Description
This article describes how the local certificates are handled when a FortiGate is added to an HA cluster.

Scope
FortiGate.

Solution
In a FortiGate HA cluster, the secondary FortiGate synchronizes its configuration from the primary when it is added to the cluster. The primary FortiGate pushes its configuration to the secondary FortiGate, and this includes the local certificates and their private keys. A list of settings that are not synchronized can be found here: FGCP.
After this process completes, the local certificates of the primary FortiGate are available on the secondary FortiGate.
FG101F-02 # get vpn certificate local details
== [ Fortinet_CA_SSL ]
Name: Fortinet_CA_SSL
Subject: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = FG101FTKAABBCC01, emailAddress = support@fortinet.com
Issuer: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = FG101FTKAABBCC01, emailAddress = support@fortinet.com
Valid from: 2024-09-03 18:09:24 GMT
Valid to: 2034-09-04 18:09:24 GMT
Fingerprint: DD:B7:C8:52:B2:49:FA:2F:6B:49:DF:95:99:1F:99:CC
Serial Num: 47:ee:3a:a3:7e:f7:4c:7a
== [ Fortinet_CA_Untrusted ]
Name: Fortinet_CA_Untrusted
Subject: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = Fortinet Untrusted CA, emailAddress = support@fortinet.com
Issuer: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = Fortinet Untrusted CA, emailAddress = support@fortinet.com
Valid from: 2024-09-03 18:09:24 GMT
Valid to: 2034-09-04 18:09:24 GMT
Fingerprint: 9D:71:50:7C:AC:D0:18:A3:1A:47:1A:A9:90:75:36:7B
Serial Num: 6a:1f:ee:bc:0d:91:46:a4
== [ Fortinet_Factory ]
Name: Fortinet_Factory
Subject: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = FortiGate, CN = FG101FTKAABBCC01, emailAddress = support@fortinet.com
Issuer: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = fortinet-subca2001, emailAddress = support@fortinet.com
Valid from: 2019-06-27 10:26:19 GMT
Valid to: 2056-01-19 03:14:07 GMT
Fingerprint: 70:BA:E6:8D:49:DA:AE:8A:1E:E9:7C:0D:FE:21:67:94
Serial Num: 06:85:3d
== [ Fortinet_Factory_Backup ]
Name: Fortinet_Factory_Backup
Subject: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = FortiGate, CN = FG101FTKAABBCC01, emailAddress = support@fortinet.com
Issuer: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = support, emailAddress = support@fortinet.com
Valid from: 2019-06-27 10:26:19 GMT
Valid to: 2038-01-19 03:14:07 GMT
Fingerprint: F2:DA:D5:86:A2:23:8B:72:EA:0C:9D:8D:AF:59:88:B6
Serial Num: 05:50:4f
== [ Fortinet_GUI_Server ]
Name: Fortinet_GUI_Server
Subject: C = US, ST = California, L = Sunnyvale, O = Fortinet Ltd., OU = FortiGate, CN = FortiGate
Issuer: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = FG101FTKAABBCC01, emailAddress = support@fortinet.com
Valid from: 2024-09-03 18:10:20 GMT
Valid to: 2026-12-07 18:10:20 GMT
Fingerprint: 3D:A4:41:60:92:4F:02:19:24:56:4D:8E:01:B9:68:D2
Serial Num: 21:f1:af:74:49:ca:50:94
**output-omitted**
After the secondary FortiGate is added to the HA cluster, the certificates and their respective private keys from the primary FortiGate are pushed to the secondary FortiGate. The modification times of the key files in the local certificate directory show when this happened:

FG101F-02 # diagnose sys filesystem last-modified-files /data/etc/cert/local/
Tue Sep 3 11:17:16 2024 - /data/etc/cert/local/root_Fortinet_SSL_DSA2048.key
Tue Sep 3 11:17:16 2024 - /data/etc/cert/local/root_Fortinet_SSL_RSA4096.key
Tue Sep 3 11:17:16 2024 - /data/etc/cert/local/root_Fortinet_SSL_RSA1024.key
Tue Sep 3 11:17:16 2024 - /data/etc/cert/local/root_Fortinet_SSL_ED25519.key
Tue Sep 3 11:17:16 2024 - /data/etc/cert/local/root_Fortinet_SSL_ECDSA256.key
Tue Sep 3 11:17:16 2024 - /data/etc/cert/local/root_Fortinet_SSL_DSA1024.key
Tue Sep 3 11:17:16 2024 - /data/etc/cert/local/root_Fortinet_SSL_ED448.key
Tue Sep 3 11:17:16 2024 - /data/etc/cert/local/root_Fortinet_SSL_RSA2048.key
Tue Sep 3 11:17:16 2024 - /data/etc/cert/local/root_Fortinet_CA_SSL.key
Tue Sep 3 11:17:16 2024 - /data/etc/cert/local/root_Fortinet_SSL_ECDSA384.key

The output below shows the local certificates on the secondary FortiGate after it was added to the HA cluster.
== [ Fortinet_CA_SSL ]
Name: Fortinet_CA_SSL
Subject: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = FG101FTKAABBCC34, emailAddress = support@fortinet.com
Issuer: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = FG101FTKAABBCC34, emailAddress = support@fortinet.com
Valid from: 2024-09-03 16:53:17 GMT
Valid to: 2034-09-04 16:53:17 GMT
Fingerprint: 65:D7:70:22:AD:15:E3:D9:B9:96:B4:DE:27:19:72:00
Serial Num: 6d:06:65:a2:0e:48:32:d7
== [ Fortinet_CA_Untrusted ]
Name: Fortinet_CA_Untrusted
Subject: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = Fortinet Untrusted CA, emailAddress = support@fortinet.com
Issuer: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = Fortinet Untrusted CA, emailAddress = support@fortinet.com
Valid from: 2024-09-03 16:53:17 GMT
Valid to: 2034-09-04 16:53:17 GMT
Fingerprint: F4:3D:9C:C0:C8:3D:7E:80:25:81:DC:4A:D5:6E:D5:52
Serial Num: 46:05:c3:b9:00:6e:6c:03
== [ Fortinet_Factory ]
Name: Fortinet_Factory
Subject: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = FortiGate, CN = FG101FTKAABBCC34, emailAddress = support@fortinet.com
Issuer: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = fortinet-subca2001, emailAddress = support@fortinet.com
Valid from: 2019-06-27 11:05:46 GMT
Valid to: 2056-01-19 03:14:07 GMT
Fingerprint: A8:F2:2F:6B:03:FA:B4:0A:F1:16:4E:C1:8E:83:F0:1C
Serial Num: 06:8c:13
== [ Fortinet_Factory_Backup ]
Name: Fortinet_Factory_Backup
Subject: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = FortiGate, CN = FG101FTKAABBCC34, emailAddress = support@fortinet.com
Issuer: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = support, emailAddress = support@fortinet.com
Valid from: 2019-06-27 11:05:46 GMT
Valid to: 2038-01-19 03:14:07 GMT
Fingerprint: 48:CA:51:63:65:6F:4F:09:B9:4D:86:3A:90:C6:36:D8
Serial Num: 05:57:25
== [ Fortinet_GUI_Server ]
Name: Fortinet_GUI_Server
Subject: C = US, ST = California, L = Sunnyvale, O = Fortinet Ltd., OU = FortiGate, CN = FortiGate
Issuer: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = FG101FTKAABBCC34, emailAddress = support@fortinet.com
Valid from: 2024-09-03 18:16:22 GMT
Valid to: 2026-12-07 18:16:22 GMT
Fingerprint: 4E:F7:B3:24:27:F9:25:65:ED:4F:B9:1F:70:BB:E3:B1
Serial Num: 74:c7:da:1b:3e:4c:fd:ca
**output-omitted**
The certificates above are the primary FortiGate's: the CN in each certificate's subject field shows the primary's serial number.
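To confirm the synchronization on a cluster, the following Python script (an added example, not part of the Fortinet article) parses `get vpn certificate local details` output captured from both units and reports, per certificate name, whether the secondary holds the same fingerprint as the primary, and which serial number the subject CNs carry. The two sample outputs are constructed and abbreviated; their fingerprints are taken from the article's output.

```python
import re

# Constructed samples in the format of `get vpn certificate local details`
# (fingerprints from the article). This secondary still carries its own
# pre-join Fortinet_GUI_Server certificate, so the check must flag it.
PRIMARY = """\
== [ Fortinet_CA_SSL ]
Name: Fortinet_CA_SSL
Subject: C = US, O = Fortinet, OU = Certificate Authority, CN = FG101FTKAABBCC34
Fingerprint: 65:D7:70:22:AD:15:E3:D9:B9:96:B4:DE:27:19:72:00
== [ Fortinet_GUI_Server ]
Name: Fortinet_GUI_Server
Fingerprint: 4E:F7:B3:24:27:F9:25:65:ED:4F:B9:1F:70:BB:E3:B1
"""
SECONDARY = """\
== [ Fortinet_CA_SSL ]
Name: Fortinet_CA_SSL
Subject: C = US, O = Fortinet, OU = Certificate Authority, CN = FG101FTKAABBCC34
Fingerprint: 65:D7:70:22:AD:15:E3:D9:B9:96:B4:DE:27:19:72:00
== [ Fortinet_GUI_Server ]
Name: Fortinet_GUI_Server
Fingerprint: 3D:A4:41:60:92:4F:02:19:24:56:4D:8E:01:B9:68:D2
"""
FIELD_RE = re.compile(r"^(Name|Subject|Fingerprint|Serial Num):\s*(.*)$")

def parse_local_certs(output):
    """Map certificate name -> {field: value} from the CLI output."""
    certs, current = {}, None
    for line in output.splitlines():
        m = FIELD_RE.match(line.strip())  # '== [ name ]' headers do not match
        if m and m.group(1) == "Name":
            current = certs.setdefault(m.group(2), {})
        elif m and current is not None:
            current[m.group(1)] = m.group(2)
    return certs

def compare_stores(primary_out, secondary_out):
    """Per certificate name on the primary: 'synced', 'mismatch' or 'missing'."""
    p, s = parse_local_certs(primary_out), parse_local_certs(secondary_out)
    return {n: "missing" if n not in s
            else "synced" if p[n].get("Fingerprint") == s[n].get("Fingerprint")
            else "mismatch" for n in p}

def subject_cns(output):
    """CN per subject; on a synced secondary these show the primary's serial."""
    cns = {}
    for name, cert in parse_local_certs(output).items():
        m = re.search(r"CN = ([^,]+)", cert.get("Subject", ""))
        if m:
            cns[name] = m.group(1)
    return cns
```

Any name reported as mismatch or missing means the secondary is still serving its own pre-join certificate for that role and the HA synchronization should be rechecked before relying on it.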
Copyright 2024 Fortinet, Inc. All Rights Reserved.