1. Architecture Details: The architecture example used in this article is a basic hub and spoke topology with three FortiGates. Screenshots were taken on a 7.2.5 FortiManager. The 7.4.2 GUI features some differences, but the overall procedure remains the same. 

2. Implementation:

• Back up the FortiManager configuration. Go to System Settings -> Dashboard and select 'Backup'.

• Deactivate auto-retrieve: On FortiManager, open the CLI Console and set auto-update to 'disable'. This will ensure modifications are not overridden by an auto-retrieve.  

• Display new and former CA certificates: Go to Policy & Objects -> Tools and select 'Feature Visibility'. Then, under 'Advanced', check 'CA Certificates'.

Go to Policy & Objects -> Object Configurations -> Advanced -> CA Certificates. CA2 is the former CA and CA3 is the new one.

• Renew device certificates: Go to Device Manager -> Provisioning Template -> Certificate Templates -> OVERLAY-VPN-CERTIFICATE -> More and select 'Generate'. Select all required devices and select 'OK'. 

• Modify Peers and Peer Groups: Newly generated certificates do not include an ADOM name anymore (which is part of a fix for bug 796858), meaning the peer configuration must be edited. Connect to the Hub, open 'CLI Console', and gather the output of 'show user peer' and 'show user peergrp'.

Warning:

Make sure the peer list and especially peer group members are the same among all the devices. In a text editor, remove .<ADOM_Name> (.root in this example) and replace CA2 with CA3.

Return to FortiManager and go to Device manager -> Scripts > + Create New and select 'Script'. Enter a Script Name, set the Type to 'CLI Script', specify Run Script on as Device Database and paste the previously edited data, then select 'OK'.

Select the newly created script and select the 'Run Script' button. Select all required devices, move them to the right pane using the right arrow, and select 'Run Now'. A confirmation window will appear. Select OK. Once the script has successfully run, select 'Close'.

• Delete former peers (optional): Connect on the Hub, open the 'CLI Console' and gather the output of the following command:

show user peer | grep 'edit\|config\|end'

In a text editor, replace edit with delete.

Return to FortiManager and go to Device manager -> Scripts -> + Create New and select 'Script'. Enter a Script Name, set Type to 'CLI Script', specify Run Script as 'Device Database', and paste the previously edited data, then select OK.

Select the newly created script and select the Run Script button. Select all required devices, move them to the right pane using the right arrow, and select Run Now. A confirmation window will appear. Select OK. Once the script has run successfully, select 'Close'.

Warning:

The script may end with errors. This is most likely due to the peer list not being the same among all the devices (a script cannot delete something that does not exist). It is recommended to adapt the script to failed device configurations.

• Install modifications: Select Install Wizard, then select Install Device Settings (Only) and select Next. Select all of the required devices and select Next. Select Install Preview. The following should be available: The new certificate CA3 (under config vpn certificate ca), the previously generated device certificate (under config vpn certificate local), and the peer/peergrp modifications. Close the install preview and select Install.

Once the installation has been completed, select Finish.

• Enable auto-retrieve: On FortiManager, open the CLI Console and set auto-update to 'enable'.

3. Verify certificate, peer and peergrp have been successfully updated on the FortiGates. Connect to the Hub and go to System -> Feature Visibility, check 'Certificates', and select 'Apply'.

Go to System -> Certificates, open 'OVERLAY-VPN-CERTIFICATE', and verify the common name does not have the .<ADOM_Name> extension.

Open the CLI. By now, the control peer and peer group will have been successfully updated. There should be no mention of .<ADOM_Name> and CA2, especially in the peer group members list.

4. Cleaning (optional):Go to Device manager -> Scripts -> + Create New and select 'Script'. Fill in a Script Name, set the Type to 'CLI Script', set Run Script on to 'Device Database' and paste the following as the script, then select OK.

config vpn certificate ca

delete "root_CA2"

end

Select the newly created script and select the Run Script button. Select all required devices, move them to the right pane using the right arrow and select Run Now. A confirmation window will appear. Select OK. Once the script has successfully run, select Close.

Afterwards, install the modification as detailed in 2.g.

The procedure to remove CA2 from FortiManager will differ depending on the implementation and its dependencies. As a result, it is not documented in this article. Note that this has no impact.