FortiGate GUI won't use new SSL certificate
I have generated new SSL certificates for the FortiGate firewall, and I am trusting the new CA. But it appears that FortiGate is still using the old SSL GUI certificate.
I followed this document for regeneration:
https://docs.fortinet.com/document/fortigate/7.2.8/administration-guide/663527
# execute vpn certificate local generate default-gui-mgmt-cert
# execute vpn certificate local generate default-ssl-ca
# execute vpn certificate local generate default-ssl-ca-untrusted
# execute vpn certificate local generate default-ssl-key-certs
# execute vpn certificate local generate default-ssl-serv-key
My hardware is FortiGate-60F, firmware version 7.2.8.
The old certificate is not expired, but I don't trust the old CA anymore. After switching to the new CA and installing the new CA on my Mac, FortiGate is still presenting the old certificate when I try to log in to the admin console via the GUI.
Inspecting the Certificate page, I only see the new certificates, but SOMEHOW FortiGate is presenting the old certificate, which shows up as a big red flag on my Mac, and I have to agree to trust the certificate of the old untrustworthy CA.
Is this a cache problem or something?
