SimoSimo77
New Member
December 24, 2025
Solved

Fortiauthenticator Default-Server-Certificate expiration

  • December 24, 2025
  • 3 replies
  • 587 views

Hello,

The Default-Server-Certificate will expire in 5 days.

We use FAC for WIFI EAP-TLS and VPN MFA.

I can see that the certificate is used in the LDAP service, the OAuth service and maybe in other services.

Is it safe to keep using this certificate after the expiration, or should I renew it? I also want to know the impact if I renew the certificate.

3 replies

AEK
SuperUser
December 24, 2025

Hi Simo

This certificate is self-signed, so it is already not trusted by any equipment; I guess you are forcing all your equipment to trust it.

You should create your own CA (if not already done) that will sign all your certificates.

Regarding your question, after the expiration you will probably have problems with some equipment, since most modern equipment that follows minimum security standards rejects expired certificates.

AEK
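The two things AEK raises, whether the certificate is self-signed and how close it is to its notAfter date, can be checked from the parsed certificate before the expiry day arrives. The script below is an added example written for this thread, not code from the forum or from Fortinet. It works on the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns, whose `notAfter` string uses the same `Mon DD HH:MM:SS YYYY GMT` form that `openssl x509 -noout -enddate` prints. The sample certificates, the host name `fac.example.local`, the CA name and the 30-day warning threshold are all constructed assumptions, not values from any real appliance.

```python
"""Expiry and self-signed check for a TLS server certificate (added example).

Operates on the dict returned by ssl.SSLSocket.getpeercert(); the 'notAfter'
field uses the "Mon DD HH:MM:SS YYYY GMT" form, which is also what
`openssl x509 -noout -enddate` prints, so that output can be fed in by hand.
"""
import socket
import ssl
from datetime import datetime, timezone

WARN_DAYS = 30  # warning threshold chosen for this example, not an appliance setting


def parse_not_after(not_after: str) -> datetime:
    """Turn a notAfter string such as 'Dec 29 12:00:00 2025 GMT' into an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)


def rdn_to_dict(name) -> dict:
    """Flatten getpeercert()'s subject/issuer tuples (one tuple of (key, value) pairs per RDN)."""
    return {key: value for rdn in name for key, value in rdn}


def assess(cert: dict, now: datetime, warn_days: int = WARN_DAYS) -> dict:
    """Classify a certificate as ok / expiring / expired and flag self-signed ones."""
    subject = rdn_to_dict(cert.get("subject", ()))
    issuer = rdn_to_dict(cert.get("issuer", ()))
    days = (parse_not_after(cert["notAfter"]) - now).days  # negative once expired
    if days < 0:
        status = "expired"
    elif days <= warn_days:
        status = "expiring"
    else:
        status = "ok"
    return {
        "commonName": subject.get("commonName"),
        "self_signed": subject == issuer,  # issuer equals subject: nothing else vouches for it
        "days_remaining": days,
        "status": status,
    }


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Fetch the parsed certificate of a live server whose chain the default trust store accepts.

    getpeercert() only returns a populated dict when verification succeeded, so a
    self-signed certificate has to be pulled with
    `openssl s_client -connect host:port | openssl x509 -noout -enddate`
    and its notAfter string passed to assess() by hand.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates (hypothetical names and dates, not captured from a real FAC).
SAMPLE_NOW = datetime(2025, 12, 24, 11, 0, 0, tzinfo=timezone.utc)
SELF_SIGNED_NAME = ((("commonName", "fac.example.local"),),)
SAMPLE_CERTS = {
    "default-server": {"subject": SELF_SIGNED_NAME, "issuer": SELF_SIGNED_NAME,
                       "notAfter": "Dec 29 12:00:00 2025 GMT"},
    "already-expired": {"subject": SELF_SIGNED_NAME, "issuer": SELF_SIGNED_NAME,
                        "notAfter": "Dec 20 12:00:00 2025 GMT"},
    "ca-signed": {"subject": SELF_SIGNED_NAME,
                  "issuer": ((("commonName", "Example Internal CA"),),),
                  "notAfter": "Jan 01 00:00:00 2032 GMT"},
}


def check_samples(now: datetime = SAMPLE_NOW) -> dict:
    """Assess every sample certificate; returns {name: assessment}."""
    return {name: assess(cert, now) for name, cert in SAMPLE_CERTS.items()}


if __name__ == "__main__":
    for name, result in check_samples().items():
        print(f"{name:16} {result['status']:9} {result['days_remaining']:5d} days"
              f"  self-signed={result['self_signed']}")
```

Run as a script it prints one line per sample; in practice you would call `assess()` on the dict from `fetch_peer_cert()` for CA-signed services, or on a hand-built dict whose `notAfter` comes from the `openssl` command noted in the docstring for the self-signed default certificate, and alert on anything that is not `ok`.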
SimoSimo77
New Member
December 24, 2025

Hello @AEK

I can see a GPO on my domain controller that forces computers to trust the FAC root CA.

Could renewing the expired certificate have an impact on our production, or will it be transparent?

AEK
SuperUser
December 24, 2025

Create a new certificate signed with the same CA and install it with its private key on a non-critical piece of equipment, then try using it and see if it has any impact.

It shouldn't have any impact but testing like suggested above is safer before deploying on critical equipment.

AEK
SimoSimo77
New Member
December 24, 2025

Hello @AEK

I think there is a misunderstanding.

The FAC internal CA certificate will not expire until 2032.

The only certificate that is expiring in 5 days is the default-server-certificate.

I don’t see any reason to generate a new CA certificate in this case.

SimoSimo77 (Author, Answer)
New Member
December 31, 2025

Hello,

I had to reboot the FAC HA cluster, so the certificate was generated automatically.

If you are in HA you have to shut down both devices, start the primary device, check if the certificate was renewed automatically and then start the second device and let it sync.

Thank you