FortiManager
iyotov
Staff
Article Id 350181
Description
This article describes how to generate a new default ADOM CA certificate and private key if, for example, the original private keys have been compromised.

ADOM CA certificates are used by the Certificate Templates of the respective ADOMs for issuing local VPN certificates for the managed FortiGates.
The default ADOM CA certificates in FortiManager are named:

  • <ADOM-NAME>_CA2 (up to versions 7.2.4 and 7.4.1)
  • <ADOM-NAME>_CA3 (from version 7.2.5 or 7.4.2 onward)

Note: If FortiManager is still running an older version and is going to be upgraded to version 7.2.5 (or above) or 7.4.2 (or above), there is no need to manually recreate the ADOM CA, since a new <ADOM-NAME>_CA3 will be generated automatically during the upgrade process. For further information, see the release notes.

Scope

FortiManager.

Solution

  1. Log in to FortiManager and navigate to System Settings -> All ADOMs.

  2. Edit the ADOM where the new default CA certificate needs to be generated.

  3. Change the name of the ADOM. For example, from TEST to TEST-1.

  4. Select OK to apply the change.

    (Screenshot: recreate-ADOM-CA-steps-1-4.png)


  5. Go to Policy & Objects -> Advanced -> CA Certificates. (If the CA Certificates tab is not present, enable it via Tools -> Feature Visibility.)
    The new CA certificate TEST-1_CA3 will now have been created.

  6. Select and delete both TEST_CA3 and TEST-1_CA3.

    (Screenshot: recreate-ADOM-CA-steps-5-6.png)


  7. Repeat steps 1 to 3 and rename ADOM TEST-1 back to TEST.
    The new CA certificate TEST_CA3 will now have been created with a new private key and new serial number. The certificate's Created Time can also be used to confirm this:

    (Screenshot: recreate-ADOM-CA-steps-7.png)


Note: This solution is only applicable to custom ADOMs.
The 'root' ADOM and the other default ADOMs require a different approach.

To re-issue the device certificates after recreating the default ADOM CA, follow the process outlined in the following article:
Technical Tip: How to re-issue the VPN certificates

Regenerating the default ADOM CA certificate with the CLI command is another option if the default ADOM CA certificate has been deleted and is needed again for certificate generation. See the following article:

Troubleshooting Tip: How to re-generate default ADOM CA certificate after being deleted