Technical Tip: How to regenerate default certificates for FortiGate in FortiManager using a script
Description
This article describes how to regenerate the default certificates on FortiGate using a script run from FortiManager. Default certificates sometimes expire, or their private keys are compromised, in which case the certificates must be regenerated; when many FortiGates are affected, a FortiManager script allows the same commands to be run on all of them.
Scope
FortiManager, FortiGate.
Solution
Use the FortiGate commands shown below, and run them as a script with the 'Remote FortiGate Directly (via CLI)' option in FortiManager.
execute vpn certificate local generate default-gui-mgmt-cert
execute vpn certificate local generate default-ssl-ca
execute vpn certificate local generate default-ssl-ca-untrusted
execute vpn certificate local generate default-ssl-key-certs
execute vpn certificate local generate default-ssl-serv-key
Do this in FortiManager, under Device Manager -> Scripts -> Create New.

After creating the script, run it on the FortiGate(s) to regenerate the default certificates.

Review on the FortiGate: the relevant default certificates have been regenerated, and their validity dates correspond to the time the script was run. The serial number and fingerprints of each certificate have also been renewed.
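The review step above is easy to do by eye on one FortiGate but tedious across a fleet. The following Python script is an added example, not Fortinet code and not part of this article: it captures the certificate each FortiGate's HTTPS listener presents before and after the script runs, then checks that the fingerprint and serial changed and that the validity period starts at the time the script ran. It also classifies a certificate as expired or expiring, which is the condition that motivates regeneration in the first place. Host names, ports, the 5-minute clock-skew allowance and the sample data in demo() are constructed assumptions; the live fetch assumes the 'cryptography' package is installed.

```python
"""Verify that FortiGate default certificates were actually regenerated.

Added example (not Fortinet code). Fetches the certificate a FortiGate's
GUI/HTTPS listener presents, snapshots serial, fingerprint and validity, and
compares a 'before' snapshot with an 'after' snapshot taken once the
FortiManager script has run. Hosts and sample values are constructed.
"""
from __future__ import annotations

import hashlib
import socket
import ssl
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class CertInfo:
    serial: int
    sha256: str            # hex SHA-256 fingerprint over the DER certificate
    not_before: datetime   # timezone-aware UTC
    not_after: datetime    # timezone-aware UTC


def ts(s: str) -> datetime:
    """Parse 'YYYY-MM-DDTHH:MM' as a UTC timestamp (used for sample data)."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M").replace(tzinfo=timezone.utc)


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def fetch_cert_info(host: str, port: int = 443, timeout: float = 5.0) -> CertInfo:
    """Pull the certificate presented on host:port (assumed FortiGate GUI port).

    Verification is disabled on purpose: a self-signed default certificate
    will not chain to a trusted CA, and we only want to inspect it, not trust
    it. DER parsing uses the 'cryptography' package (assumed installed).
    """
    from cryptography import x509  # assumption: only needed for live checks

    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    cert = x509.load_der_x509_certificate(der)
    # Newer 'cryptography' releases expose tz-aware *_utc properties; older
    # ones return naive UTC datetimes, so normalise both to aware UTC.
    nb = getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before.replace(tzinfo=timezone.utc)
    na = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after.replace(tzinfo=timezone.utc)
    return CertInfo(serial=cert.serial_number, sha256=fingerprint(der), not_before=nb, not_after=na)


def classify_validity(info: CertInfo, now: datetime, warn_days: int = 30) -> str:
    """Return 'expired', 'expiring' (ends within warn_days) or 'valid'."""
    if now >= info.not_after:
        return "expired"
    if info.not_after - now <= timedelta(days=warn_days):
        return "expiring"
    return "valid"


def verify_regenerated(before: CertInfo, after: CertInfo, run_time: datetime,
                       skew: timedelta = timedelta(minutes=5)) -> list[str]:
    """List the problems found; an empty list means the regeneration checks out."""
    problems: list[str] = []
    if after.sha256 == before.sha256:
        problems.append("fingerprint unchanged: device still presents the old certificate")
    if after.serial == before.serial:
        problems.append("serial number unchanged")
    if after.not_before < run_time - skew:
        problems.append("not_before predates the script run: not a freshly generated certificate")
    if after.not_after <= after.not_before:
        problems.append("validity period is empty")
    return problems


def demo() -> tuple[str, list[str], list[str]]:
    """Run the checks on constructed sample snapshots (no network needed)."""
    old = CertInfo(serial=0x1001, sha256="aa" * 32,
                   not_before=ts("2019-01-01T00:00"), not_after=ts("2024-01-01T00:00"))
    new = CertInfo(serial=0x1002, sha256="bb" * 32,
                   not_before=ts("2024-06-01T10:00"), not_after=ts("2034-06-01T10:00"))
    run_time = ts("2024-06-01T09:58")   # FortiManager script start, constructed
    state_before = classify_validity(old, run_time)          # 'expired'
    ok = verify_regenerated(old, new, run_time)              # []
    unchanged = verify_regenerated(old, old, run_time)       # 3 problems
    return state_before, ok, unchanged


if __name__ == "__main__":
    # Live use (constructed host list): snapshot before, run the FortiManager
    # script, snapshot after, then diff. Here only the offline demo runs.
    print(demo())
```

In practice, call fetch_cert_info() for each FortiGate before running the script, store the snapshots, re-fetch after the script completes and pass each pair to verify_regenerated() with the script's start time; any device returning a non-empty problem list did not pick up a new certificate.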
The script is launched from FortiManager, but the commands execute directly on the FortiGate itself, so the resulting changes are automatically applied to the FortiManager device database as well.
The Fortinet_Factory and Fortinet_Factory_Backup certificates are unique to each hardware unit and cannot be regenerated; it is not possible to force regeneration of these certificates through the CLI or any other method.