FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
cmaheu
Staff
Article Id 200699
Description

This article describes the conditions under which the following message can appear in the Administration UI in later software versions:

'A FortiNAC appliance does not include certificates. This may prevent communication with Security Fabric devices, the FortiGuard servers, or the Entitlements server. Please download an updated FortiNAC license key from FortiCare and install via the License Management settings view.'

Solutions are offered.

Scope

Version: 9.2 and greater
Solution

Current functionality should not be affected. The message is presented to make users aware that the current Endpoint License key does not contain certificates that some new features and functions require. Endpoint License keys with certificates were introduced on January 1st, 2020. Older appliances may still be running on a license key that was generated prior to 2020 and does not include certificates.

The solution for missing certificates varies depending on the appliance:
 
Virtual Appliances
- Manager or Control/Application Server (FNC-M-VM or FNC-CA-VM):
  - Customers with a FortiCare account and appliance support coverage can download a new key containing certificates from the Customer Support Portal at http://support.fortinet.com.
  - Important:
    - Ensure the correct UUID and eth0 MAC address of the appliance are reflected in the product record. For details on how to obtain this information and download the new keys, see the Update Keys Due to UUID/MAC Change section in the License Upgrade Guide.
    - Select Get the License File next to FortiNAC Control/App VM Server License. Do not use the Network Sentry key file, as certificates will not be included.
    - PODs managed by a Manager: a new key file must be downloaded for each appliance whose key is missing certificates. Certificates are not distributed from the Manager.

If new license keys are downloaded from the portal and installed, the alarm may continue to display after services are restarted. It may be necessary to clear the web browser cache to prevent this.

- Separate Control and Application Servers (FNC-C-VM & FNC-A-VM):
  - FortiNAC appliance SKUs for the separate Control and Application servers reached end of order (EOO) in 2019. FortiCare cannot generate license keys containing certificates for these older products. For a listing of all EOO products, see https://support.fortinet.com/Information/ProductLifeCycle.aspx
  - Customers must contact Sales to arrange for a transition from the older appliances to the combined Control and Application VM server (FNC-CA-VM) to use the newer license keys.

 

Hardware Appliances

- Manager or Control/Application Server (FNC-M or FNC-CA):
  - Certificates are installed and shipped with the appliance. If certificates are missing from /bsc/campusMgr/.licenseKeyHW, the unit must be returned through the RMA process.
- Separate Control and Application Servers (FNC-C & FNC-A):
  - FortiNAC appliance SKUs for the separate Control and Application servers reached end of order (EOO) in 2019.
  - FortiCare cannot generate license keys containing certificates for these older products. For a listing of all EOO products, see https://support.fortinet.com/Information/ProductLifeCycle.aspx
  - Customers must contact Sales to arrange for a transition from the older appliances to the combined Control and Application Server to use the newer license keys.

Related article:
https://community.fortinet.com/t5/FortiNAC/Technical-Tip-Certificates-not-included-in-license-keys/t... 

 
