Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
SimoSimo77
New Contributor III

Fortiauthenticator Default-Server-Certificate expiration

Hello,

 

The Default-Server-Certificate will expire in 5 days.

 

We use FAC for WIFI EAP-TLS and VPN MFA.

 

I can see that the certificate is used in the LDAP service, the OAuth service and maybe in other services.

 

Is it safe to keep using this certificate after the expiration, or should I renew it? I would also like to know the impact if I renew the certificate.
1 Solution
SimoSimo77
New Contributor III

Hello,

I had to reboot the FAC HA cluster, so the certificate was generated automatically.

If you are in HA you have to shut down both devices, start the primary device, check if the certificate was renewed automatically and then start the second device and let it sync.

Thank you
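One way to verify the outcome described above, as an added example that is not from the thread: pull the certificate a FAC service presents (for instance LDAPS on 636 or the GUI/OAuth endpoint on 443), check whether it is self-signed, and check how close to expiry it is. The host names, ports and file paths are assumptions; the 5-day test certificate is constructed locally so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the thread or from Fortinet. Requires the openssl CLI.

# Fetch the leaf certificate presented on host:port and store it as PEM in $3.
# Hypothetical usage: fetch_server_cert fac.example.net 636 /tmp/fac-ldaps.pem
fetch_server_cert() {
  host="$1"; port="$2"; out="$3"
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM >"$out" 2>/dev/null
}

# Succeed (exit 0) if the PEM certificate in $1 is self-signed (issuer == subject).
cert_is_self_signed() {
  subj=$(openssl x509 -in "$1" -noout -subject)
  iss=$(openssl x509 -in "$1" -noout -issuer)
  [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Succeed (exit 0) if the certificate in $1 expires within $2 days, else fail (exit 1).
cert_expires_within() {
  # openssl -checkend returns 0 when the cert will still be valid at now + seconds
  if openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null; then
    return 1
  fi
  return 0
}

# Human-readable summary for checking a live FAC after the reboot/renewal.
report_cert() {
  openssl x509 -in "$1" -noout -subject -issuer -startdate -enddate
  if cert_is_self_signed "$1"; then echo "self-signed: yes"; else echo "self-signed: no"; fi
  if cert_expires_within "$1" 30; then echo "WARNING: expires within 30 days"; fi
}

# Constructed test data: a self-signed certificate valid for 5 days, written to
# $1 (cert) and $2 (key), mirroring the 5-day window in the thread.
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$2" -out "$1" -days 5 \
    -subj "/CN=fac-default-server-cert.example" >/dev/null 2>&1
}
```

Run `report_cert` on a file saved by `fetch_server_cert` for each FAC service port; a "self-signed: yes" line is the situation AEK describes, and the enddate line confirms whether the reboot actually renewed the certificate.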

AEK
SuperUser

Hi Simo

This certificate is self-signed, so it is already not trusted by any equipment, so I guess you are forcing all your equipment to trust it.

You should create your own CA (if not already done) that will sign all your certificates.

Regarding your question, after the expiration you will probably have problems with some equipment, since most modern equipment that follows minimum security standards rejects expired certificates.

AEK
SimoSimo77
New Contributor III

Hello @AEK 

I can see a GPO on my domain controller that forces computers to trust the FAC root CA.

Will renewing the expired certificate have an impact on our production, or will it be transparent?
AEK

Create a new certificate signed with the same CA and install it with its private key on a non-critical piece of equipment, then try to use it and see if it has any impact.

It shouldn't have any impact, but testing as suggested above is safer before deploying on critical equipment.

AEK
SimoSimo77
New Contributor III

Hello @AEK 

I think there is a misunderstanding.

The FAC internal CA certificate will not expire until 2032.

The only certificate that is expiring in 5 days is the default-server-certificate.

 

I don’t see any reason to generate a new CA certificate in this case.