Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
ergotherego
Contributor II

Cannot sync VPN CA certificate from FMG to FGT [FIXED]

Don't use more than 23 characters for your ADOM name.

 

Ran into this and wanted to post about it, in case someone else encounters it.

 

Issue was that doing policy package installs against a FGT the FMG would always want to install a VPN CA certificate, but fail. Even though the certificate would appear to be on the FGT. The failed install log would show something like:

 

Copy device global objects "vpn certificate ca", "CUSTOMER-ADOM-NAME-IS-HERE_Internal_CA", id=893, COMMIT FAIL - duplicate

 

The problem is that FMG (5.4.1) will automatically create VPN CA certificates based on the ADOM name, the maximum character length for certificates is 35 characters, and it will add "_Internal_CA" to the end of the certificate name. In this case, this was more than 35 characters so the FMG was never able to properly install the cert.

 

Interesting, both FMG and the FGT showed the actual certificate name was truncated to be the proper length of characters, so some meta field inside FMG was being used against the FGT - not the name you would see in the FMG WebUI.

 

To fix this I had to:

 

[ol]
  • Purge the ADOM. Delete the device and policy package
  • Re-create the ADOM using a shorter name (23 characters or less)
  • Re-add device and re-import the policy[/ol]

    Just renaming the ADOM didn't work - that change didn't trickle down behind the scenes to change the name FMG wanted to use for the certificate.

  • 12 REPLIES 12
    chirag_rao
    New Contributor

    I am facing the same problem. The ADOM name does not exceed 35 characters. The ADOM name I am using is test, still I get the same VPN certificate error when pushing a policy. Any suggestions?

     

    Regards,

    Chirag

    ergotherego

    What version of FMG are you running?

     

    I haven't run into this issue since then (2 years ago) but the ADOM name could not be longer than 23 characters, to account for the total character length of a certificate (35 characters) when that extra stuff is added on the end.

     

    You said the name of your ADOM is "test". Did you rename your ADOM? Renaming my ADOM did not fix it for me, I had to actually delete the ADOM and re-create from scratch with a shorter name.

    chirag_rao

    Hi,

     

    I really appreciate your prompt response. I am using FortiManager 5.4 as well as FortiGate 5.4. I have not renamed the ADOM name. I created a fresh ADOM named "test" (without quotes), still the issue persists. I tried with/without ADOMs, still the same issue. Kindly advise further.

     

    Regards,

     

    Chirag

    chirag_rao

    Hi,

     

    I tried it on a physical FortiGate unit, and it works just fine. It looks like there is some issue while adding a FortiGate VM. I don't know why the certificate error occurs when I push a policy from FortiManager to FortiGateVM.

     

    Errors: 

    "Input is not a valid CA certificate. 

    F565 (root_CA2) $ set range global F565 (root_CA2) $ next The field ca is empty!"

     

    I tried the default hostname of FortiGate as well as a short one "F565". This is version 5.6.5. Same issue with 5.4.2 version.

     

    Regards,

    Chirag

     

    Peter_Hagenaars

    I have the same issue only with version 6.02

     

    Start installing FW-RZB-01 $ config vpn certificate ca FW-RZB-01 (ca) $ edit "AVR10_CA2" FW-RZB-01 (AVR10_CA2) $ set ca "-----BEGIN CERTIFICATE----- FW-RZB-01 (AVR10_CA2) $ MIIDADCCAeigAwIBAgIgNkI2NkQwMDlCMDMyNDQyRkU0NkE2QjMyRTQ1MTUwQ0Iw <<

    >>> FW-RZB-01 (AVR10_CA2) $ DG5W6w== FW-RZB-01 (AVR10_CA2) $ -----END CERTIFICATE-----" Input is not a valid CA certificate. FW-RZB-01 (AVR10_CA2) $ set range global FW-RZB-01 (AVR10_CA2) $ next The field ca is empty! node_check_object fail! for ca Attribute 'ca' MUST be set. Command fail. Return code 1 FW-RZB-01 (ca) $ end

    install and save finished status=FAILED

    Regards

     

    Peter

    Regards Peter
    chirag_rao

    Any version in a VM that worked for you? I tried many versions and I am facing the same issue. When I tried version 6, I was not even able to add a FortiGate device. I asked one of Fortinet trainers and he said he never got into such issues. Not sure why I am able to recreate the problem and others are not able to.

     

    Team,

     

    Please help.

     

    Regards,

    Chirag Rao

    s66jones

    Having the same issue. Has anyone solved? I am able to add the cert to the firewall directly, but cannot add it through FortiManager.

    amelguizo

    s66jones wrote:

    Having the same issue. Has anyone solved? I am able to add the cert to the firewall directly, but cannot add it through FortiManager.

    Hi, did you install the cert into the FTG KVM or physical unit instead ?

    I'm not able to install to KVM fortigate. SOme workaround ?

     

     

     

    montoro

    I have the same issue when trying to install policy package and device settings to FGT from FMG. FMGT created a root_CA2 but invalid format. How can I fix the issue?

    Announcements

    Select Forum Responses to become Knowledge Articles!

    Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

    Labels
    Top Kudoed Authors