Cannot sync VPN CA certificate from FMG to FGT [FIXED]
Don't use more than 23 characters for your ADOM name.
Ran into this and wanted to post about it, in case someone else encounters it.
The issue was that, when doing policy package installs against a FGT, the FMG would always want to install a VPN CA certificate but fail, even though the certificate would appear to be on the FGT. The failed install log would show something like:
Copy device global objects "vpn certificate ca", "CUSTOMER-ADOM-NAME-IS-HERE_Internal_CA", id=893, COMMIT FAIL - duplicate
The problem is that FMG (5.4.1) will automatically create VPN CA certificates based on the ADOM name, the maximum character length for certificates is 35 characters, and it will add "_Internal_CA" to the end of the certificate name. In this case, this was more than 35 characters so the FMG was never able to properly install the cert.
Interestingly, both FMG and the FGT showed the actual certificate name truncated to the proper length of characters, so some meta field inside FMG was being used against the FGT - not the name you would see in the FMG WebUI.
To fix this I had to:
Just renaming the ADOM didn't work - that change didn't trickle down behind the scenes to change the name FMG wanted to use for the certificate.
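Added example, not code from the original post or from Fortinet: a small Python pre-check that applies the limits described above (a 35-character certificate name limit, and FMG appending "_Internal_CA" to the ADOM name, hence a 23-character ceiling for the ADOM name) before an ADOM is created, and a triage helper that scans install-log lines of the shape quoted above for failing "vpn certificate ca" objects whose name is over the limit. The limits are taken from the post for FMG 5.4.1 and are assumed to apply to your release; the log lines in the block are constructed, and the log-line pattern is assumed from the single line quoted above.

```python
import re

# Limits as described in the post for FMG 5.4.1 (assumed to hold on your release;
# confirm against the FMG/FGT versions you actually run).
CERT_NAME_MAX = 35
INTERNAL_CA_SUFFIX = "_Internal_CA"
ADOM_NAME_MAX = CERT_NAME_MAX - len(INTERNAL_CA_SUFFIX)  # 35 - 12 = 23


def internal_ca_name(adom_name):
    """Certificate object name FMG derives from the ADOM name (per the post)."""
    return adom_name + INTERNAL_CA_SUFFIX


def check_adom_name(adom_name):
    """Pre-creation check. Returns (ok, derived_cert_name, message).

    Run this before creating an ADOM: renaming afterwards did not help the
    original poster, so the name has to be right from the start.
    """
    cert_name = internal_ca_name(adom_name)
    if len(cert_name) > CERT_NAME_MAX:
        return (
            False,
            cert_name,
            f"derived CA name is {len(cert_name)} chars (> {CERT_NAME_MAX}); "
            f"keep the ADOM name to at most {ADOM_NAME_MAX} characters",
        )
    return True, cert_name, "ok"


# Pattern assumed from the one failing line quoted in the post:
#   Copy device global objects "vpn certificate ca", "<name>", id=<n>, COMMIT FAIL - duplicate
LOG_RE = re.compile(
    r'Copy device global objects "vpn certificate ca", "(?P<name>[^"]+)", '
    r'id=(?P<id>\d+), (?P<status>.*)$'
)


def triage_install_log(lines):
    """Return findings for failing CA objects whose name exceeds the limit.

    Each finding: {"id", "name", "length", "status", "max_adom_length"}.
    Lines that do not match the pattern, or that did not fail, are ignored.
    """
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        name = m.group("name")
        status = m.group("status").strip()
        if status.startswith("COMMIT FAIL") and len(name) > CERT_NAME_MAX:
            findings.append({
                "id": int(m.group("id")),
                "name": name,
                "length": len(name),
                "status": status,
                "max_adom_length": ADOM_NAME_MAX,
            })
    return findings


# Constructed sample log lines (the first mirrors the line quoted in the post).
SAMPLE_LOG = [
    'Copy device global objects "vpn certificate ca", '
    '"CUSTOMER-ADOM-NAME-IS-HERE_Internal_CA", id=893, COMMIT FAIL - duplicate',
    'Copy device global objects "vpn certificate ca", '
    '"test_Internal_CA", id=12, COMMIT OK',
]

if __name__ == "__main__":
    for adom in ("test", "CUSTOMER-ADOM-NAME-IS-HERE"):
        ok, cert_name, msg = check_adom_name(adom)
        print(f"{adom!r}: {'OK' if ok else 'TOO LONG'} -> {cert_name} ({msg})")
    for f in triage_install_log(SAMPLE_LOG):
        print(f"id={f['id']} name={f['name']} len={f['length']}: "
              f"{f['status']}; ADOM name must be <= {f['max_adom_length']} chars")
```

The pre-check is the useful half: the triage only confirms, after a failed install, what the pre-check would have caught before the ADOM existed.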
I am facing the same problem. The ADOM name does not exceed 35 characters. The ADOM name I am using is test, still I get the same VPN certificate error when pushing a policy. Any suggestions?
Regards,
Chirag
What version of FMG are you running?
I haven't run into this issue since then (2 years ago) but the ADOM name could not be longer than 23 characters, to account for the total character length of a certificate (35 characters) when that extra stuff is added on the end.
You said the name of your ADOM is "test". Did you rename your ADOM? Renaming my ADOM did not fix it for me, I had to actually delete the ADOM and re-create from scratch with a shorter name.
Hi,
I really appreciate your prompt response. I am using FortiManager 5.4 as well as FortiGate 5.4. I have not renamed the ADOM name. I created a fresh ADOM named "test" (without quotes), still the issue persists. I tried with/without ADOMs, still the same issue. Kindly advise further.
Regards,
Chirag
Hi,
I tried it on a physical FortiGate unit, and it works just fine. It looks like there is some issue while adding a FortiGate VM. I don't know why the certificate error occurs when I push a policy from FortiManager to FortiGateVM.
Errors:
"Input is not a valid CA certificate.
F565 (root_CA2) $ set range global F565 (root_CA2) $ next The field ca is empty!"
I tried the default hostname of FortiGate as well as a short one "F565". This is version 5.6.5. Same issue with 5.4.2 version.
Regards,
Chirag
I have the same issue, only with version 6.02.
Start installing FW-RZB-01 $ config vpn certificate ca FW-RZB-01 (ca) $ edit "AVR10_CA2" FW-RZB-01 (AVR10_CA2) $ set ca "-----BEGIN CERTIFICATE----- FW-RZB-01 (AVR10_CA2) $ MIIDADCCAeigAwIBAgIgNkI2NkQwMDlCMDMyNDQyRkU0NkE2QjMyRTQ1MTUwQ0Iw <<
>>> FW-RZB-01 (AVR10_CA2) $ DG5W6w== FW-RZB-01 (AVR10_CA2) $ -----END CERTIFICATE-----" Input is not a valid CA certificate. FW-RZB-01 (AVR10_CA2) $ set range global FW-RZB-01 (AVR10_CA2) $ next The field ca is empty! node_check_object fail! for ca Attribute 'ca' MUST be set. Command fail. Return code 1 FW-RZB-01 (ca) $ end
install and save finished status=FAILED
Regards
Peter
Any version in a VM that worked for you? I tried many versions and I am facing the same issue. When I tried version 6, I was not even able to add a FortiGate device. I asked one of Fortinet trainers and he said he never got into such issues. Not sure why I am able to recreate the problem and others are not able to.
Team,
Please help.
Regards,
Chirag Rao
Having the same issue. Has anyone solved it? I am able to add the cert to the firewall directly, but cannot add it through FortiManager.
s66jones wrote: Having the same issue. Has anyone solved it? I am able to add the cert to the firewall directly, but cannot add it through FortiManager.
Hi, did you install the cert into the FGT KVM or a physical unit instead?
I'm not able to install to a KVM FortiGate. Some workaround?
I have the same issue when trying to install a policy package and device settings to FGT from FMG. FMG created a root_CA2 but in an invalid format. How can I fix the issue?