fritzikus1302
New Member
October 4, 2020
Question

SSLVPN Certificate Parse Error

  • October 4, 2020
  • 4 replies
  • 7914 views

Hello Guys,

I want to renew my certificate for SSL VPN over SSH. It worked, but now I get the error "Input is not a valid/matched certificate. node_check_object fail! for certificate".

Can someone help me, please? I've posted the log from my SSH commands.

Thanks

4 replies

boneyard
Valued Contributor
October 10, 2020

You need to import a certificate and key to be able to use it as the SSLVPN server cert.

Do you have a .p12 or .pfx file for this?

Or did you use the same key to generate this new cert?

EDIT: please don't share the certificate + key if you post a reply; it probably is password protected, but still, rather keep that safe.

nikriaz
Explorer
September 9, 2025

Exactly the same problem. Were you able to figure it out?

Toshi_Esumi
SuperUser
September 9, 2025

If you get only a renewed cert and you don't have the private key (included in the PKCS#12 (PFX) file) and the password you used to generate it originally, you have to do this CLI method to preserve the encrypted private key while swapping the cert to the new one.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-import-a-new-local-certificate-after/ta-p/192999

Toshi

nikriaz
Explorer
September 10, 2025

Thank you for the reply.

I see this article and I confirm that this error text with error number "-651" means no matching certificate for the existing key. When I try to renew the certificate only, for the same existing key, as described in the article above, it DOES work. However, it is not a real-world scenario. Typically renewed certs come with a new key.

I found another article:
https://community.fortinet.com/t5/FortiGate/Technical-Note-Upload-Certificate-using-PEM-format/ta-p/197317

Whatever I try, I always get an error "Invalid private key, password may be required" when I try to upload the new key, whether the PEM is encrypted with a password or not. "set password" does not work either. The article just suggests "In such cases try getting a new key from the certificate authority and reupload." but this explains nothing, unfortunately.

The question is whether it is possible at all to update an existing certificate in place with a new key or not.

UPDATE: I finally found the proper format for a key, which is PKCS#8 with no password, and now it works. The certificate gets renewed in place with the new key. Version is 7.6.3.

Toshi_Esumi
SuperUser
September 10, 2025

If you got a new cert with a new private key, that's a completely new certificate set. You just need to import it as a new one. It doesn't matter whether the current one exists or not.
I never tried PEM installation. Try creating a PKCS#12 format file based on those unencrypted cert+key. There are multiple tools available, but I think the most common one is OpenSSL on Linux. Just make sure you save the password you used to encrypt it in a safe and findable place.

Toshi
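As an added example (not code from the thread, Fortinet, or either poster), the shell script below exercises the two points the replies turn on: checking whether a cert actually belongs to a given private key (the mismatch the thread attributes to error -651), and producing either an unencrypted PKCS#8 key or a PKCS#12 bundle with OpenSSL. It assumes `openssl` is on PATH; the key pair, the CN `vpn.example.test` and the export password `changeit` are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: (1) does this cert belong to this
# private key (the mismatch the thread reports as error -651), (2) rewrite
# the key as unencrypted PKCS#8 PEM or bundle cert+key into PKCS#12.
# Assumes openssl on PATH; the key pair is a constructed self-signed one
# standing in for a CA-issued cert.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Make a constructed key + self-signed cert named $1 inside $WORK.
gen_pair() {
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$WORK/$1.key" -days 30 \
    -subj "/CN=vpn.example.test" -out "$WORK/$1.crt" 2>/dev/null
}

# Return 0 when the cert's public key equals the private key's public key.
# Compares SHA-256 digests of the DER-encoded SubjectPublicKeyInfo.
cert_matches_key() { # $1 = cert PEM, $2 = private key PEM
  c="$(openssl x509 -in "$1" -noout -pubkey \
       | openssl pkey -pubin -outform DER | openssl dgst -sha256)"
  k="$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)"
  [ "$c" = "$k" ]
}

# Rewrite any PEM private key (PKCS#1 "RSA PRIVATE KEY" or PKCS#8,
# passphrase-protected or not) as unencrypted PKCS#8 "PRIVATE KEY".
to_pkcs8() { # $1 = input key, $2 = output key, $3 = passphrase if any
  if [ -n "$3" ]; then
    openssl pkcs8 -topk8 -nocrypt -in "$1" -passin "pass:$3" -out "$2"
  else
    openssl pkcs8 -topk8 -nocrypt -in "$1" -out "$2"
  fi
  grep -q 'BEGIN PRIVATE KEY' "$2"
}

# Bundle cert + key into a password-protected PKCS#12 (.p12/.pfx) and
# verify the bundle opens with that password.
to_pkcs12() { # $1 = cert, $2 = key, $3 = output .p12, $4 = export password
  openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout "pass:$4"
  openssl pkcs12 -in "$3" -passin "pass:$4" -noout
}

# Demo: a renewed cert only ever pairs with the key its CSR was made from.
gen_pair old; gen_pair new
cert_matches_key "$WORK/new.crt" "$WORK/old.key" && echo "unexpected match"
cert_matches_key "$WORK/new.crt" "$WORK/new.key" && echo "new cert + new key match"
```

If `cert_matches_key` fails for the cert you are about to import, the fix is not a different key format but the key that belongs to that cert; only when it passes does the PKCS#8 or PKCS#12 conversion help.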

mattewwade06
New Member
September 15, 2025

I’ve run into a similar issue before, and in my case it turned out the certificate format wasn’t right. When you renew it over SSH, make sure both the cert and key are in PEM format, and don’t forget to include the intermediate CA if needed. This Fortinet article explains the process step by step and might help clear the error:
https://community.fortinet.com/t5/FortiGate/Technical-Note-Upload-Certificate-using-PEM-format/ta-p/197317