- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Cannot sync VPN CA certificate from FMG to FGT [FI...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Cannot sync VPN CA certificate from FMG to FGT [FIXED]
Don't use more than 23 characters for your ADOM name.
Ran into this and wanted to post about it, in case someone else encounters it.
Issue was that doing policy package installs against a FGT the FMG would always want to install a VPN CA certificate, but fail. Even though the certificate would appear to be on the FGT. The failed install log would show something like:
Copy device global objects "vpn certificate ca", "CUSTOMER-ADOM-NAME-IS-HERE_Internal_CA", id=893, COMMIT FAIL - duplicate
The problem is that FMG (5.4.1) will automatically create VPN CA certificates based on the ADOM name, the maximum character length for certificates is 35 characters, and it will add "_Internal_CA" to the end of the certificate name. In this case, this was more than 35 characters so the FMG was never able to properly install the cert.
Interesting, both FMG and the FGT showed the actual certificate name was truncated to be the proper length of characters, so some meta field inside FMG was being used against the FGT - not the name you would see in the FMG WebUI.
To fix this I had to:
[ol]
Just renaming the ADOM didn't work - that change didn't trickle down behind the scenes to change the name FMG wanted to use for the certificate.
- « Previous
-
- 1
- 2
- Next »
12 REPLIES 12
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@montoro - I ran into a similar issue in my lab... In my case the root_CA2 certificate was not being used or referenced anywhere. To resolve the problem I added CA Certificates to view (not enabled by default) and deleted the root_CA2 certificate.
(Policy & Objects > Object Configurations > Tools > Display Options > Advanced > CA Certificates)
[image][/image]
Go back to Device Manager and re-synchronize device settings from the problem FortiGate(s). Once the config status is synchronized you can push the policy package to your FortiGate(s) and you should notice the root_CA2 certificate is no longer being pushed to your devices.
*To manually synchronize the device configuration in the GUI you can open the problematic device > Open Revision History > and select Retrieve Config
[image][/image]
Hope that helps you.
#GNS3 #KVM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Copy device global objects
Post vdom failed: error vpn certificate ca - root_CA2 :-2 - This CA certificate is duplicated.
Basically every FGT has pre-installed Fortinet-Root-CA, So when you manage the FGT from FMG, manager also trying to push the same root CA again as per its global objects settings, which is not needed hence disable the same from FMG so that it does not make any such duplicate attempt to install the same root CA-
Policy & Objects -- > Object Configuration -- > CLI only objects -- > vpn --> certificate --> ca --> select and delete root_CA2
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I found out where is the problem!
The problem is that you can't see these certificates until you select that you would like to see them in FortiManager:
- Double click your device in FortiManager
- Disply Options
- Under System - select Certificates (you have to choose Customize)
- Now you can choose Certificates in the menu
- Just delete Root2_CA certificate
...and now you can deploy!
- « Previous
-
- 1
- 2
- Next »
Related Posts
- free vpn client certificate problems 123 Views
- Issues with activating proxy mode in... 81 Views
- LDAPS issue, 'Can't contact LDAP server' 341 Views
- Removing VLAN and VLAN switch 103 Views
- Two different websites (domains) on two... 107 Views
Labels
-
FortiGate
6,531 -
FortiClient
1,303 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
414 -
5.6
362 -
FortiSwitch
333 -
FortiAP
333 -
FortiClient EMS
263 -
6.2
251 -
FortiMail
242 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
150 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiSIEM
88 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
60 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
24 -
FortiConnect
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
19 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiAuthenticator
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
LDAP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Security profile
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.