March 17, 2026

Technical Tip: How to list the in-use, trusted root CA certificates on a FortiGate from CLI

Description
This article describes how to list the trusted root CA certificates that are loaded by the fnbamd process on a FortiGate from the CLI.
Scope
FortiGate.
Solution

The trusted root CA certificates on a FortiGate are published by Fortinet through the FortiGuard network and delivered to the device as the 'Certificate Bundle' update object, which is versioned and updated independently of the firmware.

 

To show the firmware version and the version of the certificate bundle currently installed on the device, the following commands can be used:

 

get sys stat | grep Version:

diagnose autoupdate versions | grep -A7 'Certificate Bundle'

 

Example output:

 

FortiGate # get sys stat | grep Version:
Version: FortiGate-201F v7.4.11,build2878,260126 (GA.M)

FortiGate # diagnose autoupdate versions | grep -A7 'Certificate Bundle'
Certificate Bundle
---------
Version: 1.00062
Contract Expiry Date: n/a
Last Updated using manual update on Fri Jan 9 21:57:00 2026
Last Update Attempt: n/a
Result: Updates Installed

 

The process responsible for validating certificates and their trust chain is the 'fnbamd' process (the FortiGate authentication daemon).

It loads the local CA certificate database into memory and verifies peer certificates against that in-memory list, not against the raw files on flash.

To list all root CA certificates currently loaded by fnbamd, the following command can be used:

 

diagnose test application fnbamd 3

 

Option 3 prints all trusted root CA certificates loaded by fnbamd. Running the command without an option prints the list of available options:

 

diagnose test application fnbamd
1. Show statistics
2. Show session list
3. Show CA list
4. Show CRL list
[...]

 

The certificate files themselves are stored on the FortiGate flash and can be listed with the following fnsysctl commands:

 

fnsysctl ls -al /etc/cert/
fnsysctl ls -al /etc/cert/ca
fnsysctl ls -al /etc/cert/crl/
fnsysctl ls -al /etc/cert/local
fnsysctl ls -al /etc/cert/remote
fnsysctl ls -al /tmp/cw_ca_list.pem

 

There can be a difference between the certificates actively loaded by the fnbamd process and the certificate files present on the filesystem.

The set of files on the flash may differ between devices; even devices of the same model and firmware version can have different certificate files stored on the flash, because some files can be left over from previous installations or bundle updates.

 

The file listing therefore cannot be used to verify which CA certificates are present on the system or which ones are loaded into fnbamd. To check which CA certificates the FortiGate actively trusts, use the command 'diagnose test application fnbamd 3'.

 

Examples:

 

FortiGate-A # fnsysctl ls -al /etc/cert/ca
...
lrwxrwxrwx 1 0 0 Mon Feb 2 12:09:07 2026 68 06dc52d5.0 -> /etc/cert/ca/root_SSL.com_EV_Root_Certification_Authority_RSA_R2.cer
-rw-r--r-- 1 0 0 Mon Feb 2 12:07:27 2026 2078 080911ac.0
lrwxrwxrwx 1 0 0 Mon Feb 2 12:09:07 2026 72 09789157.0 -> /etc/cert/ca/root_Starfield_Services_Root_Certificate_Authority_-_G2.cer
...


FortiGate-B # fnsysctl ls -al /etc/cert/ca
...
lrwxrwxrwx 1 0 0 Mon Feb 2 18:20:29 2026 68 06dc52d5.0 -> /etc/cert/ca/root_SSL.com_EV_Root_Certification_Authority_RSA_R2.cer
lrwxrwxrwx 1 0 0 Mon Feb 2 18:18:51 2026 38 080911ac.0 -> /etc/cert/ca/root_QuoVadis_Root_CA.cer
lrwxrwxrwx 1 0 0 Mon Feb 2 18:20:29 2026 72 09789157.0 -> /etc/cert/ca/root_Starfield_Services_Root_Certificate_Authority_-_G2.cer
...

 

The 8-hex-digit '.0' names follow the OpenSSL subject-hash convention, so the same CA gets the same name on every device; what differs here is how it is stored. On FortiGate-B the name 080911ac.0 is a symlink pointing to /etc/cert/ca/root_QuoVadis_Root_CA.cer, while on FortiGate-A the same name is a regular file of 2078 bytes. In both cases this certificate is not loaded into the fnbamd process, so the presence of the file on flash says nothing about whether the CA is trusted.
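The following script is an added example, not Fortinet code or part of the original article. It parses the two kinds of CLI output shown above, the 'Certificate Bundle' section of 'diagnose autoupdate versions' and the 'fnsysctl ls -al /etc/cert/ca' listings of FortiGate-A and FortiGate-B, and reports entries that exist on only one device or are stored differently (symlink versus regular file, or different symlink target). The sample strings are copied from the article's listings; the parser assumes the column layout shown there (mode, links, uid, gid, date, size, name, optional '-> target').

```python
"""Added example (not Fortinet code): parse FortiGate CLI output from the article
and compare the /etc/cert/ca listings of two devices.

Assumption: `fnsysctl ls -al` prints
  mode links uid gid  Day Mon dd HH:MM:SS yyyy  size name [-> target]
as in the article, and `diagnose autoupdate versions` has a 'Certificate Bundle'
section followed by a 'Version:' line.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Sample output constructed from the article's listings (prompt and '...' lines kept on purpose).
AUTOUPDATE_SAMPLE = """\
FortiGate # diagnose autoupdate versions | grep -A7 'Certificate Bundle'
Certificate Bundle
---------
Version: 1.00062
Contract Expiry Date: n/a
Last Updated using manual update on Fri Jan 9 21:57:00 2026
Last Update Attempt: n/a
Result: Updates Installed
"""

DEVICE_A = """\
FortiGate-A # fnsysctl ls -al /etc/cert/ca
...
lrwxrwxrwx 1 0 0 Mon Feb 2 12:09:07 2026 68 06dc52d5.0 -> /etc/cert/ca/root_SSL.com_EV_Root_Certification_Authority_RSA_R2.cer
-rw-r--r-- 1 0 0 Mon Feb 2 12:07:27 2026 2078 080911ac.0
lrwxrwxrwx 1 0 0 Mon Feb 2 12:09:07 2026 72 09789157.0 -> /etc/cert/ca/root_Starfield_Services_Root_Certificate_Authority_-_G2.cer
...
"""

DEVICE_B = """\
FortiGate-B # fnsysctl ls -al /etc/cert/ca
...
lrwxrwxrwx 1 0 0 Mon Feb 2 18:20:29 2026 68 06dc52d5.0 -> /etc/cert/ca/root_SSL.com_EV_Root_Certification_Authority_RSA_R2.cer
lrwxrwxrwx 1 0 0 Mon Feb 2 18:18:51 2026 38 080911ac.0 -> /etc/cert/ca/root_QuoVadis_Root_CA.cer
lrwxrwxrwx 1 0 0 Mon Feb 2 18:20:29 2026 72 09789157.0 -> /etc/cert/ca/root_Starfield_Services_Root_Certificate_Authority_-_G2.cer
...
"""

# One `ls -al` row; prompt lines and '...' do not match and are skipped.
LS_LINE = re.compile(
    r"^(?P<mode>[-a-zA-Z]{10})\s+\d+\s+\d+\s+\d+\s+"          # mode links uid gid
    r"\w{3}\s+\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\d{4}\s+"  # Day Mon dd HH:MM:SS yyyy
    r"(?P<size>\d+)\s+(?P<name>\S+)"                          # size name
    r"(?:\s+->\s+(?P<target>\S+))?\s*$"                       # optional symlink target
)


@dataclass
class CaEntry:
    name: str
    is_symlink: bool
    size: int
    target: Optional[str]  # symlink target, None for regular files


def parse_ls(output: str) -> Dict[str, CaEntry]:
    """Parse `fnsysctl ls -al` output into a name -> CaEntry map."""
    entries: Dict[str, CaEntry] = {}
    for raw in output.splitlines():
        m = LS_LINE.match(raw.strip())
        if not m:
            continue
        entries[m["name"]] = CaEntry(
            name=m["name"],
            is_symlink=m["mode"].startswith("l"),
            size=int(m["size"]),
            target=m["target"],
        )
    return entries


def describe(e: CaEntry) -> str:
    return f"symlink -> {e.target}" if e.is_symlink else f"regular file, {e.size} bytes"


def diff_ca_dirs(a: Dict[str, CaEntry], b: Dict[str, CaEntry]) -> Dict[str, str]:
    """Names present on only one device, or stored differently on the two."""
    diffs: Dict[str, str] = {}
    for name in sorted(set(a) | set(b)):
        ea, eb = a.get(name), b.get(name)
        if ea is None:
            diffs[name] = "only on B"
        elif eb is None:
            diffs[name] = "only on A"
        elif ea.is_symlink != eb.is_symlink or (ea.is_symlink and ea.target != eb.target):
            diffs[name] = f"A: {describe(ea)}; B: {describe(eb)}"
    return diffs


def bundle_version(autoupdate_output: str) -> Optional[str]:
    """Return the 'Version:' value from the 'Certificate Bundle' section, or None."""
    in_section = False
    for line in autoupdate_output.splitlines():
        stripped = line.strip()
        if stripped == "Certificate Bundle":
            in_section = True
        elif in_section and stripped.startswith("Version:"):
            return stripped.split(":", 1)[1].strip()
    return None


if __name__ == "__main__":
    print("Certificate Bundle version:", bundle_version(AUTOUPDATE_SAMPLE))
    for name, why in diff_ca_dirs(parse_ls(DEVICE_A), parse_ls(DEVICE_B)).items():
        print(f"{name}: {why}")
```

Run stand-alone, it reports the bundle version 1.00062 and flags only 080911ac.0, which is a regular file on FortiGate-A and a symlink to root_QuoVadis_Root_CA.cer on FortiGate-B. This compares only what is on flash; the authoritative trusted list remains the output of 'diagnose test application fnbamd 3', whose format the article does not show, so the script does not attempt to parse it.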

 

Related article:

Technical Tip: How to View the Default Trusted CA Certificates on FortiGate