Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
avinash_v
Staff
Staff

Created on ‎01-23-2025 07:33 AM Edited on ‎06-20-2025 12:38 AM By Staff

Article Id 372129

Technical Tip: Certificate renewal via EST server

Description This article describes how to use the additional functionality of an EST server for certificate renewal.
Scope FortiGate.
Solution

By default, EST uses old keys for certificate renewal, unlike other auth protocols on FortiGate.

 

For example.

Old cert:

 

FGVM04TM23009067 (mycert-a1) # get
name : mycert-a1
password : *
comments :
private-key : *
certificate :
Subject: CN = eluo-fortinet
Issuer: CN = estExampleCA
Valid from: 2024-04-26 17:31:49 GMT <- Old cert.
Valid to: 2025-04-26 17:31:49 GMT
Fingerprint: 86:2E:C5:EB:9C:94:E4:62:7E:AC:74:1B:FB:FF:7E:A0:55:B6:48:0B:79:54:C6:05:2E:EA:25:69:A5:F7:1D:F5
Root CA: No
Version: 3
Serial Num:
07:9b:91
Extensions:
Name: X509v3 Basic Constraints
Critical: no
Content:
CA:FALSE

Name: X509v3 Key Usage
Critical: no
Content:
Digital Signature

Name: X509v3 Subject Key Identifier
Critical: no
Content:
1B:EF:76:7F:FC:A8:0E:9A:8A:5C:54:88:3D:2B:7D:65:B8:66:53:C7 <- Key.

Name: X509v3 Authority Key Identifier
Critical: no
Content:
1A:DF:39:84:C2:56:E6:6C:CF:2A:B4:26:A5:FD:0C:D2:43:F5:3D:3E


After renewal:


FGVM04TM23009067 (mycert-a1) # get
name : mycert-a1
password : *
comments :
private-key : *
certificate :
Subject: CN = eluo-fortinet
Issuer: CN = estExampleCA
Valid from: 2024-04-26 17:36:44 GMT <- New cert.
Valid to: 2025-04-26 17:36:44 GMT
Fingerprint: F6:C9:5E:BC:6B:4E:74:58:9E:F5:6D:4A:01:5F:46:CE:A7:60:7B:59:9A:BF:F8:F1:C4:72:0D:04:A2:60:AD:96 <- Different fingerprint.
Root CA: No
Version: 3
Serial Num:
07:9b:93
Extensions:
Name: X509v3 Basic Constraints
Critical: no
Content:
CA:FALSE

Name: X509v3 Key Usage
Critical: no
Content:
Digital Signature

Name: X509v3 Subject Key Identifier
Critical: no
Content:
1B:EF:76:7F:FC:A8:0E:9A:8A:5C:54:88:3D:2B:7D:65:B8:66:53:C7 <- Key.

Name: X509v3 Authority Key Identifier
Critical: no
Content:
1A:DF:39:84:C2:56:E6:6C:CF:2A:B4:26:A5:FD:0C:D2:43:F5:3D:3E

 

The Subject Key Identifier did not change, meaning the old key was used in the CSR. At times, some users may implement the CA server in such a way that it does not accept the old key and will return the old certificate.

 

To accommodate this, starting from v7.4.6, customers can regenerate a new key to get a new certificate from the EST server. This can be specified in the configuration on the FortiGate: dictate whether to use the old key or a new key each time it contacts the CA server to renew the certificate.

 

config vpn certificate local
    edit <name>
        set est-regeneration-method {create-new-key | use-existing-key}
    next
end

 

Refer to this document for the configuration of Secure Transport for automatic certificate management on FortiGate: Enrollment over Secure Transport (EST)
564
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2026 Fortinet, Inc. All Rights Reserved.