FortiGate
rbraha
Staff
Article Id 220901

Description

 

This article describes how to renew a certificate that expired on FortiGate.

 

Scope

 

FortiGate.

 

Solution

 

It sometimes happens that a certificate has expired and administrators can no longer log in to the FortiGate GUI, because most browsers refuse expired certificates.

 

Certificates imported externally are not renewed automatically; they have to be renewed manually (except for ACME certificates).

  • If the CA certificate has expired and it is being referenced in System -> Settings -> HTTPS server certificate, accessing the FortiGate using an FQDN such as https://fortigatename.com:8443 will present the 'net::ERR_CERT_DATE_INVALID' error and it will not be possible to proceed past this page.
  • To work around this issue use the FortiGate's interface IP such as https://10.10.10.1:8443.

 

(Screenshot: HSTS_Error.PNG)

 

To identify which certificate has expired, run the following command in the FortiGate CLI (if the firewall has VDOMs, run it in the root VDOM, i.e. the management VDOM):

 

get vpn certificate local details

 

(Screenshot: get vpn cer local detail.png)

 

Comparing the validity period of each certificate shows which one has expired. In the example below, a built-in certificate has expired on the FortiGate:

 

(Screenshot: cert expired 1.png)
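To make the validity check above repeatable (for example as a scheduled monitoring job), here is an added Python example that is not part of the article or of Fortinet's own tooling. It parses saved output of `get vpn certificate local details` and flags certificates that are expired or close to expiry; the embedded sample output is constructed and only approximates the real layout, and the reference time is passed in explicitly because a skewed clock is itself a cause of false "expired" results (see the Note at the end of the article).

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample modelled on the "Valid from" / "Valid to" lines that
# `get vpn certificate local details` prints for each local certificate.
SAMPLE_OUTPUT = """\
== [ Fortinet_CA_SSL ]
Subject: C = US, O = Fortinet, CN = FGT60FTK0000000
Valid from: 2012-09-02 10:00:00  GMT
Valid to: 2022-09-03 10:00:00  GMT

== [ Fortinet_SSL ]
Subject: C = US, O = Fortinet, CN = FGT60FTK0000000
Valid from: 2022-01-10 08:30:00  GMT
Valid to: 2023-01-10 08:30:00  GMT

== [ Fortinet_Factory ]
Subject: C = US, O = Fortinet, CN = FGT60FTK0000000
Valid from: 2019-05-01 00:00:00  GMT
Valid to: 2038-01-19 03:14:07  GMT
"""

HEADER_RE = re.compile(r"^== \[ (\S+) \]", re.M)
VALID_TO_RE = re.compile(r"^Valid to:\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+GMT", re.M)

def parse_local_certs(text):
    """Map each certificate name to its 'Valid to' timestamp (UTC)."""
    certs = {}
    chunks = HEADER_RE.split(text)  # [preamble, name1, body1, name2, body2, ...]
    for name, body in zip(chunks[1::2], chunks[2::2]):
        m = VALID_TO_RE.search(body)
        if m:
            exp = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            certs[name] = exp.replace(tzinfo=timezone.utc)
    return certs

def check_output(text, now_str, warn_days=30):
    """Classify each certificate as 'expired', 'expiring' (within warn_days) or 'valid'.
    now_str is the reference clock ('YYYY-MM-DD HH:MM:SS', UTC): use the FortiGate's own
    system time, since a skewed clock makes certificates appear expired (see the Note)."""
    now = datetime.strptime(now_str, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    status = {}
    for name, exp in parse_local_certs(text).items():
        if exp <= now:
            status[name] = "expired"
        elif exp - now <= timedelta(days=warn_days):
            status[name] = "expiring"
        else:
            status[name] = "valid"
    return status
```

Any certificate reported as "expired" here is a candidate for the regeneration commands that follow; an "expiring" one can still be renewed before browsers start rejecting the GUI.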

 

To renew an expired built-in certificate, run the following command on FortiGate CLI:

 

execute vpn certificate local generate default-ssl-key-certs

 

A prompt asks to confirm the regeneration of the default certificates:

 

Are you sure to re-generate the default RSA, DSA, ECDSA and EdDSA key certs for ssl resign?
Do you want to continue? (y/n)y

 

The above command renews all the default SSL certificates except 'Fortinet_SSL', which can be renewed with the following command:

execute vpn certificate local generate default-ssl-serv-key

 

After confirmation, the certificate status is shown as Valid:

 

(Screenshot: cert expired 2.png)

 

The same command can also be used to renew the other default certificates; the available options are:

 

execute vpn certificate local generate ?

cmp                      <----- Generate a certificate request over CMPv2.
default-ssl-ca           <----- Generate the default CA certificate used by SSL Inspection.
default-ssl-ca-untrusted <----- Generate the default untrusted CA certificate used by SSL Inspection.
default-ssl-key-certs    <----- Generate the default RSA, DSA, and ECDSA key certs for 'ssl resign'.
default-ssl-serv-key     <----- Generate the default server key used by SSL Inspection.
ec                       <----- Generate an elliptic curve certificate request.
rsa                      <----- Generate an RSA certificate request.

 

From v7.2.0, a separate default certificate is used for HTTPS administrative access. To renew it, use:

 

default-gui-mgmt-cert    <----- Generate the default GUI mgmt admin-server certificate.

 

In v7.6.0, the following additional options are available:

 

cmp-ec                   <----- Generate an ECDSA certificate request over CMPv2.
cmp-rsc                  <----- Generate an RSA certificate request over CMPv2.
est                      <----- Generate a certificate via Enrollment over Secure Transport.

 

In a VDOM setup, attempting to renew the certificate from within the root VDOM or any other VDOM will fail, because the 'default-ssl-key-certs' option is not offered there:

 

FGT-201F (root) # execute vpn certificate local generate
cmp Generate a certificate request over CMPv2.
ec Generate an elliptic curve certificate request.
rsa Generate a RSA certificate request.

 

Instead, renew the certificate in global mode, where the option is available:

 

FGT-201F (global) # execute vpn certificate local generate
cmp Generate a certificate request over CMPv2.
default-ssl-ca Generate the default CA certificate used by SSL Inspection.
default-ssl-ca-untrusted Generate the default untrusted CA certificate used by SSL Inspection.
default-ssl-key-certs Generate the default RSA, DSA and ECDSA key certs for ssl resign.
default-ssl-serv-key Generate the default server key used by SSL Inspection.
ec Generate an elliptic curve certificate request.
rsa Generate a RSA certificate request.

 

In some cases, most often in HA setups, peers are still presented with the old certificate even after renewal. In that situation, reboot the firewall as a final step so that the renewed certificates take effect.

 

The built-in 'Fortinet_Wifi' certificate is updated automatically via the FortiGuard certificate bundle.

 

Another way to renew an expired firewall built-in certificate is to upgrade the firewall firmware.

 

Note:

Ensure that the system time on the FortiGate is synchronized with the time on the computer accessing it. Otherwise, a significant time difference can trigger a time out-of-sync warning in the GUI and also cause certificates to appear expired when they are not.

Related article:
Troubleshooting Tip: Certificate expired warning on deep inspection profiles due to DigiCert