SSL Deployments

Hi,
I am new to HAProxy, and in our quality environment I have a scenario that works great without SSL.
Now I want to test with SSL. My scenario is:
OS: Alpine Linux 3.12 (Linux Kernel 5.4.43-1-lts).
HAProxy: 2.1.4

I have read the HAProxy Deployment guide - Infrastructure Layouts Involving TLS. I have tested the SSL/TLS pass-through mode and it seems to work more or less well, but in the browser the certificate is highlighted as not valid. If I access the web server directly, the certificate is considered valid.

Do I have to add the FQDN of the HAProxy server to the SAN attribute of the web server certificate?

The other option that I have considered is the SSL/TLS bridging or re-encryption mode. If I have understood correctly, I need the web server certificate and the private key merged in the same .pem file. Although I am able to generate the certificates for our web servers, I do not have the private key (we are the CA). So I cannot use this mode, right?

Thanks.

Update:
I have tried the SSL/TLS bridging or re-encryption mode. I generated the CSR and private key on the HAProxy server like this:

openssl req -newkey rsa:4096 -keyout privatekey.key -out haproxy.csr

I generated the certificate from the CSR and merged it with the intermediate and root certificates like this:

-----BEGIN CERTIFICATE-----
certificate haproxy server
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
intermediate certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
root ca certificate
-----END CERTIFICATE-----
-----BEGIN ENCRYPTED PRIVATE KEY-----
private key
-----END ENCRYPTED PRIVATE KEY-----

Now, when I access it, I am told that the certificate is not valid, and when I open the certificate from the browser, “Certificate Path” says “This Certificate is OK”.

Do you have any idea why the browser tells me that it is not valid?
Another thing I have noticed is that when I restart the haproxy service, I am asked to "Enter PEM pass phrase". How can I avoid this?

Thanks for the help.

Note:
To avoid being asked for the pass phrase:

openssl rsa -in privatekey_with_pass.key -out privatekey.key

Fixed.
The root cause was that the certificate did not have a SAN attribute. When I added the SAN attribute to the CSR, the browser showed the certificate as valid.
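
The fix described above, as an added example that is not part of the original post: generate the key and a CSR that already carries the SAN, then confirm the SAN is present before sending the CSR to the CA and again in the certificate that comes back. The function names and the `example.test` hostnames are assumptions made for illustration, and `-addext` requires OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example; hostnames are constructed placeholders, not from the post.

# Create an unencrypted key (no pass phrase prompt at HAProxy restart) and a
# CSR with subjectAltName entries. $1 = output prefix, $2 = primary DNS name,
# remaining arguments = additional DNS names.
make_csr_with_san() {
    prefix=$1; cn=$2; shift 2
    san="DNS:$cn"
    for name in "$@"; do san="$san,DNS:$name"; done
    # umask 077 keeps the unencrypted key readable by its owner only.
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes \
          -keyout "$prefix.key" -out "$prefix.csr" \
          -subj "/CN=$cn" -addext "subjectAltName=$san" 2>/dev/null )
}

# Print the DNS SAN entries of a CSR or certificate, one per line.
# $1 = "req" for a CSR or "x509" for a certificate, $2 = PEM file.
list_san() {
    openssl "$1" -in "$2" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Succeed only if the SAN list contains the exact name (no wildcard matching).
has_san() {
    list_san "$1" "$2" | grep -qxF "$3"
}

# Demo: run as "sh script.sh demo" to see the check on a fresh CSR.
if [ "${1:-}" = "demo" ]; then
    dir=$(mktemp -d)
    make_csr_with_san "$dir/haproxy" haproxy.example.test www.example.test
    list_san req "$dir/haproxy.csr"
    has_san req "$dir/haproxy.csr" haproxy.example.test && echo "SAN present"
    rm -rf "$dir"
fi
```

Run `has_san x509 issued.crt <name>` on the certificate returned by the CA as well, since a CA can issue from a CSR without carrying the requested SAN into the certificate.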