FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 269845
Description This article describes the process when an EMS Certificate is not trusted with FortClient EMS Cloud.
Scope EMS Cloud, FortiGate, FortiClient EMS.

This article outlines the instances when the server certificate for the FortiClient EMS Cloud instance gets renewed, and when it approaches expiration, an administrator will encounter the following warning message.




As stated in the warning message above, the FortiGate must be re-authorized, however, it may fail with the error below due to cached certificate entry on the FortiGate.




Troubleshooting step to verify the verified capabilities:


(global) di test application fcnacd 2

EMS context status:


FortiClient EMS number 1:

name(id): Fortinet-Test(1) confirmed: yes

fetched-serial-number: FCTEMS0000xxxxx


verified capabilities: false     <- Failed the capabilities.

verified identity: false

interface-selection-method: 0

verify-peer-method: 4

Websocket status: disconnected, oif: 0


If the reauthorization is done from CLI, the following error may occur:


execute fctems verify 1
Error in requesting EMS fabric connection: -4
issue in getting capabilities. Server certificate does not match previously configured EMS certificate.
Error (-1@_get_capabilities:464).


To resolve this issue, unverify it:


execute fctems unverify <EMS ID>


And then verify it again:


execute fctems verify <EMS ID>


Note: This article also applies to the FortiClientEMS server.