FortiGate
syadav
Staff
Article Id 338841
Description: This article describes how the local certificates are handled when a FortiGate is added to an HA cluster.
Scope: FortiGate.
Solution

In a FortiGate HA cluster, a secondary FortiGate synchronizes its configuration with the primary when it is added to the cluster.

The primary FortiGate pushes its configuration to the secondary FortiGate, and this push includes the local certificates and their private keys.
Some parts of the configuration are not synchronized between FortiGate cluster members.

A list of the non-synchronized settings can be found here: FGCP

 

After this process is completed, the local certificates of the primary FortiGate will be available on the secondary FortiGate. 

Consider the following scenario:

  • The Primary FortiGate with serial number FG101FTKAABBCC34 is configured with an HA active-passive configuration.
  • The secondary FortiGate with serial number FG101FTKAABBCC01 will be added to this HA cluster. 


The output below shows the certificates present on the secondary FortiGate before it is added to the HA cluster. Note the serial number listed in the Common Name (CN) field of each certificate's Subject:

FG101F-02 # get vpn certificate local details  
== [ Fortinet_CA_SSL ] 

        Name:        Fortinet_CA_SSL 

        Subject:     C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = FG101FTKAABBCC01, emailAddress = support@fortinet.com 

        Issuer:      C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = FG101FTKAABBCC01, emailAddress = support@fortinet.com 

        Valid from:  2024-09-03 18:09:24  GMT 

        Valid to:    2034-09-04 18:09:24  GMT 

        Fingerprint: DD:B7:C8:52:B2:49:FA:2F:6B:49:DF:95:99:1F:99:CC 

        Serial Num:  47:ee:3a:a3:7e:f7:4c:7a 

== [ Fortinet_CA_Untrusted ] 

        Name:        Fortinet_CA_Untrusted 

        Subject:     C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = Fortinet Untrusted CA, emailAddress = support@fortinet.com 

        Issuer:      C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = Fortinet Untrusted CA, emailAddress = support@fortinet.com 

        Valid from:  2024-09-03 18:09:24  GMT 

        Valid to:    2034-09-04 18:09:24  GMT 

        Fingerprint: 9D:71:50:7C:AC:D0:18:A3:1A:47:1A:A9:90:75:36:7B 

        Serial Num:  6a:1f:ee:bc:0d:91:46:a4 

== [ Fortinet_Factory ] 

        Name:        Fortinet_Factory 

        Subject:     C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = FortiGate, CN = FG101FTKAABBCC01, emailAddress = support@fortinet.com 

        Issuer:      C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = fortinet-subca2001, emailAddress = support@fortinet.com 

        Valid from:  2019-06-27 10:26:19  GMT 

        Valid to:    2056-01-19 03:14:07  GMT 

        Fingerprint: 70:BA:E6:8D:49:DA:AE:8A:1E:E9:7C:0D:FE:21:67:94 

        Serial Num:  06:85:3d 

== [ Fortinet_Factory_Backup ] 

        Name:        Fortinet_Factory_Backup 

        Subject:     C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = FortiGate, CN = FG101FTKAABBCC01, emailAddress = support@fortinet.com 

        Issuer:      C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = support, emailAddress = support@fortinet.com 

        Valid from:  2019-06-27 10:26:19  GMT 

        Valid to:    2038-01-19 03:14:07  GMT 

        Fingerprint: F2:DA:D5:86:A2:23:8B:72:EA:0C:9D:8D:AF:59:88:B6 

        Serial Num:  05:50:4f 

== [ Fortinet_GUI_Server ] 

        Name:        Fortinet_GUI_Server 

        Subject:     C = US, ST = California, L = Sunnyvale, O = Fortinet Ltd., OU = FortiGate, CN = FortiGate 

        Issuer:      C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = FG101FTKAABBCC01, emailAddress = support@fortinet.com 

        Valid from:  2024-09-03 18:10:20  GMT 

        Valid to:    2026-12-07 18:10:20  GMT 

        Fingerprint: 3D:A4:41:60:92:4F:02:19:24:56:4D:8E:01:B9:68:D2 

        Serial Num:  21:f1:af:74:49:ca:50:94 

**output-omitted** 

 

After the secondary FortiGate is added to the HA cluster, the certificates and their respective private keys from the primary FortiGate are pushed to the secondary FortiGate.

The following output lists the certificate key files that were modified during HA synchronization:
 

FG101F-02 # diagnose sys filesystem last-modified-files /data/etc/cert/local/ 

Tue Sep  3 11:17:16 2024 - /data/etc/cert/local/root_Fortinet_SSL_DSA2048.key 

Tue Sep  3 11:17:16 2024 - /data/etc/cert/local/root_Fortinet_SSL_RSA4096.key 

Tue Sep  3 11:17:16 2024 - /data/etc/cert/local/root_Fortinet_SSL_RSA1024.key 

Tue Sep  3 11:17:16 2024 - /data/etc/cert/local/root_Fortinet_SSL_ED25519.key 

Tue Sep  3 11:17:16 2024 - /data/etc/cert/local/root_Fortinet_SSL_ECDSA256.key 

Tue Sep  3 11:17:16 2024 - /data/etc/cert/local/root_Fortinet_SSL_DSA1024.key 

Tue Sep  3 11:17:16 2024 - /data/etc/cert/local/root_Fortinet_SSL_ED448.key 

Tue Sep  3 11:17:16 2024 - /data/etc/cert/local/root_Fortinet_SSL_RSA2048.key 

Tue Sep  3 11:17:16 2024 - /data/etc/cert/local/root_Fortinet_CA_SSL.key 

Tue Sep  3 11:17:16 2024 - /data/etc/cert/local/root_Fortinet_SSL_ECDSA384.key 
 

The output below shows the local certificates on the secondary FortiGate after it was added to the HA cluster.
Note that the serial number in the CN field of the Subject has changed, as have other attributes of each certificate, such as the cryptographic Fingerprint.
 
FG101F-02 # get vpn certificate local details  
== [ Fortinet_CA_SSL ] 

        Name:        Fortinet_CA_SSL 

        Subject:     C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = FG101FTKAABBCC34, emailAddress = support@fortinet.com 

        Issuer:      C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = FG101FTKAABBCC34, emailAddress = support@fortinet.com 

        Valid from:  2024-09-03 16:53:17  GMT 

        Valid to:    2034-09-04 16:53:17  GMT 

        Fingerprint: 65:D7:70:22:AD:15:E3:D9:B9:96:B4:DE:27:19:72:00 

        Serial Num:  6d:06:65:a2:0e:48:32:d7 

== [ Fortinet_CA_Untrusted ] 

        Name:        Fortinet_CA_Untrusted 

        Subject:     C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = Fortinet Untrusted CA, emailAddress = support@fortinet.com 

        Issuer:      C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = Fortinet Untrusted CA, emailAddress = support@fortinet.com 

        Valid from:  2024-09-03 16:53:17  GMT 

        Valid to:    2034-09-04 16:53:17  GMT 

        Fingerprint: F4:3D:9C:C0:C8:3D:7E:80:25:81:DC:4A:D5:6E:D5:52 

        Serial Num:  46:05:c3:b9:00:6e:6c:03 
== [ Fortinet_Factory ] 

        Name:        Fortinet_Factory 

        Subject:     C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = FortiGate, CN = FG101FTKAABBCC34, emailAddress = support@fortinet.com 

        Issuer:      C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = fortinet-subca2001, emailAddress = support@fortinet.com 

        Valid from:  2019-06-27 11:05:46  GMT 

        Valid to:    2056-01-19 03:14:07  GMT 

        Fingerprint: A8:F2:2F:6B:03:FA:B4:0A:F1:16:4E:C1:8E:83:F0:1C 

        Serial Num:  06:8c:13 

== [ Fortinet_Factory_Backup ] 

        Name:        Fortinet_Factory_Backup 

        Subject:     C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = FortiGate, CN = FG101FTKAABBCC34, emailAddress = support@fortinet.com 

        Issuer:      C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = support, emailAddress = support@fortinet.com 

        Valid from:  2019-06-27 11:05:46  GMT 

        Valid to:    2038-01-19 03:14:07  GMT 

        Fingerprint: 48:CA:51:63:65:6F:4F:09:B9:4D:86:3A:90:C6:36:D8 

        Serial Num:  05:57:25 

== [ Fortinet_GUI_Server ] 

        Name:        Fortinet_GUI_Server 

        Subject:     C = US, ST = California, L = Sunnyvale, O = Fortinet Ltd., OU = FortiGate, CN = FortiGate 

        Issuer:      C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = FG101FTKAABBCC34, emailAddress = support@fortinet.com 

        Valid from:  2024-09-03 18:16:22  GMT 

        Valid to:    2026-12-07 18:16:22  GMT 

        Fingerprint: 4E:F7:B3:24:27:F9:25:65:ED:4F:B9:1F:70:BB:E3:B1 

        Serial Num:  74:c7:da:1b:3e:4c:fd:ca 

**output-omitted** 

 

The certificates above belong to the primary FortiGate: the CN in each certificate's Subject field now shows the primary's serial number.
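The before/after comparison described in this article can be automated. The following Python script is an added example, not part of the original article or of FortiOS: it parses two saved snapshots of `get vpn certificate local details` output, reports every certificate whose Subject CN or Fingerprint changed, and confirms that all serial-number CNs now carry the primary's serial. The snapshots are constructed and abbreviated from the article's output, and the serial-number pattern in SERIAL_RE is an assumption.

```python
import re

# Constructed snapshots, abbreviated from the article's CLI output to the fields this check needs.
BEFORE = """\
== [ Fortinet_CA_SSL ]
        Subject:     C = US, O = Fortinet, CN = FG101FTKAABBCC01, emailAddress = support@fortinet.com
        Fingerprint: DD:B7:C8:52:B2:49:FA:2F:6B:49:DF:95:99:1F:99:CC
== [ Fortinet_CA_Untrusted ]
        Subject:     C = US, O = Fortinet, CN = Fortinet Untrusted CA, emailAddress = support@fortinet.com
        Fingerprint: 9D:71:50:7C:AC:D0:18:A3:1A:47:1A:A9:90:75:36:7B
"""
AFTER = """\
== [ Fortinet_CA_SSL ]
        Subject:     C = US, O = Fortinet, CN = FG101FTKAABBCC34, emailAddress = support@fortinet.com
        Fingerprint: 65:D7:70:22:AD:15:E3:D9:B9:96:B4:DE:27:19:72:00
== [ Fortinet_CA_Untrusted ]
        Subject:     C = US, O = Fortinet, CN = Fortinet Untrusted CA, emailAddress = support@fortinet.com
        Fingerprint: F4:3D:9C:C0:C8:3D:7E:80:25:81:DC:4A:D5:6E:D5:52
"""
SERIAL_RE = re.compile(r"^FG[0-9A-Z]{8,}$")  # assumed serial format, e.g. FG101FTKAABBCC34

def parse_local_certs(output):
    """Map certificate name -> {field: value} from 'get vpn certificate local details' text."""
    certs, current = {}, None
    for line in output.splitlines():
        head = re.match(r"== \[ (\S+) \]", line)      # "== [ Name ]" starts a new certificate
        if head:
            current = certs.setdefault(head.group(1), {})
            continue
        field = re.match(r"\s*([A-Za-z ]+?):\s+(.*\S)", line)  # "Field:   value"
        if field and current is not None:
            current[field.group(1)] = field.group(2)
    return certs

def subject_cn(cert):
    m = re.search(r"CN = ([^,]+)", cert.get("Subject", ""))
    return m.group(1).strip() if m else None

def diff_certs(before, after):
    """(name, old_cn, new_cn, fingerprint_changed) for every cert whose CN or fingerprint differs."""
    changed = []
    for name in sorted(set(before) | set(after)):
        old, new = before.get(name, {}), after.get(name, {})
        fp_changed = old.get("Fingerprint") != new.get("Fingerprint")
        if fp_changed or subject_cn(old) != subject_cn(new):
            changed.append((name, subject_cn(old), subject_cn(new), fp_changed))
    return changed

def verify_synced(after, primary_serial):
    """True when every cert whose CN is a device serial now carries the primary's serial."""
    serial_cns = [subject_cn(c) for c in after.values() if SERIAL_RE.match(subject_cn(c) or "")]
    return bool(serial_cns) and all(cn == primary_serial for cn in serial_cns)
```

Run `diff_certs(parse_local_certs(BEFORE), parse_local_certs(AFTER))` on real captures taken before and after joining the cluster; a certificate such as Fortinet_CA_Untrusted keeps its CN but still shows a new Fingerprint, which is the sign that the primary's copy replaced it.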

 
