Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
heyyo
New Contributor III

FortiOS upgrade and reinstallation of Certificates for SSL deep inspection on end devices

Hi, I upgraded my FortiGate from FortiOS 7.2.x to FortiOS 7.4.3. I am currently using a deep packet inspection SSL profile. Is it expected that I also import Fortinet_CA_SSL into my browser again every time I upgrade? Is this a normal process: upgrade of FortiOS = import of the certificate into the browser again?

I am currently having issues with SSL after the upgrade.

 

Thank you!

3 Solutions
Toshi_Esumi
SuperUser

Generally shouldn't need to, unless your FGTs are in HA and an upgrade caused a primary and secondary swap. That certificate's CN is the FGT unit's S/N. So user devices need to have all cluster units' certificates installed.

Toshi


Tahsin
New Contributor II

Hi heyyo,

 

There is no need to import the certificate again. If you see any change after the upgrade, maybe you have a bug, or you can check your configuration again.

 

BR.

If my writings have helped you find a solution. Please like so that others can easily access it as well.
TahsinCabuk

pavankr5
Staff

Hello @heyyo ,

 

Generally there is no need to import the certificate again when you upgrade your FortiGate firmware. The certificate used for SSL deep inspection should persist through upgrades unless it has been explicitly changed or re-generated during the upgrade process.

As you mentioned that you are facing this issue, please verify the certificate.

Check if the existing Fortinet_CA_SSL certificate is still present and correctly configured on the FortiGate by running the command below:

config vpn certificate local
show full

Also, we need to check the logs for any SSL-related errors that might indicate the root cause of the issue.

Thanks,

Pavan
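
The HA case from Toshi_Esumi's answer, as an added example that is not part of the thread or Fortinet's own tooling: two constructed CAs stand in for each cluster unit's Fortinet_CA_SSL, and `openssl verify` shows that a client trusting only one unit's CA rejects a certificate re-signed by the other. The function names, CN values and host name are assumptions made for the illustration.

```shell
#!/usr/bin/env bash
# Added illustration. The two CAs are constructed stand-ins for the
# Fortinet_CA_SSL certificate of each HA cluster unit; nothing here
# talks to a FortiGate.

# make_ca DIR NAME CN: create a self-signed CA certificate and key.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# resign_leaf DIR CA_NAME HOST: issue a certificate for HOST signed by
# CA_NAME, the way deep inspection re-signs a server certificate.
resign_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/leaf-$2.key" -out "$1/leaf-$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/leaf-$2.csr" -CA "$1/$2.pem" \
    -CAkey "$1/$2.key" -CAcreateserial -days 1 \
    -out "$1/leaf-$2.pem" 2>/dev/null
}

# client_trusts CA_PEM LEAF_PEM: succeeds only if LEAF_PEM chains to CA_PEM.
client_trusts() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# ca_fingerprint PEM: SHA-256 fingerprint, for comparison with the value
# shown for the CA imported into the browser.
ca_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# demo: the client imported only unit A's CA, then unit B became primary.
demo() {
  local d unit; d=$(mktemp -d) || return 1
  make_ca "$d" unitA "CONSTRUCTED-SERIAL-A" || return 1
  make_ca "$d" unitB "CONSTRUCTED-SERIAL-B" || return 1
  for unit in unitA unitB; do
    resign_leaf "$d" "$unit" www.example.test || return 1
    if client_trusts "$d/unitA.pem" "$d/leaf-$unit.pem"; then
      echo "$unit primary: trusted by a client holding unit A's CA"
    else
      echo "$unit primary: certificate error on the client"
    fi
    echo "$unit CA fingerprint: $(ca_fingerprint "$d/$unit.pem")"
  done
  rm -rf "$d"
}

demo
```

With real files, pass the CA certificate exported from each cluster unit and a certificate saved from an inspected session to `client_trusts`.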
