Created on 01-21-2025 02:56 AM
Edited on 07-21-2025 01:34 AM
By Jean-Philippe_P
This article describes why, after updating to version 7.4.4 or newer, downstream FortiGate devices in a Security Fabric cannot validate the EMS certificate, and how to restore validation.
Example:
FortiGate, FortiClient.
From version 7.4.4 forward, the CA certificate must be synchronized through the Security Fabric for all FortiGate devices to correctly validate the EMS certificate.
On the Root FortiGate of the Security Fabric, enable synchronization of the remote CA with the Fabric. This change is made via the CLI on the root device (csf_root): 'set fabric-ca enable' under config vpn certificate ca -> edit '<Certificate Name>'.
Example done on the Root Fabric FortiGate (first identify which CA the EMS entry verifies against):
config endpoint-control fctems
    edit 1
        show
        ...
        set verifying-ca "CA_Cert_4"    <---- In this example, the certificate is 'CA_Cert_4'.
        ...
        abort
Change the CA to synchronize:
config vpn certificate ca
    edit "CA_Cert_4"
        set fabric-ca enable
    next
end
The automatic synchronization enabled by 'fabric-ca enable' is not available for the built-in CA. It is only available for remote/third-party CAs.
If the FortiGate is in a VDOM environment:
config global
    config certificate ca
        edit "CA_Cert_4"
            set fabric-ca enable
        next
    end
After this change, the downstream FortiGate devices will trust the EMS certificate and re-establish the connection. The successful message will resemble 'CA CA_Cert_4 has become a Security Fabric synchronized CA and has the new name CSF_CA_Cert_Pc60xxxxxxxxxxxxxxxxxxxx_1'.
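To verify the change before and after applying it, the following added Python script (not part of this article or of FortiOS) audits a FortiGate configuration export: for each 'config endpoint-control fctems' entry it looks up the CA named in 'verifying-ca' and reports whether that CA carries 'set fabric-ca enable', or is missing from the CA table altogether (which is the case for a built-in CA, which cannot be synchronized). The two configuration samples are constructed for the example and are not from a real device; the parser assumes the indented 'config / edit / set / next / end' layout shown above, treats 'config global' and 'config vdom' as wrappers, and accepts either 'vpn certificate ca' (non-VDOM) or 'certificate ca' (the VDOM form shown above) as the CA table.

```python
"""Audit a FortiOS config export: does every EMS entry's verifying CA carry
'set fabric-ca enable', so downstream Fabric members can validate EMS?"""
from typing import Dict, List, Optional

# Constructed sample of a non-VDOM FortiOS config export (not a real device).
SAMPLE_CONFIG = """\
config endpoint-control fctems
    edit 1
        set verifying-ca "CA_Cert_4"
    next
    edit 2
        set verifying-ca "CA_Cert_7"
    next
    edit 3
        set verifying-ca "CA_Cert_9"
    next
end
config vpn certificate ca
    edit "CA_Cert_4"
        set ca "<PEM placeholder>"
    next
    edit "CA_Cert_7"
        set ca "<PEM placeholder>"
        set fabric-ca enable
    next
end
"""

# Constructed VDOM-mode variant: tables sit under 'config global'.
SAMPLE_CONFIG_VDOM = """\
config global
    config endpoint-control fctems
        edit 1
            set verifying-ca "CA_Cert_4"
        next
    end
    config certificate ca
        edit "CA_Cert_4"
            set ca "<PEM placeholder>"
            set fabric-ca enable
        next
    end
end
"""

Table = Dict[str, Dict[str, Dict[str, str]]]


def _scoped(stack: List[str]) -> List[str]:
    # 'config global' / 'config vdom' are wrappers, not tables of their own.
    return [s for s in stack if s not in ("global", "vdom")]


def parse_fortios_config(text: str) -> Table:
    """Parse 'config <table>' / 'edit <id>' / 'set <key> <value>' blocks into
    {table: {entry_id: {key: value}}}. Blocks nested inside an entry are
    skipped; only the table level matters for this audit."""
    tables: Table = {}
    stack: List[str] = []
    entry: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("config "):
            stack.append(line[len("config "):])
            continue
        if line == "end":
            if stack:
                stack.pop()
            if not _scoped(stack):
                entry = None
            continue
        path = _scoped(stack)
        if len(path) != 1:
            continue  # inside a nested block, or outside any table
        table = tables.setdefault(path[0], {})
        if line.startswith("edit "):
            entry = line[len("edit "):].strip().strip('"')
            table.setdefault(entry, {})
        elif line == "next":
            entry = None
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[len("set "):].partition(" ")
            table[entry][key] = value.strip().strip('"')
    return tables


def audit_ems_ca_sync(text: str) -> List[str]:
    """Return one finding per EMS entry whose verifying CA is not Fabric-synchronized."""
    cfg = parse_fortios_config(text)
    cas = cfg.get("vpn certificate ca") or cfg.get("certificate ca", {})
    findings: List[str] = []
    for ems_id, ems in cfg.get("endpoint-control fctems", {}).items():
        ca_name = ems.get("verifying-ca")
        if not ca_name:
            findings.append(f"fctems {ems_id}: no verifying-ca configured")
        elif ca_name not in cas:
            findings.append(f"fctems {ems_id}: verifying-ca {ca_name!r} not found in the CA table; "
                            "a built-in CA cannot be synchronized with 'fabric-ca enable'")
        elif cas[ca_name].get("fabric-ca") != "enable":
            findings.append(f"fctems {ems_id}: CA {ca_name!r} lacks 'set fabric-ca enable'; "
                            "downstream FortiGates will not validate the EMS certificate")
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_CONFIG, SAMPLE_CONFIG_VDOM):
        print(audit_ems_ca_sync(sample) or ["OK: all EMS verifying CAs are Fabric-synchronized"])
```

Run it against a 'show full-configuration' export saved to a file; an empty result means every EMS entry's CA is set to synchronize, so downstream devices should report the 'has become a Security Fabric synchronized CA' message after the next Fabric sync.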