Description
This article describes how to renew a certificate that expired on FortiGate.
Scope
FortiGate.
Solution
This article refers to expired certificates signed by the FortiGate itself, not by remote CAs. For information on updating expired local certificates signed by remote CAs, see Technical Tip: How to update a local certificate installed on a FortiGate without generating a new C....
When the certificate has expired, admins may have trouble logging into the FortiGate GUI, as many browsers do not accept expired certificates.
Note:
When using a certificate for the FortiOS administrative GUI, the most common certificate warnings are not because the certificate is expired, but rather because the certificate is for a domain name the browser is not trying to reach, or because the self-signed certificate is not trusted by the endpoint's certificate store. To resolve these errors, see the article Technical Tip: GUI Untrusted HTTPS server certificate.
To identify which certificate has expired, run the following command in the FortiGate CLI (if the firewall has VDOMs, run this command in the root (management) VDOM):
get vpn certificate local details
The validity period in the output shows which certificate has expired. If a built-in certificate has expired on the FortiGate, as in the example below:
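Checking validity dates by eye across many certificates is error-prone, so the script below (an added example, not part of this article or of FortiOS) parses saved text from 'get vpn certificate local details' and buckets each certificate as expired, expiring within a warning window, or valid. The field layout ('== [ name ]' headers and 'Valid from:' / 'Valid to:' lines) and the sample output are assumptions constructed for the example; adjust the regular expressions if your firmware prints the fields differently. The reference time is passed in explicitly, which also makes the point from the note on system time: a clock that is wrong on either side changes the result.

```python
"""Flag expired or soon-to-expire FortiGate local certificates.

Added example, not from the Fortinet article. It parses the text of
'get vpn certificate local details' (field layout below is an assumption
based on typical FortiOS output) and reports which certificates are
expired, expiring within a warning window, or still valid.
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone

# Constructed sample output (not captured from a real device).
SAMPLE_OUTPUT = """\
== [ Fortinet_CA_SSL ]
Name: Fortinet_CA_SSL
Subject: C = US, ST = California, L = Sunnyvale, O = Fortinet, CN = FGT-EXAMPLE
Issuer: C = US, ST = California, L = Sunnyvale, O = Fortinet, CN = FGT-EXAMPLE
Valid from: 2015-03-01 00:00:00 GMT
Valid to: 2025-02-28 23:59:59 GMT

== [ Fortinet_SSL ]
Name: Fortinet_SSL
Subject: C = US, O = Fortinet, CN = FGT-EXAMPLE
Issuer: C = US, O = Fortinet, CN = FGT-EXAMPLE
Valid from: 2024-06-01 00:00:00 GMT
Valid to: 2025-06-20 00:00:00 GMT

== [ Fortinet_Factory ]
Name: Fortinet_Factory
Subject: C = US, O = Fortinet, CN = FGT-PLACEHOLDER-SERIAL
Issuer: C = US, O = Fortinet, CN = support
Valid from: 2020-01-01 00:00:00 GMT
Valid to: 2056-01-01 00:00:00 GMT
"""

# Reference "now" for the demo, constructed so the sample gives one cert per bucket.
REFERENCE_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)

# Header line that starts each certificate block (assumed layout).
_NAME_RE = re.compile(r"^== \[ (?P<name>[^\]]+?) \] *$", re.M)
_DATE_RE = r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)"
_DATE_FMT = "%Y-%m-%d %H:%M:%S"


def _parse_date(value: str) -> datetime:
    """FortiOS prints validity in GMT; treat it as UTC-aware."""
    return datetime.strptime(value, _DATE_FMT).replace(tzinfo=timezone.utc)


def parse_certificates(text: str) -> dict[str, tuple[datetime, datetime]]:
    """Return {cert_name: (valid_from, valid_to)} for every block with both dates."""
    certs: dict[str, tuple[datetime, datetime]] = {}
    # re.split with one capturing group yields [pre, name1, body1, name2, body2, ...].
    parts = _NAME_RE.split(text)
    for name, body in zip(parts[1::2], parts[2::2]):
        m_from = re.search(r"^Valid from:\s*" + _DATE_RE, body, re.M)
        m_to = re.search(r"^Valid to:\s*" + _DATE_RE, body, re.M)
        if not (m_from and m_to):
            continue  # block without a full validity period: nothing to judge
        certs[name] = (_parse_date(m_from.group(1)), _parse_date(m_to.group(1)))
    return certs


def classify(certs: dict[str, tuple[datetime, datetime]],
             now: datetime | None = None,
             warn_days: int = 30) -> dict[str, list[str]]:
    """Bucket certificates by expiry relative to 'now' (defaults to the real clock)."""
    now = now or datetime.now(timezone.utc)
    result: dict[str, list[str]] = {"expired": [], "expiring": [], "valid": []}
    for name, (_valid_from, valid_to) in sorted(certs.items()):
        if valid_to < now:
            result["expired"].append(name)
        elif valid_to - now <= timedelta(days=warn_days):
            result["expiring"].append(name)
        else:
            result["valid"].append(name)
    return result


def demo() -> dict[str, list[str]]:
    """Run the parser and classifier over the constructed sample at REFERENCE_NOW."""
    return classify(parse_certificates(SAMPLE_OUTPUT), now=REFERENCE_NOW)


if __name__ == "__main__":
    for bucket, names in demo().items():
        print(f"{bucket:9s}: {', '.join(names) or '-'}")
```

Run it against a file saved from the CLI by reading the file into `parse_certificates` instead of `SAMPLE_OUTPUT`; anything in the 'expired' bucket is a candidate for the regeneration commands that follow, and the 'expiring' bucket gives the lead time to schedule them.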
To renew an expired built-in certificate, run the following command in the FortiGate CLI:
execute vpn certificate local generate default-ssl-key-certs
A prompt asks for confirmation before the default certificates are regenerated:
Are you sure to re-generate the default RSA, DSA, ECDSA and EdDSA key certs for ssl resign?
Do you want to continue? (y/n)y
The above command renews all the default SSL certificates except 'Fortinet_SSL', which can be renewed with the following command:
execute vpn certificate local generate default-ssl-serv-key
After confirmation, the certificate status shows as Valid.
The same command can also be used to renew other certificates:
execute vpn certificate local generate ?
cmp <----- Generate a certificate request over CMPv2.
default-ssl-ca  <----- Generate the default CA certificate used by SSL Inspection.
default-ssl-ca-untrusted <----- Generate the default untrusted CA certificate used by SSL Inspection.
default-ssl-key-certs <----- Generate the default RSA, DSA, and ECDSA key certs for 'ssl resign'.
default-ssl-serv-key <----- Generate the default server key used by SSL Inspection.
ec <----- Generate an elliptic curve certificate request.
rsa  <----- Generate an RSA certificate request.
From v7.2.0, a new default certificate is used for HTTPS administrative access. To renew it:
default-gui-mgmt-cert <----- Generate the default GUI mgmt admin-server certificate.
In v7.6.0, additional certificate options are available:
cmp-ec         <----- Generate an ECDSA certificate request over CMPv2. 
cmp-rsc        <----- Generate an RSA certificate request over CMPv2.
est            <----- Generate a certificate via Enrollment over Secure Transport.
In a VDOM setup, renewing the certificate from the root or any other VDOM fails, because the 'default-ssl-key-certs' option is not available there:
FGT-201F (root) # execute vpn certificate local generate 
cmp Generate a certificate request over CMPv2.
ec Generate an elliptic curve certificate request.
rsa Generate a RSA certificate request.
Renew the certificate in global mode instead:
FGT-201F (global) # execute vpn certificate local generate 
cmp Generate a certificate request over CMPv2.
default-ssl-ca Generate the default CA certificate used by SSL Inspection.
default-ssl-ca-untrusted Generate the default untrusted CA certificate used by SSL Inspection.
default-ssl-key-certs Generate the default RSA, DSA and ECDSA key certs for ssl resign.
default-ssl-serv-key Generate the default server key used by SSL Inspection.
ec Generate an elliptic curve certificate request.
rsa Generate a RSA certificate request.
In some cases, particularly in HA setups, the renewed certificate is still not presented to peers after regeneration. In such cases, as a last step, reboot the firewall so that the renewed certificates take effect.
The built-in 'Fortinet_Wifi' certificate is updated automatically via the FortiGuard certificate bundle.
Another way to renew an expired built-in firewall certificate is to upgrade the firewall firmware.
Note:
Ensure that the system time on the FortiGate is synchronized with the time on the computer accessing it. Otherwise, a significant time difference can trigger a time-out-of-sync warning in the GUI and cause certificates to appear expired as well.
Related documents:
Troubleshooting Tip: Certificate expired warning on deep inspection profiles due to DigiCert 
Regenerate default certificates - FortiGate administration guide
Copyright 2025 Fortinet, Inc. All Rights Reserved.