FortiGate GUI won't use new SSL certificate
I have generated new SSL certificates for the FortiGate firewall and trusted the new CA. But it appears that FortiGate is still using the old SSL GUI certificate.
I followed this document for regeneration:
https://docs.fortinet.com/document/fortigate/7.2.8/administration-guide/663527
# execute vpn certificate local generate default-gui-mgmt-cert
# execute vpn certificate local generate default-ssl-ca
# execute vpn certificate local generate default-ssl-ca-untrusted
# execute vpn certificate local generate default-ssl-key-certs
# execute vpn certificate local generate default-ssl-serv-key
My hardware is a FortiGate-60F, firmware version 7.2.8.
The old certificate is not expired, but I don't trust the old CA anymore. After switching to the new CA and installing the new CA on my Mac, FortiGate is still presenting the old certificate when I try to log in to the admin console via the GUI.
Inspecting the Certificate page, I only see the new certificates, but SOMEHOW FortiGate is presenting the old certificate, which shows up as a big red flag on my Mac, and I have to agree to trust the certificate of the old untrustworthy CA.
Is this a cache problem or something?
Labels: FortiGate, SSL SSH inspection
OK, I solved the problem:
Step 1:
I exported the system configuration to a yaml file, then reset FortiGate to factory, then imported the yaml configuration back. This is a fresh install with previous config so to speak.
Step 2:
I created a new certificate and set it to "System -> Settings -> HTTPS server certificate".
After some time, I switched "System -> Settings -> HTTPS server certificate" back to the Fortinet_GUI_Server.
Now FortiGate is using the regenerated Fortinet_GUI_Server certificate.
Checking the Admin GUI certificate again, green checkmark "this certificate is valid".
Probably Step 2 is sufficient; hope it helps.
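A practical way to tell whether the firewall itself is still serving the old certificate (as in the question) or the regenerated Fortinet_GUI_Server certificate is now active (as after the steps above), without relying on the browser's trust prompt, is to pull the leaf certificate directly off the admin port and compare its SHA-256 fingerprint to the one shown on the Certificate page. The script below is an added example and is not part of this thread or of any Fortinet tooling; the host address, port, expected fingerprint and CA file name are placeholders you would replace with your own values. It uses only the Python standard library.

```python
import hashlib
import socket
import ssl

# Constructed placeholders (hypothetical, not taken from the thread): the admin
# address of the firewall, and the SHA-256 fingerprint the Certificate page shows
# for the regenerated Fortinet_GUI_Server certificate.
FORTIGATE_HOST = "192.0.2.1"
FORTIGATE_PORT = 443
EXPECTED_FINGERPRINT = "<sha256 fingerprint of the regenerated Fortinet_GUI_Server cert>"
NEW_CA_FILE = "new-fortigate-ca.pem"  # the new CA you installed on the Mac (placeholder name)


def sha256_fingerprint(der_cert: bytes) -> str:
    """Colon-separated uppercase SHA-256 fingerprint, the form browsers and the GUI display."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(fpr: str) -> str:
    """Drop separators and case so fingerprints copied from different UIs compare equal."""
    return "".join(ch for ch in fpr.upper() if ch in "0123456789ABCDEF")


def fetch_presented_cert(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Return the DER leaf certificate the server actually presents.

    Verification is deliberately off: the goal is to observe what the device
    sends right now, independent of any client-side trust store or cache.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def verify_against_ca(host: str, port: int, ca_file: str, timeout: float = 5.0) -> str:
    """Do a fully verified handshake trusting only ca_file.

    Returns an empty string on success, otherwise the verification error text.
    """
    ctx = ssl.create_default_context(cafile=ca_file)  # only the given CA, not the system store
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return ""
    except ssl.SSLError as exc:
        return str(exc)


def classify(presented_der: bytes, expected_fpr: str) -> str:
    """Decide whether the device serves the expected certificate or still the old one."""
    presented = normalize_fingerprint(sha256_fingerprint(presented_der))
    if presented == normalize_fingerprint(expected_fpr):
        return "device presents the expected certificate; any warning left is client-side caching"
    return "device is still presenting a different certificate; the regenerated one is not active"


if __name__ == "__main__":
    der = fetch_presented_cert(FORTIGATE_HOST, FORTIGATE_PORT)
    print("presented:", sha256_fingerprint(der))
    print(classify(der, EXPECTED_FINGERPRINT))
    err = verify_against_ca(FORTIGATE_HOST, FORTIGATE_PORT, NEW_CA_FILE)
    print("chains to the new CA" if not err else "verification failed: " + err)
```

Run it once before the switch-and-switch-back procedure and once after: if the presented fingerprint changes to the expected value and `verify_against_ca` returns no error, the firewall is serving the regenerated certificate and anything the browser still complains about is local. If the fingerprint does not change, the device has not activated the new certificate and the steps above still need to be applied.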
Step two works by itself.
You just have to let it sit on the "new" certificate for a while before switching back to the "Fortinet_GUI_Server" one.
Not sure why, but overnight seems to be the right amount of time.
