FortiOS upgrade and reinstallation of Certificates for SSL deep inspection on end devices
Hi, I had upgraded my FortiGate from FortiOS 7.2.x to FortiOS 7.4.3. I am currently using a deep packet inspection SSL profile. Is it expected that I also import Fortinet_CA_SSL into my browser again every time I upgrade? Is this a normal process - Upgrade of FortiOS = Import of Certificate again into the browser?
I am currently having issues with SSL after the upgrade.
Thank you!
Generally shouldn't need to, unless your FGTs are in HA and an upgrade caused a primary and secondary swap. That certificate's CN is the FGT unit's S/N. So user devices need to have all cluster units' certificates installed.
Toshi
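The HA case described in the reply above, as an added example that is not part of the original thread: constructed CAs with made-up serial numbers as CNs stand in for each cluster unit's Fortinet_CA_SSL, and `openssl verify` shows that a certificate re-signed by the other unit fails on a client that installed only the first unit's CA. The helper names (`make_ca`, `resign`, `trusted_by`), the file names and the host name are assumptions for illustration.

```shell
# Added example (not from the thread): constructed CAs stand in for the
# Fortinet_CA_SSL certificate of each HA cluster unit. Serial numbers are made up.
set -eu
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Minimal OpenSSL config so the generated certificates are valid CAs.
cat > "$work/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

# make_ca NAME CN: self-signed inspection CA whose CN is the unit's serial number.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$work/ca.cnf" \
    -subj "/CN=$2" -keyout "$work/$1.key" -out "$work/$1.pem" 2>/dev/null
}

# resign LEAF CA: issue a server certificate from CA, as deep inspection does.
resign() {
  openssl req -new -newkey rsa:2048 -nodes -config "$work/ca.cnf" \
    -subj "/CN=www.example.test" -keyout "$work/$1.key" -out "$work/$1.csr" 2>/dev/null
  openssl x509 -req -in "$work/$1.csr" -CA "$work/$2.pem" -CAkey "$work/$2.key" \
    -set_serial 1 -days 1 -out "$work/$1.pem" 2>/dev/null
}

# trusted_by LEAF CA...: print each installed CA that validates LEAF (empty = browser warning).
trusted_by() {
  leaf=$1; shift
  for ca in "$@"; do
    if openssl verify -CAfile "$work/$ca.pem" "$work/$leaf.pem" >/dev/null 2>&1; then
      echo "$ca"
    fi
  done
}

make_ca unitA "FGT-CONSTRUCTED-SN-A"
make_ca unitB "FGT-CONSTRUCTED-SN-B"
resign before_failover unitA
resign after_failover unitB
echo "client trusts unitA only, after failover: [$(trusted_by after_failover unitA)]"
echo "client trusts both units, after failover: [$(trusted_by after_failover unitA unitB)]"
```

On a real client, comparing the issuer CN of the certificate the browser receives against the CNs of the installed CA certificates answers the same question.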
Hi heyyo,
There is no need to import the certificate again. If you see any change after the upgrade, maybe you have a bug, or you can check your configuration again.
BR.
TahsinCabuk
Hello @heyyo,
Generally there is no need to import the certificate again when you upgrade your FortiGate firmware. The certificate used for SSL deep inspection should persist through upgrades unless it has been explicitly changed or re-generated during the upgrade process.
As you informed us that you are facing this issue, to verify the certificate:
Check if the existing Fortinet_CA_SSL certificate is still present and correctly configured on the FortiGate by running the command below:
config vpn certificate local
show full
Also, we need to check the logs for any SSL-related errors that might indicate the root cause of the issue.
Thanks,
Pavan
