Troubleshooting Tip: The 'Fortinet_Factory' certificate shows 'CN = FortiGate' on FortiGate AWS PAYG instances

1. After deploying FortiGate on an AWS PAYG, the 'Fortinet_Factory' certificate shows 'CN = FortiGate' under Subject: .
   Check the 'Fortinet_Factory' certificate on the FortiGate with CLI commands as follows.

FGT # get vpn certificate local details | grep Fortinet_Factory -A6

== [ Fortinet_Factory ]

        Name:        Fortinet_Factory

        Subject:     C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = FortiGate, CN = FortiGate, emailAddress = support@fortinet.com

        Issuer:      C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = fortinet-subca2001, emailAddress = support@fortinet.com

        Valid from:  2023-08-28 04:05:33  GMT

        Valid to:    2056-05-26 20:48:33  GMT

        Fingerprint: 6D:A3:44:D1:93:49:09:5F:4E:3B:58:E8:01:7E:7C:6D:E1:66:22:F2:75:B5:6E:97:F5:72:3B:A7:AF:32:9A:18

        Serial Num:  11:55:11:55

== [ Fortinet_Factory_Backup ]

        Name:        Fortinet_Factory_Backup

        Subject:     C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = FortiGate, CN = FortiGate, emailAddress = support@fortinet.com

        Issuer:      C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = support, emailAddress = support@fortinet.com

        Valid from:  2023-08-28 04:05:33  GMT

        Valid to:    2038-01-18 22:34:39  GMT

        Fingerprint: 81:88:A5:28:E6:D5:D0:B1:3D:9C:57:DF:79:A8:56:E6:E6:99:C6:AE:97:77:24:C7:1C:FD:C9:8B:CE:5F:4B:AB

        Serial Num:  11:55:11:55

FGT #

2. Alternatively, the CN= field of Fortinet_Factory can be viewed directly from the GUI by navigating to System -> Certificates.
                                              
   
3. FortiGate AWS PAYG may have the issue, as CN under Subject: doesn’t display with the proper FortiGate serial number.

To fix:

1. Check FortiGate serial number or run the following CLI command:

FGT # get system status | grep Serial-Number

Serial-Number: FGTAWS1234567890

2. Run the following CLI command:

FGT # execute vm-license <FortiGate Serial number>

For example:

FGT # execute vm-license FGTAWS1234567890

This operation will reboot the system !

Do you want to continue? (y/n)y

FortiGate will reboot.

3. After FortiGate reboots, check 'Fortinet_Factory' certificate details again.

FGT # get vpn certificate local details | grep Fortinet_Factory -A6

== [ Fortinet_Factory ]

        Name:        Fortinet_Factory

        Subject:     C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = FortiGate, CN = FGTAWS1234567890, emailAddress = support@fortinet.com

        Issuer:      C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = fortinet-subca2001, emailAddress = support@fortinet.com

        Valid from:  2023-08-28 04:05:33  GMT

        Valid to:    2056-05-26 20:48:33  GMT

        Fingerprint: 6D:A3:44:D1:93:49:09:5F:4E:3B:58:E8:01:7E:7C:6D:E1:66:22:F2:75:B5:6E:97:F5:72:3B:A7:AF:32:9A:18

        Serial Num:  02:4d:07:3c

== [ Fortinet_Factory_Backup ]

        Name:        Fortinet_Factory_Backup

        Subject:     C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = FortiGate, CN = FGTAWS1234567890, emailAddress = support@fortinet.com

        Issuer:      C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = support, emailAddress = support@fortinet.com

        Valid from:  2023-08-28 04:05:33  GMT

        Valid to:    2038-01-18 22:34:39  GMT

        Fingerprint: 81:88:A5:28:E6:D5:D0:B1:3D:9C:57:DF:79:A8:56:E6:E6:99:C6:AE:97:77:24:C7:1C:FD:C9:8B:CE:5F:4B:AB

        Serial Num:  02:4d:07:3e

FGT #

4. It will show the proper CN under Subject: with the proper FortiGate serial number at the 'Fortinet_Factory' certificate after that.