rbraha
Staff
Article Id 220901

Description

This article describes how to renew an expired certificate on FortiGate.

Scope

FortiGate

Solution

It sometimes happens that a certificate has expired and administrators have trouble logging in to the FortiGate GUI, because many browsers reject an expired certificate.

To identify which certificate has expired, run the following command from the FortiGate CLI (if the firewall has VDOMs, run it in the root/management VDOM):

# get vpn certificate local details

 

[Screenshot: get vpn cer local detail.png]

In this way, the certificate that has expired can be identified from its validity period.
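As an added illustration (not part of the original article), the following Python script parses captured output of the command above and flags each local certificate as valid, expiring, expired, or not yet valid. The sample output is constructed, and its field layout (a "== [ name ]" header followed by "Valid from" and "Valid to" lines) is an assumption modelled on the command; adjust the regular expression if your firmware prints the fields differently. The reference clock is passed in explicitly rather than read from the machine, which mirrors the note at the end of the article: the verdict is only as good as the system time it is compared against.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample output (not captured from a real device). The block header
# "== [ name ]" and the "Valid from"/"Valid to" fields are an assumed layout
# modelled on "get vpn certificate local details".
SAMPLE_OUTPUT = """\
== [ Fortinet_Factory ]
Name:           Fortinet_Factory
Subject:        C = US, O = Fortinet, OU = FortiGate, CN = FGT-EXAMPLE
Issuer:         C = US, O = Fortinet, CN = Fortinet-CA-EXAMPLE
Valid from:     2016-05-18 13:22:30  GMT
Valid to:       2038-01-19 03:14:07  GMT

== [ Fortinet_SSL ]
Name:           Fortinet_SSL
Subject:        C = US, O = Fortinet, CN = FGT-EXAMPLE
Issuer:         C = US, O = Fortinet, CN = FGT-EXAMPLE
Valid from:     2021-03-01 00:00:00  GMT
Valid to:       2022-03-01 00:00:00  GMT
"""

BLOCK_RE = re.compile(r"^== \[ (?P<name>[^\]]+) \]\s*$", re.MULTILINE)
DATE_FMT = "%Y-%m-%d %H:%M:%S"


def _parse_date(value: str) -> datetime:
    # "2022-03-01 00:00:00  GMT" -> timezone-aware UTC datetime
    stamp = value.replace("GMT", "").strip()
    return datetime.strptime(stamp, DATE_FMT).replace(tzinfo=timezone.utc)


def parse_local_certs(text: str) -> list:
    """Split the CLI output into one record per certificate block."""
    certs = []
    headers = list(BLOCK_RE.finditer(text))
    for i, header in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        fields = {}
        for line in text[header.end():end].splitlines():
            if ":" in line:
                key, _, value = line.partition(":")  # split at the first colon only
                fields[key.strip()] = value.strip()
        certs.append({
            "name": header.group("name").strip(),
            "not_before": _parse_date(fields["Valid from"]),
            "not_after": _parse_date(fields["Valid to"]),
        })
    return certs


def classify(cert: dict, now: datetime, warn_days: int = 30) -> str:
    """Verdict for one certificate relative to the reference clock passed in."""
    if now < cert["not_before"]:
        return "not-yet-valid"   # clock behind the issue date, or a freshly issued cert
    if now >= cert["not_after"]:
        return "expired"
    if cert["not_after"] - now <= timedelta(days=warn_days):
        return "expiring"
    return "valid"


def check_output(text: str, now_str: str, warn_days: int = 30) -> dict:
    """Map certificate name -> verdict. The reference clock is given in the
    same "YYYY-MM-DD HH:MM:SS GMT" form the CLI prints."""
    now = _parse_date(now_str)
    return {c["name"]: classify(c, now, warn_days) for c in parse_local_certs(text)}


def report(text: str, now_str: str, warn_days: int = 30) -> list:
    """One human-readable line per certificate, for an admin to act on."""
    now = _parse_date(now_str)
    lines = []
    for c in parse_local_certs(text):
        days = (c["not_after"] - now).days
        lines.append(f"{c['name']:<20} {classify(c, now, warn_days):<14} "
                     f"valid until {c['not_after']:%Y-%m-%d} ({days:+d} days)")
    return lines


if __name__ == "__main__":
    # When run directly, use the current UTC time as the reference clock.
    now_str = datetime.now(timezone.utc).strftime(DATE_FMT) + " GMT"
    for line in report(SAMPLE_OUTPUT, now_str):
        print(line)
```

Paste the real command output into SAMPLE_OUTPUT (or read it from a file) and the "expiring" verdict gives you a warning window before browsers start rejecting the GUI certificate; the 30-day threshold is a parameter, not a FortiGate setting.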

 

If the built-in certificate has expired, as in the example below:

[Screenshot: cert expired 1.png]

 

To renew an expired built-in certificate, run the following command from the FortiGate CLI:

 

# execute vpn certificate local generate default-ssl-key-certs

 

A prompt asks for confirmation before the default certificates are regenerated:

Are you sure to re-generate the default RSA, DSA, ECDSA and EdDSA key certs for ssl resign?
Do you want to continue? (y/n)y

 

After confirmation, the certificate status is shown as Valid:

[Screenshot: cert expired 2.png]

 

The same command can also be used to regenerate other certificates; its options are listed with ?:

# execute vpn certificate local generate ?

cmp                       Generate a certificate request over CMPv2.
default-ssl-ca            Generate the default CA certificate used by SSL Inspection.
default-ssl-ca-untrusted  Generate the default untrusted CA certificate used by SSL Inspection.
default-ssl-key-certs     Generate the default RSA, DSA and ECDSA key certs for ssl resign.
default-ssl-serv-key      Generate the default server key used by SSL Inspection.
ec                        Generate an elliptic curve certificate request.
rsa                       Generate a RSA certificate request.

 

Certificates imported from an external source are not renewed by this command; they have to be renewed manually.

 

Note: Make sure that the system time on FortiGate is correct for the configured time zone, since certificate validity is checked against it.