Created on 04-27-2022 10:20 PM
Edited on 11-03-2024 11:31 PM
By Anthony_E
This article describes how, by design, FortiManager installs objects that are referenced in 'Policies' or in 'Device Settings' such as 'VPN SSL Settings'. However, there are cases where FortiManager installs objects that are not used anywhere, such as FSSO polling objects, address and profile groups, and CA certificates.
FortiManager.
When installing a policy package for the first time on a FortiGate, it is normal to see FortiManager push a CA Certificate with the name of the ADOM where FortiGate is located.
In this example, 'FGT Mexico' is on ADOM 'SD'.
The install preview configuration shows a VPN certificate CA named 'SD_CA2', where 'SD' is the name of the ADOM and 'CA2' refers to a CA Certificate.
This CA Certificate can be found under Policy & Objects -> Object Configurations -> Advanced -> CA Certificates.
Why is this CA Certificate being pushed if it is not used anywhere?
The Certificate Authority (CA) certificate is installed so that FortiGate can identify whom it is communicating with (the FortiManager ADOM). Its objective is to make FGFM communication secure for FortiGate. A CA Certificate is not a normal certificate, so it is not available under 'config system central-management'. CA Certificates are normally used as a reference for a normal certificate, not as a CLI configuration in their own right.
CA Certificate looks like.
Note:
There are rare cases where the message 'This CA certificate is duplicated' appears upon installing a policy package. In those cases, the CA certificate in Policy & Objects can be removed, or a ticket can be opened with the eTAC FortiManager team to analyze further.
Related article:
Troubleshooting Tip: How to re-generate default ADOM CA certificate after being deleted