrypt exclude certificate: %s", singular, name)
+
+ path, err := c.xpath(tmpl, ts, vsys)
+ if err != nil {
+ return err
+ }
+ path = append(path, "ssl-exclude-cert", util.AsEntryXpath([]string{name}))
+
+ _, err = c.ns.Client.Delete(path, nil, nil)
+ return err
+}
+
 // Get performs GET to retrieve configuration for the given object.
 func (c *Panorama) Get(tmpl, ts, vsys string) (Config, error) {
 ans := c.container()
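Review bot: The `(set)` LogAction line in `SetSslDecryptExcludeCertificate` records only `e.Name`, so the action log does not show whether the entry was written with the exclude flag on or off. That flag presumably decides whether matching traffic bypasses decryption, so an audit reader would want it in the record: `c.ns.Client.LogAction("(set) %s ssl decrypt exclude certificate: %s (exclude: %s)", singular, e.Name, util.YesNo(e.Exclude))`. The identical line in the Firewall variant in fw.go would take the same change.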