FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
msolanki
Staff
Article Id 344605
Description

This article describes what to do when a downstream device in the Security Fabric does not establish the connection with the root device because of a certificate issue.

Scope
FortiGate.
Solution

Sometimes, especially in FortiGate-VM environments (including the public cloud), the Security Fabric either breaks or is not established with the root device after an upgrade or reboot of the device. In such cases the CSFD debug logs (csfd -1) show the following error.

 

<9112-M> 400 nstd_check_certificate()-2060: The certificate CN (FortiGate) doesn't match the Serial number (FGTXXXXXXXXX) sent by 192.168.100.4:5900
<9112-M> 400 handle_connection_event_auth_plugin()-2906: SSL verification for 192.168.100.4:5900 failed.

 

This error is caused by a mismatched CN in the Fortinet_Factory certificate: the CN shows 'FortiGate' instead of the device serial number, as in the screenshot below.

 

[Screenshot: Fortinet_Factory certificate details showing CN 'FortiGate' instead of the device serial number]
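The CN/serial mismatch line quoted above is easy to miss in a long csfd debug capture. The following script, an added example that is not part of the original article, parses csfd debug output, extracts the certificate CN, the serial number and the peer from each nstd_check_certificate() mismatch line, and flags the entries whose CN is the generic 'FortiGate' string (the factory-certificate symptom this article covers). The sample debug text is constructed from the two lines quoted above plus one additional constructed line for a second hypothetical peer; the regular expression assumes the message format shown in the article.

```python
import re

# Constructed sample csfd debug output (not captured from a real device).
# The first two lines mirror the ones quoted in the article; the third is a
# constructed line for a second hypothetical peer whose CN is another serial.
SAMPLE_CSFD_DEBUG = (
    "<9112-M> 400 nstd_check_certificate()-2060: The certificate CN (FortiGate) "
    "doesn't match the Serial number (FGTXXXXXXXXX) sent by 192.168.100.4:5900\n"
    "<9112-M> 400 handle_connection_event_auth_plugin()-2906: SSL verification "
    "for 192.168.100.4:5900 failed.\n"
    "<9112-M> 400 nstd_check_certificate()-2060: The certificate CN (FGVMEXAMPLE0001) "
    "doesn't match the Serial number (FGVMEXAMPLE0002) sent by 192.168.100.5:5900\n"
)

# Matches the mismatch message format shown in the article (assumption: the
# wording is stable across the FortiOS builds you are inspecting).
CN_MISMATCH_RE = re.compile(
    r"nstd_check_certificate\(\)-\d+: The certificate CN \((?P<cn>[^)]+)\) "
    r"doesn't match the Serial number \((?P<serial>[^)]+)\) sent by "
    r"(?P<peer>\d{1,3}(?:\.\d{1,3}){3}:\d+)"
)


def parse_cn_mismatches(debug_text):
    """Return one dict per CN/serial mismatch line found in csfd debug output.

    'factory_cert_issue' is True when the CN is the generic 'FortiGate'
    string, i.e. the Fortinet_Factory certificate was never personalised
    with the serial number (the condition this article describes).
    """
    findings = []
    for line in debug_text.splitlines():
        m = CN_MISMATCH_RE.search(line)
        if not m:
            continue
        cn = m.group("cn")
        findings.append(
            {
                "cn": cn,
                "serial": m.group("serial"),
                "peer": m.group("peer"),
                "factory_cert_issue": cn.lower() == "fortigate",
            }
        )
    return findings


def affected_peers(debug_text):
    """Peers (ip:port) whose certificate still carries the generic CN."""
    return sorted(
        {f["peer"] for f in parse_cn_mismatches(debug_text) if f["factory_cert_issue"]}
    )


if __name__ == "__main__":
    for f in parse_cn_mismatches(SAMPLE_CSFD_DEBUG):
        tag = "FACTORY-CERT CN MISMATCH" if f["factory_cert_issue"] else "CN/serial mismatch"
        print(f"{tag}: peer={f['peer']} cn={f['cn']} serial={f['serial']}")
    print("peers needing license re-application:", affected_peers(SAMPLE_CSFD_DEBUG))
```

Feed it the saved output of the csfd debug session; any peer listed under "peers needing license re-application" is a candidate for the license re-application steps below, while other CN/serial mismatches point at a different cause and should be investigated separately.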

 

One of the following options should fix this issue:

 

Option 1:

 

FGTkvm50 # dia deb vm-print-license
SerialNumber: FGVMXXXXXXXX <----- Check this serial number.
CreateDate: Thu Nov 2 16:16:23 2023
Key: yes
Cert: yes
Key2: yes
Cert2: yes
Model: 04 (9)
CPU: 4
MEM: 2147483647
VDOM license:
permanent: 10
subscription: 0

 

FGkvm50 # exec vm-license FGVMXXXXXXXX <----- Replace this with the serial number obtained above; it should be FGVMXXXXXXXX.
This operation will reboot the system !
Do you want to continue? (y/n)y

 

The console should print output like this:
Requesting FortiCare license token: *******, proxy:(null)

 

The system will reboot and the license should be reapplied.

 

If Option 1 does not work:

Option 2:

Check whether the license for serial number FGVMXXXXXXXX can be downloaded from the Fortinet support portal, then upload the license file manually from the GUI of the root Fabric device under System -> FortiGuard -> Upload license file.

 

This operation will reboot the system!

 

The system will reboot and the license should be reapplied.

Related article:
Technical Tip: Uploading the FortiGate-VM license