Troubleshooting Tip: Install preview always shows certificate-fingerprint config
Description
This article describes a workaround to resolve the issue where the 'Install Preview' on a FortiManager always shows the 'Certificate Fingerprint' configuration instead of the actual changes made.
Scope
FortiManager, FortiClient EMS, FortiGate.
Solution
When the certificate is updated on the EMS server, it is updated on the FortiGate. FortiManager retrieves this data and updates its Device Database.
To apply changes, Configure any settings on the FortiManager. Then, push the configuration to the target FortiGate. Before completing the installation, select 'Install Preview'. Instead of reflecting the changes made, the preview will display the 'certificate fingerprint' configuration.
Resolution:
In the FortiManager, navigate to Device Manager -> Device & Groups -> The target FortiGate -> CLI Configurations -> Endpoint-Control -> fctems.
- The updated certificate fingerprint will be displayed in this section.
Navigate to Fabric View -> Fabric Connectors -> fct ems-1 -> Advanced -> Certificate-fingerprint.
- This section will contain the old certificate fingerprint.
Copy the certificate fingerprint from 'Device Manager -> Device & Groups -> Target FortiGate -> CLI Configurations -> Endpoint-Control -> fctems' and paste it to 'Fabric View -> Fabric Connectors -> fct ems-1 -> Advanced -> Certificate-fingerprint'.
Notes:
- FortiManager does not support importing FortiClient EMS. It just always copies the ADOM database config to the device level.
- It depends on the configuration for FortiClient EMS for the new default setting for the certificate, where trust-ca-cn is enabled or disabled.