Troubleshooting Tip: How to troubleshoot an Unknown CA error for a managed FortiGate in FortiAIOps
| Description | This article describes a communication issue between FortiGate and FortiAIOps caused by an Unknown CA error. When FortiAIOps attempts to discover or manage a FortiGate, the connection may fail because certificate validation fails. The error indicates that the certificate presented by FortiGate is signed by a Certificate Authority that is not trusted in FortiAIOps. |
| Scope | FortiOS (all versions) and FortiAIOps (all versions). |
| Solution | Communication between FortiAIOps and FortiGate is secured using SSL/TLS encryption. FortiAIOps can successfully discover a FortiGate only when the certificate installed on the FortiGate is trusted. If the certificate is signed by an unknown Certificate Authority (CA), the discovery process will fail, and an 'Unknown CA' error will be displayed.
To resolve this issue, download the HTTPS CA certificate from the FortiGate and import it into FortiAIOps. In the FortiGate GUI, go to System -> Settings and select 'Download HTTPS CA Certificate'.
In the FortiAIOps GUI, go to System -> CA Certificates -> Install CA Certificate and upload the downloaded CA certificate.
After the CA certificate is successfully installed in FortiAIOps, the managed FortiGate is discovered successfully, and the status changes to Online.
It may take several minutes for FortiAIOps to retry the connection. If the issue persists, remove the FortiGate from FortiAIOps and add it again. |
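
Before uploading the file, it is worth confirming that the downloaded CA is the one that actually issued the certificate the FortiGate presents, since importing it adds a new trust anchor to FortiAIOps. The script below is an added example, not part of the original article or any Fortinet tooling; it assumes the `openssl` CLI is installed, and the function names, file name and host arguments are placeholders.

```shell
#!/bin/sh
# Added example: check a downloaded CA certificate before trusting it.
# Assumptions: openssl CLI available; <downloaded-ca.pem> and <fortigate-host>
# are placeholders supplied by the operator.

# Print the SHA-256 fingerprint of a PEM certificate so it can be compared
# with the fingerprint obtained from the FortiGate over a trusted channel.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Save the leaf certificate a server presents on its HTTPS port.
# $1 = host, $2 = port, $3 = output file
fetch_server_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$3"
}

# Return 0 only if the certificate in $2 chains to the CA in $1.
# -no-CApath keeps the system CA directory out of the decision.
issued_by_ca() {
    openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# $1 = downloaded CA file, $2 = FortiGate host, $3 = port (default 443)
check_before_import() {
    chk_ca="$1"; chk_host="$2"; chk_port="${3:-443}"
    chk_leaf="$(mktemp)" || return 2
    if ! fetch_server_cert "$chk_host" "$chk_port" "$chk_leaf"; then
        echo "ERROR: could not retrieve a certificate from $chk_host:$chk_port"
        rm -f "$chk_leaf"; return 2
    fi
    echo "CA SHA-256 fingerprint: $(cert_fingerprint "$chk_ca")"
    if issued_by_ca "$chk_ca" "$chk_leaf"; then
        echo "OK: server certificate chains to this CA"
        rm -f "$chk_leaf"; return 0
    fi
    echo "MISMATCH: this CA did not issue the certificate the server presents"
    rm -f "$chk_leaf"; return 1
}

# Run only when called with arguments: <downloaded-ca.pem> <fortigate-host> [port]
if [ "$#" -ge 2 ]; then
    check_before_import "$@"
fi
```

A MISMATCH result means importing that file will not clear the Unknown CA error, because the FortiGate is presenting a certificate issued by a different CA.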




