So I have a problem. When we deployed several 60E devices, we worked with Fortinet to create a "golden config." It allowed us to put a basic config on a USB stick, only changing certain variables such as hostname, IP address, gateway IP, VLAN info, etc for each one before installing it using the USB boot install.
The problem is, when they downloaded that first config for us from the first device we deployed, they didn't flag the Fortinet_CA_SSL certificate as one of the variables that needed to change with each one. So every 60E now has the same default SSL cert that the first 60E deployed has - so all of them are identical. Instead of each SSL cert showing the serial of that unique device, they have the serial of the first 60E.
So my question is, is there a way to regenerate that certificate or generate a new one so that each 60E has its own unique default SSL certificate again?
Happened to me as well, oh my.
One fix:
- get the config
- delete the blocks "config vpn cert" and "config firewall ssl"
- restore this
I haven't tried this on a 'botched' FGT but I've used this procedure when cloning.
Second fix:
exec vpn certificate local generate default?
for ssl-ca, ssl-ca-untrusted, ssl-key-certs or ssl-serv-key.
Again, lacking a misconfigured cloned FGT atm, haven't tried it out.
If you do, please post your findings.
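An added example of the "delete the blocks" step from the first fix, done offline on a backup file rather than by hand. This is not code from the thread or from Fortinet; it assumes the usual FortiOS backup shape (`config ... end` nesting, `edit ... next` tables, quoted multi-line PEM values), uses the two block-name prefixes the reply names (`vpn certificate` and `firewall ssl`), and works on a constructed sample config with placeholder values. It also lists the top-level blocks left in the result so the stripped backup can be checked before it is restored to each unit.

```python
import re
from typing import Iterable, Iterator, List, Optional, Tuple

# Constructed sample of a FortiGate backup fragment (not taken from the thread).
# The nesting follows the shape of a FortiOS backup; every value is a placeholder.
SAMPLE_CONFIG = """\
#config-version=FGT60E-PLACEHOLDER:opmode=0:vdom=0
config system global
    set hostname "FGT-SITE-01"
end
config vpn certificate local
    edit "Fortinet_CA_SSL"
        set password ENC PLACEHOLDER
        set private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----
PLACEHOLDER
-----END ENCRYPTED PRIVATE KEY-----"
        set certificate "-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----"
    next
end
config firewall ssl setting
    set proxy-connect-timeout 30
end
config system interface
    edit "wan1"
        set ip 192.0.2.10 255.255.255.0
    next
end
"""

# Block-name prefixes the reply says to delete before restoring. Prefix matching
# is deliberate: "vpn certificate" also covers the ca/remote/crl sibling tables.
DEFAULT_DROP_PREFIXES = ("vpn certificate", "firewall ssl")

# A double quote not preceded by a backslash; FortiOS escapes quotes with "\".
_UNESCAPED_QUOTE = re.compile(r'(?<!\\)"')


def _toggles_quote(line: str) -> bool:
    """True if the line opens or closes a multi-line quoted value (e.g. a PEM blob)."""
    return len(_UNESCAPED_QUOTE.findall(line)) % 2 == 1


def _walk(config_text: str) -> Iterator[Tuple[str, Optional[str], bool, int]]:
    """Yield (line, config_header_or_None, is_end, depth_before_line) per line.

    Structure keywords are only recognised outside quoted values, so a PEM line
    that happens to start with "end" or "config" cannot corrupt the nesting."""
    depth = 0
    in_quote = False
    for line in config_text.splitlines(keepends=True):
        stripped = line.strip()
        header: Optional[str] = None
        is_end = False
        if not in_quote:
            if stripped.startswith("config "):
                header = stripped[len("config "):]
            elif stripped == "end":
                is_end = True
        yield line, header, is_end, depth
        if header is not None:
            depth += 1
        elif is_end:
            depth -= 1
        if _toggles_quote(line):
            in_quote = not in_quote


def strip_blocks(config_text: str,
                 prefixes: Iterable[str] = DEFAULT_DROP_PREFIXES) -> str:
    """Remove every top-level 'config <header>' block whose header starts with
    one of `prefixes`, including any nested sub-tables and its closing 'end'."""
    prefixes = tuple(prefixes)
    out: List[str] = []
    dropping = False
    for line, header, is_end, depth in _walk(config_text):
        if depth == 0 and header is not None and header.startswith(prefixes):
            dropping = True
        if not dropping:
            out.append(line)
        elif is_end and depth == 1:
            dropping = False  # this 'end' closes the dropped top-level block
    return "".join(out)


def top_level_blocks(config_text: str) -> List[str]:
    """Headers of the top-level config blocks, for checking a backup before restore."""
    return [h for _, h, _, depth in _walk(config_text) if h is not None and depth == 0]


if __name__ == "__main__":
    cleaned = strip_blocks(SAMPLE_CONFIG)
    print("blocks kept:", top_level_blocks(cleaned))
```

Run it against a real backup by reading the file into `strip_blocks` and writing the result out; narrow the prefixes to `("vpn certificate local", "firewall ssl")` if the CA/remote/CRL tables should survive. After restoring to each unit, the check that matters is the one the question describes: the Fortinet_CA_SSL certificate on each 60E should carry that device's own serial, and no two units should present the same certificate.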