avinash_v
Staff
Article Id 372129
Description This article describes how to use the additional functionality of an EST server for certificate renewal.
Scope FortiGate.
Solution

By default, EST reuses the existing key pair for certificate renewal, unlike the other certificate protocols on FortiGate.

For example:

Old cert:

FGVM04TM23009067 (mycert-a1) # get
name : mycert-a1
password : *
comments :
private-key : *
certificate :
Subject: CN = eluo-fortinet
Issuer: CN = estExampleCA
Valid from: 2024-04-26 17:31:49 GMT <- Old cert.
Valid to: 2025-04-26 17:31:49 GMT
Fingerprint: 86:2E:C5:EB:9C:94:E4:62:7E:AC:74:1B:FB:FF:7E:A0:55:B6:48:0B:79:54:C6:05:2E:EA:25:69:A5:F7:1D:F5
Root CA: No
Version: 3
Serial Num:
07:9b:91
Extensions:
Name: X509v3 Basic Constraints
Critical: no
Content:
CA:FALSE

Name: X509v3 Key Usage
Critical: no
Content:
Digital Signature

Name: X509v3 Subject Key Identifier
Critical: no
Content:
1B:EF:76:7F:FC:A8:0E:9A:8A:5C:54:88:3D:2B:7D:65:B8:66:53:C7 <- Key.

Name: X509v3 Authority Key Identifier
Critical: no
Content:
1A:DF:39:84:C2:56:E6:6C:CF:2A:B4:26:A5:FD:0C:D2:43:F5:3D:3E


After renewal:


FGVM04TM23009067 (mycert-a1) # get
name : mycert-a1
password : *
comments :
private-key : *
certificate :
Subject: CN = eluo-fortinet
Issuer: CN = estExampleCA
Valid from: 2024-04-26 17:36:44 GMT <- New cert.
Valid to: 2025-04-26 17:36:44 GMT
Fingerprint: F6:C9:5E:BC:6B:4E:74:58:9E:F5:6D:4A:01:5F:46:CE:A7:60:7B:59:9A:BF:F8:F1:C4:72:0D:04:A2:60:AD:96 <- Different fingerprint.
Root CA: No
Version: 3
Serial Num:
07:9b:93
Extensions:
Name: X509v3 Basic Constraints
Critical: no
Content:
CA:FALSE

Name: X509v3 Key Usage
Critical: no
Content:
Digital Signature

Name: X509v3 Subject Key Identifier
Critical: no
Content:
1B:EF:76:7F:FC:A8:0E:9A:8A:5C:54:88:3D:2B:7D:65:B8:66:53:C7 <- Key.

Name: X509v3 Authority Key Identifier
Critical: no
Content:
1A:DF:39:84:C2:56:E6:6C:CF:2A:B4:26:A5:FD:0C:D2:43:F5:3D:3E

Notice that the Subject Key Identifier did not change, meaning the old key was used in the CSR. Some customers implement the CA server in such a way that it does not accept the old key and returns the old certificate instead.

To accommodate this, starting from version 7.4.6, a new key can be regenerated to obtain a new certificate from the EST server. This is specified in the FortiGate configuration, which dictates whether the existing key or a new key is used each time the FortiGate contacts the CA server to renew the certificate.

 

config vpn certificate local
    edit <name>
        set est-regeneration-method {create-new-key | use-existing-key}
    next
end
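To check which of the three outcomes a renewal produced (the old certificate returned, a new certificate on the existing key, or a new certificate on a new key), the `get` output from before and after the renewal can be compared on Fingerprint and Subject Key Identifier. This is an added example, not part of the article or any FortiGate tool; it parses the CLI text shown above and embeds a trimmed copy of it as constructed sample input.

```python
import re

# Constructed sample input: the "get" outputs from this article, cut down to the
# lines this check reads (the "<- ..." annotations are kept on purpose).
OLD_CERT = """\
Fingerprint: 86:2E:C5:EB:9C:94:E4:62:7E:AC:74:1B:FB:FF:7E:A0:55:B6:48:0B:79:54:C6:05:2E:EA:25:69:A5:F7:1D:F5
Name: X509v3 Subject Key Identifier
Critical: no
Content:
1B:EF:76:7F:FC:A8:0E:9A:8A:5C:54:88:3D:2B:7D:65:B8:66:53:C7 <- Key.
"""
NEW_CERT = """\
Fingerprint: F6:C9:5E:BC:6B:4E:74:58:9E:F5:6D:4A:01:5F:46:CE:A7:60:7B:59:9A:BF:F8:F1:C4:72:0D:04:A2:60:AD:96 <- Different fingerprint.
Name: X509v3 Subject Key Identifier
Critical: no
Content:
1B:EF:76:7F:FC:A8:0E:9A:8A:5C:54:88:3D:2B:7D:65:B8:66:53:C7 <- Key.
"""

_FP = re.compile(r"^Fingerprint:\s*([0-9A-F:]+)", re.M)
# The identifier is the hex line after the Subject Key Identifier block header.
_SKI = re.compile(r"Name: X509v3 Subject Key Identifier\s+Critical: \w+\s+Content:\s+([0-9A-F:]+)")


def parse_cert_get(output: str) -> dict:
    """Pull the certificate fingerprint and Subject Key Identifier out of `get` output."""
    fields = {}
    for key, rx in (("fingerprint", _FP), ("ski", _SKI)):
        m = rx.search(output)
        if m is None:
            raise ValueError(f"{key} not found in certificate output")
        fields[key] = m.group(1)
    return fields


def classify_renewal(old_output: str, new_output: str) -> str:
    """Say what the EST renewal actually did, based on the before/after `get` output."""
    old, new = parse_cert_get(old_output), parse_cert_get(new_output)
    if old["fingerprint"] == new["fingerprint"]:
        # Same certificate came back: the CA issued nothing new (for example it
        # rejected the reused key and returned the existing certificate instead).
        return "not renewed"
    if old["ski"] == new["ski"]:
        # New certificate, same public key: the CSR reused the existing key pair.
        return "renewed with existing key"
    # New certificate and a new key identifier: a fresh key pair was enrolled.
    return "renewed with new key"


if __name__ == "__main__":
    print(classify_renewal(OLD_CERT, NEW_CERT))  # renewed with existing key
```

With `est-regeneration-method create-new-key`, a successful renewal should fall into the last branch; the first branch is the symptom described above for CA servers that reject the reused key.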