FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.



This article describes how to renew a built-in certificate that has expired on a FortiGate.








It can happen that a certificate has expired and administrators have trouble logging into the FortiGate GUI, since most browsers do not accept an expired certificate.


To identify the certificate that has expired, run the following command in the FortiGate CLI (if the firewall has VDOMs, run it in the root/management VDOM):


# get vpn certificate local details


[Screenshot: output of get vpn certificate local details]


The output lists the validity period of every local certificate; a certificate whose end of validity lies in the past has expired and can be identified that way.
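As an added example (not part of the original article and not Fortinet code), the following Python script does the same check over the captured text of `get vpn certificate local details`, so an expired local certificate can be spotted from a saved CLI session or an automated collection rather than by eye. The sample output is constructed: the `== [ name ]` block headers and the `Valid from:`/`Valid to:` labels are an assumed approximation of the real output format, and the names, subjects and dates are made up. The check is done against an explicit reference time, which also shows why the FortiGate clock matters: the same output evaluated with a wrongly set clock gives a different verdict.

```python
"""Flag expired FortiGate local certificates from CLI output.

Added example, not from the original article or from Fortinet. The
sample below is CONSTRUCTED to approximate `get vpn certificate local
details` output; the block header and field labels are assumptions,
so adjust BLOCK_RE / VALID_*_RE if your firmware prints them differently.
"""
import re
from datetime import datetime, timezone

# Constructed sample: one certificate already expired, one still valid.
SAMPLE_OUTPUT = """\
== [ Fortinet_SSL ]
Name:          Fortinet_SSL
Subject:       C = US, ST = California, L = Sunnyvale, O = Fortinet, CN = FGVM00EXAMPLE01
Issuer:        C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = FGVM00EXAMPLE01
Valid from:    2022-03-01 10:15:00  GMT
Valid to:      2024-03-01 10:15:00  GMT
Root CA:       No
== [ Fortinet_Factory ]
Name:          Fortinet_Factory
Subject:       C = US, ST = California, L = Sunnyvale, O = Fortinet, CN = FGVM00EXAMPLE01
Issuer:        C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = fortinet-subca-example
Valid from:    2016-07-04 20:30:00  GMT
Valid to:      2038-01-19 03:14:07  GMT
Root CA:       No
"""

# Assumed output layout: a "== [ name ]" header starts each certificate block.
BLOCK_RE = re.compile(r"^== \[ (.+?) \][ \t]*$", re.M)
VALID_FROM_RE = re.compile(r"^Valid from:\s+(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+GMT", re.M)
VALID_TO_RE = re.compile(r"^Valid to:\s+(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+GMT", re.M)


def parse_gmt(text):
    """Parse 'YYYY-MM-DD HH:MM:SS' (printed in GMT) into an aware UTC datetime."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def parse_validity(output):
    """Return {certificate name: (not_before, not_after)} from the CLI text."""
    parts = BLOCK_RE.split(output)          # [preamble, name1, body1, name2, body2, ...]
    validity = {}
    for name, body in zip(parts[1::2], parts[2::2]):
        not_before = VALID_FROM_RE.search(body)
        not_after = VALID_TO_RE.search(body)
        if not (not_before and not_after):
            continue                        # block without a validity period: skip it
        validity[name] = (parse_gmt(not_before.group(1)), parse_gmt(not_after.group(1)))
    return validity


def cert_status(output, now):
    """Classify each certificate as 'expired', 'not yet valid' or 'valid'.

    `now` is the reference clock: an aware datetime, or a 'YYYY-MM-DD HH:MM:SS'
    string interpreted as GMT. Pass the FortiGate's own system time to see the
    verdict the firewall itself reaches.
    """
    if isinstance(now, str):
        now = parse_gmt(now)
    status = {}
    for name, (not_before, not_after) in parse_validity(output).items():
        if now > not_after:
            status[name] = "expired"
        elif now < not_before:
            status[name] = "not yet valid"
        else:
            status[name] = "valid"
    return status


def expired_certs(output, now):
    """Sorted names of certificates that are expired relative to `now`."""
    return sorted(name for name, state in cert_status(output, now).items() if state == "expired")


if __name__ == "__main__":
    for name, state in cert_status(SAMPLE_OUTPUT, "2024-06-01 00:00:00").items():
        print(f"{name:20s} {state}")
    # The same output judged by a clock set ten years back reports nothing
    # expired (both certificates look "not yet valid"), which is why the
    # system time must be correct before trusting either verdict.
    print(expired_certs(SAMPLE_OUTPUT, "2014-06-01 00:00:00"))
```

In practice, paste the real output of `get vpn certificate local details` into `SAMPLE_OUTPUT` (or read it from a file) and pass the firewall's current system time; any name returned by `expired_certs` is a candidate for regeneration or, for an imported certificate, for renewal with its issuing CA.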


If a built-in certificate has expired on the FortiGate, as in the example below:


[Screenshot: built-in certificate shown as expired]


To renew an expired built-in certificate, run the following command in the FortiGate CLI:


# execute vpn certificate local generate default-ssl-key-certs


A prompt asks for confirmation before the default certificates are regenerated:


"Are you sure to re-generate the default RSA, DSA, ECDSA and EdDSA key certs for ssl resign?
Do you want to continue? (y/n)y"


After confirmation, the regenerated certificates have a new validity period and get vpn certificate local details shows their status as Valid. Because new key pairs and certificates are generated, the certificate fingerprint changes: browsers or clients that had trusted or pinned the previous certificate will have to accept the new one.


[Screenshot: regenerated certificate shown as Valid]


The same command family regenerates the other default (built-in) certificates used by SSL inspection, and can also generate certificate signing requests for certificates that must be signed by an external CA. The available options are:


# execute vpn certificate local generate ?

cmp                         Generate a certificate request over CMPv2.
default-ssl-ca              Generate the default CA certificate used by SSL Inspection.
default-ssl-ca-untrusted    Generate the default untrusted CA certificate used by SSL Inspection.
default-ssl-key-certs       Generate the default RSA, DSA and ECDSA key certs for ssl resign.
default-ssl-serv-key        Generate the default server key used by SSL Inspection.
ec                          Generate an elliptic curve certificate request.
rsa                         Generate a RSA certificate request.


Certificates imported from an external CA are not regenerated by this command; they have to be renewed manually with the issuing CA and re-imported.


Note: Make sure the FortiGate system time and time zone are correct (preferably synchronized by NTP). Certificate validity is checked against the system clock, so a wrong clock can make a valid certificate appear expired, or a freshly regenerated certificate appear not yet valid.