FortiOS 5.2.3 Certificate Problems
Hi All
Since upgrading our FortiGate 100D to 5.2.3 we can no longer view the certificate page under "System > Certificates"; the page is simply blank. I've tried disabling and enabling the certificate feature, but still nothing.
Could anyone point me in the right direction?
Please see attached image
Can you still see the certificates under the relevant section from the CLI? For instance, for certificates you could view before under System > Certificates > Local, do they appear if you enter:
config vpn certificate local
show
Regards, Chris McMullan Fortinet Ottawa
Christopher McMullan_FTNT wrote: Can you still see the certificates under the relevant section from the CLI? For instance, for certificates you could view before under System > Certificates > Local, do they appear if you enter:
config vpn certificate local
show
Hi Chris
Thanks for the reply... Yes, I can view the certificates from the console when issuing the commands you've listed above.
Just out of curiosity, what upgrade path did you follow? What previous OS version was running on the FortiGate?
Can you select one of the missing certificates for SSLVPN connections (server authentication) or for deep inspection?
If you're sure you followed the correct upgrade path, I would open a ticket with Fortinet TAC.
Regards, Chris McMullan Fortinet Ottawa
Hi
For verification and for information (it probably has nothing to do with your issue), the following is important to know regarding certificates:
- On FortiOS 5.0.x each factory default certificate is absolutely the same for "every" installation worldwide. This behaviour is described here: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4948
- Also on FortiOS 5.0.x, FortiOS does "absolutely no check" on whatever certificate, which means FortiOS 5.0.x only checks validity, meaning date and CN. There is "absolutely no check against official Root CAs like Verisign etc.". This circumstance is an issue for high security environments and has to be noted especially if the explicit proxy is used.
- On FortiOS 5.2 each factory default certificate is "unique to the device", which means it will be generated on a "fresh" installation as soon as a certificate-dependent function is used for the first time. This is an improvement from a security perspective and is specially covered with several messages on the web management interface on FortiOS 5.2.3, because a lot of people are not aware of these circumstances. "IF" a FortiOS 5.0.x is upgraded to FortiOS 5.2.x and the certificate based on FortiOS 5.0.x is somewhere in use, the "unique" certificate based on FortiOS 5.2.x "WILL NOT BE GENERATED", meaning in such circumstances the certificate based on FortiOS 5.0.x will remain unchanged/untouched on FortiOS 5.2.x.
- As a pity, the circumstance that the certificate is not checked against a CA is still the case and from my point of view a big issue, but it is as it is, meaning still only validity (date) and CN will be checked, nothing else. Hoping that this will come in 5.4.x.
If you would like to re-generate the certificate to be unique after an upgrade etc., you can force the regeneration, but be aware of what happens afterwards, meaning if you have the old certificate in use on the clients (deep inspection, SSL-VPN etc.), because in such a case you have to roll out the new one etc.
# execute vpn certificate local generate default-ssl-ca
Afterwards you can check the cert:
# config vpn certificate local
# edit Fortinet_CA_SSLProxy
# get
From this point of view, "IF" you have a unique cert used on the clients for deep inspection, SSL-VPN or whatever, and you change the device for RMA etc., you have to be aware to fully back up the cert so as to import it on the new device, in order to cover the already installed cert on the clients (for example for deep inspection etc.), because under 5.2.x the cert is/can be unique to the device!
Hope this helps also to bring a little bit of light into the dark.
have fun
Andrea
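Added example, not from the post or from Fortinet: a shell script using openssl (assumed installed) that contrasts the "date and CN only" check described above with a check that also requires a chain to a trusted CA. All certificates are constructed on the fly; the CA name and "vpn.example.com" are placeholders.

```shell
#!/bin/sh
# Added example: shows why checking only expiry + CN is weak. An impostor
# certificate with the right CN and valid dates passes it, while a check
# that also verifies the signature chain to a trusted CA rejects it.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Trusted private CA (constructed stand-in for an official root CA)
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
  -days 365 -subj "/CN=Example Root CA" 2>/dev/null
# Legitimate server certificate, signed by that CA
openssl req -newkey rsa:2048 -nodes -keyout srv.key -out srv.csr \
  -subj "/CN=vpn.example.com" 2>/dev/null
openssl x509 -req -in srv.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -out srv.pem -days 365 2>/dev/null
# Impostor: self-signed, valid dates, same CN, but no trusted issuer
openssl req -x509 -newkey rsa:2048 -nodes -keyout bad.key -out bad.pem \
  -days 365 -subj "/CN=vpn.example.com" 2>/dev/null

# weak_check CERT CN: passes if the cert is not expired and the subject CN matches
weak_check() {
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1 || return 1
  subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
  [ "$subj" = "CN=$2" ]
}

# chain_check CERT CN: the weak check plus a signature chain to the trusted CA
chain_check() {
  weak_check "$1" "$2" && openssl verify -CAfile ca.pem "$1" >/dev/null 2>&1
}

# Stand-alone demo: the impostor passes the weak check but fails the chain check
for c in srv.pem bad.pem; do
  w=fail; weak_check "$c" vpn.example.com && w=pass
  k=fail; chain_check "$c" vpn.example.com && k=pass
  printf '%s: date+CN=%s chain=%s\n' "$c" "$w" "$k"
done
```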
Richard,
I have an identical problem on two different firewalls, a 200D and a 100D, and I get identical results.
I believe this is something to do with extended validation SSL certificates, as if I load a standard SSL certificate all works fine, but I seem to get the "white screen of certificate death" when I try to load up an EV certificate, and can only get the correct certificate menu back once I have deleted the EV certificate via an SSH session.
I know when this EV certificate is loaded it is not functioning, as our SSL offload/load balancing does not function when it is loaded.
I had to downgrade the firewall from 5.2.3 back to 5.2.2, and the certificate upload and the EV certificate worked fine.
I'm still waiting for an explanation of this from Fortigate, as I have a ticket open with them in regards to this.
Hi Robert
That's good to know :) at least I'm not the only one; I have logged a request with Fortinet too...
I will post the outcome once the issue has been resolved
Just to keep you up to date, I have shown an engineer from Fortigate the issue with EV certs; they have now gone into a huddle and hopefully we are going to see some action on this...
But by God, trying to get stuff done - it's like trying to extract teeth from a duck - but going the long way around...
See below for Fortinet's reply.... Sh!t
"Dear Customer, Thank you for contacting Fortinet Technical Support. My name is Mladen and I will be assisting you with this case. You said when you formatted the device you were able to see the certificate page, but when you imported the backup config file it broke again. It is because the config file was corrupted during the firmware upgrade procedure. Please format the unit like you did before and configure the unit from scratch (do NOT load the config file). Please kindly let me know if you need any further assistance."
And for this we pay a support contract?
Interesting, because I can prove that this isn't the case...
Take a newly formatted device with 5.2.3 on it and no config other than the default, and try to load up an EV certificate - look, "White screen of certificate death", hence no corrupted saved configuration file...