Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
spoojary
Staff
Staff

Created on ‎09-25-2023 05:48 AM Edited on ‎08-14-2025 06:56 AM By Staff

Article Id 275737

Technical Tip: FortiGate certificate error when 'diagnose debug config-error-log ' is run

Description This article describes when the command 'diagnose debug config-error-log read' is run, multiple errors are received, and how the issue can be solved.
Scope FortiGate
Solution

Running the following CLI command may show the following error after the upgrade of the firewall:

 

diagnose debug config-error-log read


Error: 

 

"next" @ 7197:vpn.certificate.local.Fortinet_CA_SSL:failed command (error 1)
"next" @ 7318:vpn.certificate.local.Fortinet_SSL:failed command (error 1)
"next" @ 7456:vpn.certificate.local.Fortinet_SSL_RSA1024:failed command (error 1)
"next" @ 7516:vpn.certificate.local.Fortinet_SSL_RSA2048:failed command (error 1)
"next" @ 7611:vpn.certificate.local.Fortinet_SSL_RSA4096:failed command (error 1)
"next" @ 7651:vpn.certificate.local.Fortinet_SSL_DSA1024:failed command (error 1)
"next" @ 7706:vpn.certificate.local.Fortinet_SSL_DSA2048:failed command (error 1)
"next" @ 7735:vpn.certificate.local.Fortinet_SSL_ECDSA256:failed command (error 1)
"next" @ 7766:vpn.certificate.local.Fortinet_SSL_ECDSA384:failed command (error 1)
"next" @ 7800:vpn.certificate.local.Fortinet_SSL_ECDSA521:failed command (error 1)
"next" @ 7826:vpn.certificate.local.Fortinet_SSL_ED25519:failed command (error 1)
"next" @ 7854:vpn.certificate.local.Fortinet_SSL_ED448:failed command (error 1)
"config" "switch-controller" "dsl" "policy" @ 10984:command parse error (error -61)

 

Symptoms:

Running the command 'diagnose debug config-error-log read' returns multiple certificate-related errors.
These errors pertain to overwriting embedded hardware factory certificates. There is no impact in functionality.

 

Diagnosis Steps:

  • Check the FortiGate version.
  • Determine if the errors appeared post-configuration or after a firmware upgrade.

 

Resolution:

The command triggering the errors seems to be 'default-ssl-key-certs'. To reset the values and correct any errors that occurred during the upgrade, follow these steps:

Log in to the FortiGate CLI.

Execute the following commands in sequence: 

 

execute vpn certificate local generate default-ssl-ca
execute vpn certificate local generate default-ssl-ca-untrusted
execute vpn certificate local generate default-ssl-key-certs
execute vpn certificate local generate default-ssl-serv-key

 

Confirm the execution of each command as prompted and reboot the FortiGate.

 

Additional Recommendations:

Rebooting the unit will clear the startup errors, but if they are still generated, consider performing a format and clean install to regenerate the certificates and clear the certificate bundle.
Labels:
6189
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.