Description
This article describes how to renew a certificate that expired on FortiGate.
Scope
FortiGate.
Solution
Sometimes the certificate used by the FortiGate GUI expires and admins have trouble logging in, as most browsers reject expired certificates.
Certificates imported externally are not renewed automatically; they have to be renewed manually (except for ACME certificates).
To identify the certificate that has expired, run the following command on the FortiGate CLI (if the firewall has VDOMs, run this command in the root VDOM, i.e. the management VDOM):
get vpn certificate local details
In this way, one can identify which certificate has expired based on its validity time. The example below shows a built-in certificate that has expired on FortiGate:
To renew an expired built-in certificate, run the following command on the FortiGate CLI:
execute vpn certificate local generate default-ssl-key-certs
A prompt asks to confirm the re-generation of the default certificates:
Are you sure to re-generate the default RSA, DSA, ECDSA and EdDSA key certs for ssl resign?
Do you want to continue? (y/n)y
The above command renews all the default SSL certificates except 'Fortinet_SSL', which can be renewed with the command below:
execute vpn certificate local generate default-ssl-serv-key
After confirmation, the certificate status is shown as Valid.
The same command can also be used to renew other default certificates; the available options are:
execute vpn certificate local generate ?
cmp <----- Generate a certificate request over CMPv2.
default-ssl-ca <----- Generate the default CA certificate used by SSL Inspection.
default-ssl-ca-untrusted <----- Generate the default untrusted CA certificate used by SSL Inspection.
default-ssl-key-certs <----- Generate the default RSA, DSA, and ECDSA key certs for 'ssl resign'.
default-ssl-serv-key <----- Generate the default server key used by SSL Inspection.
ec <----- Generate an elliptic curve certificate request.
rsa <----- Generate an RSA certificate request.
From v7.2.0, a new default certificate is used for HTTPS administrative access. To renew it:
default-gui-mgmt-cert <-- Generate the default GUI mgmt admin-server certificate.
In v7.6.0, additional options are available:
cmp-ec <-- Generate an ECDSA certificate request over CMPv2.
cmp-rsc <-- Generate an RSA certificate request over CMPv2.
est <-- Generate a certificate via Enrollment over Secure Transport.
In a VDOM setup, attempting to renew the certificate from the root or any other VDOM fails, as the 'default-ssl-key-certs' option is not available there:
FGT-201F (root) # execute vpn certificate local generate
cmp Generate a certificate request over CMPv2.
ec Generate an elliptic curve certificate request.
rsa Generate a RSA certificate request.
Renew the certificate in global mode instead:
FGT-201F (global) # execute vpn certificate local generate
cmp Generate a certificate request over CMPv2.
default-ssl-ca Generate the default CA certificate used by SSL Inspection.
default-ssl-ca-untrusted Generate the default untrusted CA certificate used by SSL Inspection.
default-ssl-key-certs Generate the default RSA, DSA and ECDSA key certs for ssl resign.
default-ssl-serv-key Generate the default server key used by SSL Inspection.
ec Generate an elliptic curve certificate request.
rsa Generate a RSA certificate request.
In some cases, especially in HA setups, peers continue to receive the old certificate from the FortiGate even after renewal. In such cases, reboot the firewall as a last step so that the renewed certificates take effect.
The built-in 'Fortinet_Wifi' certificate is updated automatically via the FortiGuard certificate bundle.
Another way to renew an expired firewall built-in certificate is to upgrade the firewall firmware.
Note:
Ensure that the system time on the FortiGate is synchronized with the time on the computer accessing it. Otherwise, a significant time difference could trigger a time out-of-sync warning in the GUI and cause certificates to appear expired as well.
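To confirm from the admin workstation that the renewal took effect, and to tell a genuinely expired certificate apart from the clock-skew case described in the note, the following script is an added example (not part of the Fortinet article or FortiOS). It assumes the openssl CLI is installed locally; the host and port are placeholders.

```python
"""Report the validity window of the certificate a FortiGate presents on
its HTTPS admin port and classify it against the local clock.

Added example, not Fortinet code. Assumes 'openssl' is on PATH; the host
and port passed on the command line are placeholders for a real FortiGate.
"""
import subprocess
import sys
from datetime import datetime, timedelta, timezone

OPENSSL_DATE = "%b %d %H:%M:%S %Y %Z"  # as printed by 'openssl x509 -dates'


def parse_openssl_date(value: str) -> datetime:
    """Parse 'Jan  5 12:34:56 2025 GMT' (openssl pads the day with spaces)."""
    return datetime.strptime(" ".join(value.split()), OPENSSL_DATE).replace(tzinfo=timezone.utc)


def classify(not_before: datetime, not_after: datetime, now: datetime,
             skew: timedelta = timedelta(minutes=5)) -> str:
    """Distinguish 'expired' from 'not yet valid', which usually means clock skew."""
    if now < not_before - skew:
        return "not-yet-valid: check FortiGate and client system time"
    if now > not_after:
        return "expired: renew with 'execute vpn certificate local generate ...'"
    days_left = (not_after - now).days
    if days_left <= 30:
        return f"expiring-soon: {days_left} days left"
    return f"valid: {days_left} days left"


def check_dates(not_before: str, not_after: str, now: str) -> str:
    """String front-end to classify(); all three values in openssl date format."""
    return classify(parse_openssl_date(not_before), parse_openssl_date(not_after),
                    parse_openssl_date(now))


def fetch_dates(host: str, port: int = 443) -> tuple[datetime, datetime]:
    """Fetch the leaf certificate's notBefore/notAfter without verifying the chain."""
    s_client = subprocess.run(["openssl", "s_client", "-connect", f"{host}:{port}",
                               "-servername", host], input=b"", capture_output=True, timeout=15)
    x509 = subprocess.run(["openssl", "x509", "-noout", "-dates"],
                          input=s_client.stdout, capture_output=True, check=True)
    dates = dict(line.split("=", 1) for line in x509.stdout.decode().splitlines() if "=" in line)
    return parse_openssl_date(dates["notBefore"]), parse_openssl_date(dates["notAfter"])


if __name__ == "__main__":
    fgt_host = sys.argv[1] if len(sys.argv) > 1 else "fortigate.example.internal"  # placeholder
    fgt_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    nb, na = fetch_dates(fgt_host, fgt_port)
    print(f"notBefore={nb:%Y-%m-%d %H:%M:%S} notAfter={na:%Y-%m-%d %H:%M:%S}")
    print(classify(nb, na, datetime.now(timezone.utc)))
```

Run it once before and once after the renewal command: the notAfter value should move forward, and a 'not-yet-valid' result points at the time difference the note warns about rather than at the certificate itself.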
Related article:
Troubleshooting Tip: Certificate expired warning on deep inspection profiles due to DigiCert
Copyright 2025 Fortinet, Inc. All Rights Reserved.