FortiGate
kbountouris
Staff
Article Id 351368
Description This article shows how to clear the cache of the server certificate and client certificate.
Scope FortiGate.
Solution

Background:

When a web page is blocked with a certificate-untrusted error, the following procedure can be used to clear the certificate cache so that the certificates are validated correctly again. The web pages will then be accessible and no longer blocked.

One of the following errors is shown in the browser while accessing the page:

NET::ERR_CERT_AUTHORITY_INVALID
NET::ERR_CERT_DATE_INVALID

In the logs, the following error is shown:

block-cert-untrusted

Solution:

Open an SSH session to the FortiGate and execute the following commands:

diagnose ips share list scert_cache  <----- To view the server certificate entries.
diagnose ips share list ccert_cache  <----- To view the client certificate entries.

diagnose ips share list server_cache_0  <----- If the previous scert_cache command returns empty, use this.

diagnose ips share pool  <----- To view the various certificate pools and their current entries.

diagnose ips share clear scert_cache  <----- To clear the server certificate entries.
diagnose ips share clear ccert_cache  <----- To clear the client certificate entries.

diagnose ips share clear cert_verify_cache  <----- To clear the certificate verification cache.

diagnose test app ipsmonitor 99  <----- To reset the IPS engine.

execute update-now
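A triage step worth running from a client before clearing the caches and restarting the IPS engine, added here as an example that is not part of the Fortinet article: it validates the blocked site against the local trust store and maps OpenSSL's verification result onto the two browser errors above, so a genuinely expired or untrusted certificate is not mistaken for a stale FortiGate cache. The host name in the usage block is a constructed placeholder.

```python
"""Triage a block-cert-untrusted hit before flushing FortiGate caches.

Hypothetical helper, not Fortinet code: maps OpenSSL's verify result onto
NET::ERR_CERT_DATE_INVALID / NET::ERR_CERT_AUTHORITY_INVALID and says what to do next.
"""
import socket
import ssl
import time

# OpenSSL X509_V_ERR_* codes, surfaced as SSLCertVerificationError.verify_code
DATE_CODES = {9: "certificate not yet valid", 10: "certificate has expired"}
CHAIN_CODES = {2: "issuer certificate missing", 18: "self-signed leaf",
               19: "self-signed certificate in chain",
               20: "issuer not in local trust store",
               21: "leaf signature cannot be verified"}


def classify(verify_code):
    """Map verify_code (None = chain accepted) to (browser error, next step)."""
    if verify_code is None:
        return ("OK", "site validates here; if FortiGate still logs "
                      "block-cert-untrusted, suspect a stale scert/ccert cache")
    if verify_code in DATE_CODES:
        return ("NET::ERR_CERT_DATE_INVALID", DATE_CODES[verify_code]
                + ": clearing caches will not help, the server needs a new cert")
    if verify_code in CHAIN_CODES:
        return ("NET::ERR_CERT_AUTHORITY_INVALID", CHAIN_CODES[verify_code]
                + ": confirm the issuing CA is trusted before clearing caches")
    return ("UNKNOWN", f"OpenSSL verify code {verify_code}; inspect manually")


def days_left(not_after, now=None):
    """Whole days until a getpeercert() 'notAfter' string (negative if past)."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)


def probe(host, port=443, timeout=5):
    """Return (verify_code, days_left) for host:port; verify_code None means OK."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return None, days_left(tls.getpeercert()["notAfter"])
    except ssl.SSLCertVerificationError as exc:
        return exc.verify_code, None


if __name__ == "__main__":
    code, days = probe("blocked-site.example")  # constructed placeholder host
    error, advice = classify(code)
    print(error, "-", advice, "" if days is None else f"({days} days left)")
```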