FortiAuthenticator
FortiAuthenticator provides access management and single sign on.
akanibek
Staff
Article Id 296316
Description

This article describes an issue that occurs when deleting a 'Local Services' certificate in FortiAuthenticator (FAC). For instance, the following error may be shown:

 


 

Local service certificates selected as certificates for cert_eap_server_cert, cert_radsec_server_cert, auth_https_cert, auth_ldap_cert, saml_idp_cert, saml_idp_cert_alt cannot be deleted. Please consider updating the configuration and trying again.

Scope

FortiAuthenticator v6.4.X, FortiAuthenticator v6.5.X.

Solution

This message appears because the certificate object is referenced in other sections of FortiAuthenticator and cannot simply be removed, as doing so would leave some services inoperable. Consequently, the references need to be removed from all configurations on FortiAuthenticator.

Below are some of the locations where the certificate can be applied.

  1. System -> Administration -> System Access -> HTTPS Certificate.
  2. Authentication -> RADIUS Service -> Certificates -> EAP Server Certificate | RADSEC Server Certificate.
  3. Authentication -> SAML IdP -> General -> Default IdP Certificate.
  4. Authentication -> SAML IdP -> Service Providers -> <service provider> -> Server Certificate.
  5. Authentication -> LDAP Server Settings -> LDAP Server certificate.
  6. Authentication -> OAuth Service -> General -> JWT private key.

 


 

When the references are removed (and replaced with another valid certificate), the certificate object can be removed.