Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
ergotherego
Contributor II

Cannot sync VPN CA certificate from FMG to FGT [FIXED]

Don't use more than 23 characters for your ADOM name.

 

Ran into this and wanted to post about it, in case someone else encounters it.

 

Issue was that doing policy package installs against a FGT the FMG would always want to install a VPN CA certificate, but fail. Even though the certificate would appear to be on the FGT. The failed install log would show something like:

 

Copy device global objects "vpn certificate ca", "CUSTOMER-ADOM-NAME-IS-HERE_Internal_CA", id=893, COMMIT FAIL - duplicate

 

The problem is that FMG (5.4.1) will automatically create VPN CA certificates based on the ADOM name, the maximum character length for certificates is 35 characters, and it will add "_Internal_CA" to the end of the certificate name. In this case, this was more than 35 characters so the FMG was never able to properly install the cert.

 

Interesting, both FMG and the FGT showed the actual certificate name was truncated to be the proper length of characters, so some meta field inside FMG was being used against the FGT - not the name you would see in the FMG WebUI.

 

To fix this I had to:

 

[ol]
  • Purge the ADOM. Delete the device and policy package
  • Re-create the ADOM using a shorter name (23 characters or less)
  • Re-add device and re-import the policy[/ol]

    Just renaming the ADOM didn't work - that change didn't trickle down behind the scenes to change the name FMG wanted to use for the certificate.

  • 12 REPLIES 12
    netw0rkn1nja

    @montoro - I ran into a similar issue in my lab... In my case the root_CA2 certificate was not being used or referenced anywhere.  To resolve the problem I added CA Certificates to view (not enabled by default) and deleted the root_CA2 certificate. 

     

    (Policy & Objects > Object Configurations > Tools > Display Options > Advanced > CA Certificates)

    [image][/image]

     

    Go back to Device Manager and re-synchronize device settings from the problem FortiGate(s). Once the config status is synchronized you can push the policy package to your FortiGate(s) and you should notice the root_CA2 certificate is no longer being pushed to your devices.

     

    *To manually synchronize the device configuration in the GUI you can open the problematic device > Open Revision History > and select Retrieve Config

    [image][/image]

     

    Hope that helps you.

    #GNS3 #KVM

    mgar
    New Contributor II

    Copy device global objects

    Post vdom failed: error vpn certificate ca - root_CA2 :-2 - This CA certificate is duplicated.

     

    Basically every FGT has pre-installed Fortinet-Root-CA, So when you manage the FGT from FMG, manager also trying to push the same root CA again as per its global objects settings, which is not needed hence disable the same from FMG so that it does not make any such duplicate attempt to install the same root CA-

     

    Policy & Objects -- > Object Configuration -- > CLI only objects -- > vpn --> certificate --> ca --> select and delete root_CA2

     

    MT13
    New Contributor

    Hi,

     

    I found out where is the problem! 

    The problem is that you can't see these certificates until you select that you would like to see them in FortiManager:

    - Double click your device in FortiManager

    - Disply Options

    - Under System - select Certificates (you have to choose Customize)

    - Now you can choose Certificates in the menu

    - Just delete Root2_CA certificate

    ...and now you can deploy!

     

     

    Announcements

    Select Forum Responses to become Knowledge Articles!

    Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

    Labels
    Top Kudoed Authors