Troubleshooting Tip: Certificates not included in license keys
Description
This article explains an issue where FortiNAC license keys do not contain the necessary certificates.
Scope
FortiNAC versions released prior to 2020.
Solution
License keys with certificates were introduced on January 1st 2020.
It is possible for older appliances to be running on a license key generated prior to 2020 and not include certificates.
Appliances that do not have keys with certificates have the following limitations:
- Entitlements will not display (see UI does not list serial number or license entitlements).
- It is not possible to change from Perpetual to Subscription Endpoint Licensing. This is because Subscription Licenses require certificates.
Certain features will not be available, including:
- FortiGuard IoT for Device Profiling Rule.
- Security Fabric communication (see Security Fabric Connection).
- FSSO via REST API with FortiGate v7.x.
- Communication between FortiNAC servers (versions 7.2.2, 9.4.3, 9.2.8, 9.1.10 and greater)
Verify a key has certificates on a virtual appliance:
To verify a license key has certificates on a virtual appliance, log in to the appliance CLI as the root user and run the following command:
licensetool -key APPLIANCE
Example with certificates:
licensetool -key APPLIANCE
APPLIANCE:
serial = FNVMCATMxxxxxxxx
type = NetworkControlApplicationServer
level = PRO
count = 0
expiration = 0
expired = false
mac = xx:xx:xx:xx:xx:xx
uuid = xxxxx-xxx-xxx-xxx-xxxxxxxx
certificates = [xxxxxxxxxxxxxxxxxxx]
Example without certificates:
licensetool -key APPLIANCE
APPLIANCE:
serial = FNVMCAxxxxxxxx
type = NetworkControlApplicationServer
level = PLUS
count = 10000
expiration = 0
expired = false
mac = xx:xx:xx:xx:xx:xx
uuid = xxxxx-xxx-xxx-xxx-xxxxxxxx
certificates = []
In the second example, the 'certificates' array has no values. This means the license key has no certificates.
Verify a key has certificates on a physical appliance:
To verify a license key has certificates on a physical appliance, log in to the appliance CLI as the root user and run the following command:
licensetool -key FILE -file /bsc/campusMgr/.licenseKeyHW
Example contents of a key file with certificates:
serial = FN5HCATRxxxxxxxx
type = NetworkControlApplicationServer
level = BASEcount = 0
expiration = 0
expired = false
mac =xx:xx:xx:xx:xx:xx
uuid = 00000000-0000-0000-0000-000000000000
certificates = [xxxxxxxxxxxxxxxxxxx]The solution for missing certificates varies depending on the appliance:
Virtual appliances:
- Manager or Control/Application Server (FNC-M-VM or FNC-CA-VM):
- Customers with a FortiCare account and appliance support coverage can download a new key containing certificates from the Customer Support Portal at http://support.fortinet.com.
Important:
- Ensure the correct UUID and eth0 MAC address of the appliance is reflected in the product record. For details on how to obtain this information and download the new keys, see the Update Keys Due to UUID/MAC Change section in the License Upgrade Guide.
- Select Get the License File next to FortiNAC Control/App VM Server License. Do not use the Network Sentry key file, as certificates will not be included.
- PODs managed by a Manager: It's necessary to download a new key file for each appliance with missing certificates within their key. Certificates are not distributed from the Manager.
- Separate Control and Application Servers (FNC-C-VM & FNC-A-VM).
- FortiNAC server communication workaround: See Importing License Key Certificates in the FortiNAC Manager Guide.
- FortiNAC appliance SKUs for the separate Control and Application servers reached end of order (EOO) in 2019. FortiCare cannot generate license keys containing certificates for these older products. For a listing of all EOO products, see https://support.fortinet.com/Information/ProductLifeCycle.aspx.
- Customers must contact Sales to arrange for a transition from the older appliances to the combined Control and Application VM server (FNC-CA-VM) to use the newer license keys.
Hardware appliances:
- FortiNAC server communication workaround: See Importing License Key Certificates in the FortiNAC Manager Guide.
- Manager or Control/Application Server (FNC-M or FNC-CA)
- Certificates are installed and shipped with the appliance. If certificates are missing from /bsc/campusMgr/.licenseKeyHW, the unit must be returned through the RMA process. Read more here.
- Separate Control and Application Servers (FNC-C & FNC-A)
- FortiNAC appliance SKUs for the separate Control and Application servers reached end of order (EOO) in 2019.
- FortiCare cannot generate license keys containing certificates for these older products. For a listing of all EOO products, see https://support.fortinet.com/Information/ProductLifeCycle.aspx.
- Customers must contact Sales to arrange for a transition from the older appliances to the combined Control and Application Server to use the newer license keys.
- Certificates are installed and shipped with the appliance. If certificates are missing from /bsc/campusMgr/.licenseKeyHW, the unit must be returned through the RMA process. Read more here.