Skip to main content
ergotherego
ergotherego
New Member
November 16, 2016
Question

Cannot sync VPN CA certificate from FMG to FGT [FIXED]

  • November 16, 2016
  • 2 replies
  • 27910 views

Don't use more than 23 characters for your ADOM name.

 

Ran into this and wanted to post about it, in case someone else encounters it.

 

Issue was that doing policy package installs against a FGT the FMG would always want to install a VPN CA certificate, but fail. Even though the certificate would appear to be on the FGT. The failed install log would show something like:

 

Copy device global objects "vpn certificate ca", "CUSTOMER-ADOM-NAME-IS-HERE_Internal_CA", id=893, COMMIT FAIL - duplicate

 

The problem is that FMG (5.4.1) will automatically create VPN CA certificates based on the ADOM name, the maximum character length for certificates is 35 characters, and it will add "_Internal_CA" to the end of the certificate name. In this case, this was more than 35 characters so the FMG was never able to properly install the cert.

 

Interesting, both FMG and the FGT showed the actual certificate name was truncated to be the proper length of characters, so some meta field inside FMG was being used against the FGT - not the name you would see in the FMG WebUI.

 

To fix this I had to:

 

[ol]
  • Purge the ADOM. Delete the device and policy package
  • Re-create the ADOM using a shorter name (23 characters or less)
  • Re-add device and re-import the policy[/ol]

    Just renaming the ADOM didn't work - that change didn't trickle down behind the scenes to change the name FMG wanted to use for the certificate.

      • 2 replies

      chirag_rao
      chirag_rao
      New Member
      October 19, 2018

      I am facing the same problem. The ADOM name does not exceed 35 characters. The ADOM name I am using is test, still I get the same VPN certificate error when pushing a policy. Any suggestions?

       

      Regards,

      Chirag

      ergotherego
      ergotheregoAuthor
      New Member
      October 19, 2018

      What version of FMG are you running?

       

      I haven't run into this issue since then (2 years ago) but the ADOM name could not be longer than 23 characters, to account for the total character length of a certificate (35 characters) when that extra stuff is added on the end.

       

      You said the name of your ADOM is "test". Did you rename your ADOM? Renaming my ADOM did not fix it for me, I had to actually delete the ADOM and re-create from scratch with a shorter name.

      chirag_rao
      chirag_rao
      New Member
      October 20, 2018

      Hi,

       

      I really appreciate your prompt response. I am using FortiManager 5.4 as well as FortiGate 5.4. I have not renamed the ADOM name. I created a fresh ADOM named "test" (without quotes), still the issue persists. I tried with/without ADOMs, still the same issue. Kindly advise further.

       

      Regards,

       

      Chirag

      MT13
      MT13
      New Member
      November 18, 2021

      Hi,

       

      I found out where is the problem! 

      The problem is that you can't see these certificates until you select that you would like to see them in FortiManager:

      - Double click your device in FortiManager

      - Disply Options

      - Under System - select Certificates (you have to choose Customize)

      - Now you can choose Certificates in the menu

      - Just delete Root2_CA certificate

      ...and now you can deploy!

       

       

      Terms & ConditionsAccessibility statement