Technical Tip: How to change the CA certificate on a 'read-only' certificate inspection profile

Description

This article describes how to change the CA certificate used on a 'read-only' certificate inspection profile.

While changing the default 'Fortigate_CA_SSL' on the read-only certificate inspection profile, it ends up in error:

Cannot modify the read-only factory default profiles!
object set operator error, -657 discard the setting.

Scope

FortiGate.

Solution

It is recommended to clone or create a new SSL SSH profile rather than editing a read-only profile.
This is only recommended if there was a CA used in this profile in the past and has expired.

1. Double-check that the local certificate 'Fortinet_CA_SSL' is in the FortiGate.

config vpn certificate local
get <-- it displays only the names of all certificates

Or:

show

2. Create a CLI script: Go to Security Fabric -> Automation > Trigger and select 'Create New'.

• Choose trigger type: Schedule.
• Provide a Name.
• Frequency: Daily.
• Trigger Hour: 0.
• Trigger Minute: 1.
• SELECT 'OK'.

• Choose action type: CLI Script.
• Provide a Name.
• Enter the script.

 

config firewall ssl-ssh-profile

    edit certificate-inspection

        set caname <input the CA willing to be used> <----- For example Fortinet_CA_SSL.

end

 

• Select the administrator profile to use when executing the CLI script.
• SELECT 'OK'.

• Provide a Name.
• Chose Trigger.
• Chose Action.
• SELECT 'OK'.

 

 

  3. Go to Security Fabric -> Automation.  This script will be found under 'Schedule': Simply select it and do 'Test Automation Stitch'.

Disable it once it is successfully triggered.

 

 

8. Check changes ssl-ssh-profile via CLI on the FortiGate

 

config firewall ssl-ssh-profile
    edit "certificate-inspection"
get <-- or show.

 

9. The set name 'Fortinet_CA_SSL' will be visible.

 

Note:

This is for a very specific test case. Consider instead creating a new inspection profile that can be edited as needed, when needed.