FortiGate
Serxhio
Staff
Article Id 425822
Description This article describes several problems that may arise when re-licensing a FortiGate-VM HA cluster and how to resolve them.
Scope FortiGate-VM, FortiOS 7.x.
Solution

When re-licensing a FortiGate-VM HA cluster the following issues might be observed: 

  • HA Synchronization Failure: The HA cluster is out-of-sync, and new configurations do not synchronize between units. Manual configuration changes on each unit, including checksum recalculation, do not resolve the issue.
  • Invalid Fortinet_Factory Certificate: The self-signed Fortinet_Factory certificate becomes invalid, preventing connection to FortiGuard servers. Logs show errors such as: 'Certificate is invalid, subject: /C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=fortinet-subca2001/emailAddress=support@fortinet.com'

The problems stem from activating the licenses one unit at a time in an HA cluster: each activation regenerates that unit's certificates, and the HA synchronization that follows overwrites them:

  1. Upload and activate a new license on the primary unit (Unit-A).
  2. Unit-A reboots, and the secondary unit (Unit-B) becomes the new primary.
  3. Unit-A comes back up with the new license active, regenerates its self-signed certificates with the new SN, and rejoins the HA cluster as the secondary. Note that a FortiGate-VM license file is tied to a specific SN, so uploading it replaces the VM's current SN.
  4. Unit-A synchronizes configuration and certificates from Unit-B, which still holds certificates tied to the old SN.
  5. Unit-A's newly regenerated certificates are overwritten with the old ones from Unit-B.
  6. The same happens for Unit-B: upload the second license, reboot, regenerate certificates, rejoin as secondary, and sync from Unit-A (now primary, and already carrying the old certificates).
  7. Both units end up with certificates containing the old SN, even though each now has a different, new SN after license activation.

This results in invalid certificates, failed FortiGuard connections, and persistent HA sync issues.

To avoid certificate mismatches and ensure proper HA synchronization during license activation, use one of the following options:

Option 1: Simultaneous license upload.

  • Upload and activate new licenses on both units simultaneously.
  • Both units will reboot and regenerate certificates independently.
  • This prevents synchronization of outdated certificates but requires coordinated timing to minimize downtime.

Option 2: Enable HA override with priority.

Configure HA settings to enable 'override' and set a higher priority on the unit that receives the license first. This ensures that unit becomes primary again as soon as it rejoins, so its regenerated certificates are pushed to the secondary rather than the secondary's old certificates being synchronized back onto it.

On the primary unit (Unit-A, the one receiving the license first):

config system ha
    set override enable
    set priority 200
end

On the secondary unit (Unit-B):

config system ha
    set override enable
    set priority 100
end

Proceed with the license upload on Unit-A first, then on Unit-B once the cluster has stabilized. After activation, verify the HA sync status, the validity of the Fortinet_Factory certificate, and FortiGuard connectivity on both units.
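The following Python script is an added example for the verification step above (and for the two symptoms listed at the start of this article); it is not part of the original article or of Fortinet's tooling. It parses offline copies of `get system status` output and `diagnose sys ha checksum cluster` output for both members, plus the Subject line of each member's Fortinet_Factory certificate as copied from the certificate details, and reports (a) any certificate whose CN is a serial number that no longer belongs to any cluster member, which is the 'old SN' condition described above, and (b) whether the members' 'all' checksums agree. It assumes that the Fortinet_Factory subject CN is the serial number the certificate was generated for; the sample outputs are constructed, with a deliberately stale CN and mismatched checksums.

```python
import re

# ---- Constructed sample CLI output (not captured from a real device) ----
STATUS_A = """Version: FortiGate-VM64 v7.4.4,build2662,240514 (GA.F)
Serial-Number: FGVM02TM24000111
License Status: Valid
Current HA mode: a-p, secondary
"""
STATUS_B = STATUS_A.replace("FGVM02TM24000111", "FGVM02TM24000222").replace("secondary", "primary")

# Assumption: the Fortinet_Factory subject CN is the SN the certificate was
# generated for. Both members still carry a pre-relicense SN here.
CERT_A = ("Subject: C = US, ST = California, L = Sunnyvale, O = Fortinet, "
          "OU = FortiGate, CN = FGVM02TM23000999, emailAddress = support@fortinet.com")
CERT_B = CERT_A

# Constructed `diagnose sys ha checksum cluster` output: the 'debugzone' block
# must be skipped, and the two members' 'all' checksums deliberately differ.
MEMBER_BLOCK = """\
================== {sn} ==================

is_manage_primary()={p}, is_root_primary()={p}

debugzone
global: 1a 2b 3c 4d 5e 6f 70 81
root: 11 22 33 44 55 66 77 88
all: 99 aa bb cc dd ee ff 00

checksum
global: 1a 2b 3c 4d 5e 6f 70 81
root: 11 22 33 44 55 66 77 88
all: {all}

"""
CHECKSUM_CLUSTER = (
    MEMBER_BLOCK.format(sn="FGVM02TM24000111", p=0, all="aa bb cc dd ee ff 00 11")
    + MEMBER_BLOCK.format(sn="FGVM02TM24000222", p=1, all="0f 1e 2d 3c 4b 5a 69 78")
)

HEADER = re.compile(r"^=+\s*(\S+)\s*=+\s*$", re.M)


def parse_serial(status_output: str) -> str:
    """Serial-Number line from `get system status`."""
    m = re.search(r"^Serial-Number:\s*(\S+)", status_output, re.M)
    if not m:
        raise ValueError("no Serial-Number line found")
    return m.group(1)


def parse_cert_cn(subject: str) -> str:
    """CN from a subject in either 'CN = X, ...' or '/CN=X/...' form
    (the slash form is what the 'Certificate is invalid' log line uses)."""
    m = re.search(r"\bCN\s*=\s*([^,/\n]+)", subject)
    if not m:
        raise ValueError("no CN in certificate subject")
    return m.group(1).strip()


def parse_cluster_checksums(output: str) -> dict:
    """Map member SN -> 'all' checksum taken from the 'checksum' section of
    `diagnose sys ha checksum cluster`, ignoring the 'debugzone' section."""
    parts = HEADER.split(output)  # ['', sn1, body1, sn2, body2, ...]
    result = {}
    for sn, body in zip(parts[1::2], parts[2::2]):
        sections = re.split(r"^checksum\s*$", body, maxsplit=1, flags=re.M)
        if len(sections) != 2:
            raise ValueError(f"no checksum section for {sn}")
        m = re.search(r"^all:\s*(.+?)\s*$", sections[1], re.M)
        if not m:
            raise ValueError(f"no 'all' checksum for {sn}")
        result[sn] = m.group(1)
    return result


def audit(members, checksum_output: str) -> dict:
    """members: list of (get-system-status output, Fortinet_Factory subject)."""
    cert_by_sn = {parse_serial(st): parse_cert_cn(subj) for st, subj in members}
    checksums = parse_cluster_checksums(checksum_output)
    return {
        "cert_by_sn": cert_by_sn,
        # A CN matching no current member SN is the 'old SN' certificate
        # left behind by the sequential re-licensing sequence.
        "stale_cert_sns": {cn for cn in cert_by_sn.values() if cn not in cert_by_sn},
        "in_sync": len(set(checksums.values())) == 1,
        # Members seen in `get system status` but absent from the cluster checksum.
        "missing_from_cluster": set(cert_by_sn) - set(checksums),
    }


if __name__ == "__main__":
    findings = audit([(STATUS_A, CERT_A), (STATUS_B, CERT_B)], CHECKSUM_CLUSTER)
    for sn, cn in findings["cert_by_sn"].items():
        print(f"{sn}: Fortinet_Factory CN={cn}")
    print("stale certificate SNs:", findings["stale_cert_sns"] or "none")
    print("HA in sync:", findings["in_sync"])
```

Run it against real captures by replacing the constructed strings with the pasted CLI output; a non-empty 'stale certificate SNs' result together with 'HA in sync: False' is exactly the state the sequential re-licensing sequence leaves behind, and both should be clean after using one of the options in this article.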

Option 3: Enable HA override with override-wait-time.

On Unit-A:

config system ha
    set override enable
    set override-wait-time 10
end

After Unit-A reboots, the cluster members exchange the primary role: Unit-A takes the primary role back and keeps it until the override-wait-time period expires, so its newly regenerated certificates are not overwritten by the old ones from Unit-B.
