Technical Tip: Unable to log onto FortiSOAR instances due to the expiration of the self-signed certificates
Description: This article describes what to do when users are not able to log onto FortiSOAR instances even though they are using the correct credentials, because the instance's self-signed certificates have expired.

Scope: FortiSOAR.
Solution:

For FortiSOAR v7.2.0 or later, renew the certificates with the following command:

# csadm certs --generate <hostname>

Replace <hostname> with the hostname of the FortiSOAR instance. The hostname can be checked with:

# hostname

For FortiSOAR versions earlier than v7.2.0, open an SSH session, switch to the root user (via 'sudo su', using the csadmin password) and run the following command:

curl -s https://repo.fortisoar.fortinet.com/downloads/scripts/generate-root-certificate.sh | bash /dev/stdin

The same steps can also be run manually:

```sh
# Work in a scratch directory under the csadmin home.
mkdir -p /home/csadmin/temp
cd /home/csadmin/temp

# Generate a new 2048-bit RSA key and a self-signed root certificate valid for 365 days.
openssl genrsa -out cs.loc.root.key 2048
openssl req -x509 -sha256 -new -nodes -key cs.loc.root.key -days 365 -out cs.loc.root.crt \
  -subj "/C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=FortiSOAR/CN=fortisoar.localhost"

# Install the key and add the certificate to the system CA trust anchors.
yes | mv cs.loc.root.key /etc/pki/cyops/
yes | mv cs.loc.root.crt /etc/pki/ca-trust/source/anchors

# The release file is immutable: clear the flag, back it up, and strip the
# secure-message-exchange entries before regenerating the certificates.
chattr -i /etc/cyops-release
cp /etc/cyops-release /etc/cyops-release.bkp
sed -e "s/,secure-message-exchange//g" -i /etc/cyops-release
sed -e "s/,forticloud-secure-message-exchange//g" -i /etc/cyops-release

# Regenerate the instance certificates from the new root.
csadm certs --generate `hostname`

# Restore the original release file and its immutable flag, then restart the services.
cp /etc/cyops-release.bkp /etc/cyops-release
chattr +i /etc/cyops-release
rm -f /etc/cyops-release.bkp
csadm services --restart
```

Note. Replace the values of 'O' and 'OU' with the organization's values.

Important. For FortiSOAR Cloud deployments, once the CA root certificate has been updated, update the embedded certificates with the following command:

csadm secure-message-exchange update-exchange-event-listener-certs

Once this command has been run, the certificates in the embedded SME must also be updated using the FortiSOAR GUI.
