Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevice
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Re: SSLVPN Certificate Parse Error
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SSLVPN Certificate Parse Error
Hello Guys,
i want to renew my certificate for ssl vpn over ssh. it worked but now i get the error "Input is not a valid/matched certificate. node_check_object fail! for certificate".
Can someone help me pls. I've post the log from my ssh commands.
Thanks
9 REPLIES 9
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you need to import a certificate and key to be able to use it as SSLVPN server cert.
do you have a .p12 of .pfx file for this?
or did you use the same key to generate this new cert?
EDIT please dont share the certificate + key if you post a reply, it probably is password protected but still, rather keep that save.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Exactly the same problem. Were you able to figure it out?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you get only a renewed cert and you don't have private key (included in the PKCS#12(PFX) file) and the password you used to generate it originally, you have to do this CLI method to preserve the encrypted private key while swapping the cert to the new one.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-import-a-new-local-certificate-afte...
Toshi
Created on 09-09-2025 11:31 PM Edited on 09-10-2025 12:05 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for reply.
I see this article and I confirm that this error text with error number "-651" means no matching certificate for the existing key. When I try to renew certificate only for the same, existed key, as described in the article above, it DOES work. However, it is not real-world scenario. Typically renewed certs come with new key.
I found another article:
https://community.fortinet.com/t5/FortiGate/Technical-Note-Upload-Certificate-using-PEM-format/ta-p/...
Whatever I try I always get an error "Invalid private key, password may be required" when I try to upload new key, whether the PEM is encrypted with password or not. "set password" does not work either. The article just suggests "In such cases try getting a new key from the certificate authority and reupload." but this explain nothing unfortunately.
The question is whether it is possible at all to update existing certificate in-place with new key or not?
UPDATE: I finally found proper format for a key which is PKCS#8 with no password and now it works. Certificate gets in-place renewed with new key. Version is 7.6.3.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you got a new cert with a new private key, that's a completely new certificate set. You just need to import it as a new one. It doesn't matter the current one exist or not.
I never tried PEM installation. Try create PKCS#12 format file based on those unencrypted cert+key. There are multiple tools available. But I think the most common one is OpenSSL on Linux. Just make sure you save the password you used to encrypt to a safe and foundable place.
Toshi
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As I mentioned above, it isn't correct. New cert and with new key can be successfully updated in-place.
Created on 09-10-2025 12:06 AM Edited on 09-10-2025 12:08 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
After the second thought, if the certificate name is the same, it would fail.
You probably need to remove existing one first to import the new one.
To do that, you need to use another one like the factory default one temporarily as a place holder. Otherwise, you wouldn't be able to delete an used cert.
That's another reason I keep doing the first KB method to just swap the cert withouth chainging the private key.
Toshi
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No need to remove existed one, no need to change references. Certificate successfully updated in-place with new key.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I’ve run into a similar issue before, and in my case it turned out the certificate format wasn’t right. When you renew it over SSH, make sure both the cert and key are in PEM format, and don’t forget to include the intermediate CA if needed. This Fortinet article explains the process step by step and might help clear the error:
https://community.fortinet.com/t5/FortiGate/Read moreTechnical-Note-Upload-Certificate-using-PEM-format/ta-p/197317
Labels
-
FortiGate
10,594 -
FortiClient
2,159 -
FortiManager
889 -
5.2
687 -
FortiAnalyzer
681 -
5.4
638 -
FortiSwitch
584 -
FortiClient EMS
564 -
FortiAP
559 -
IPsec
420 -
6.0
416 -
SSL-VPN
376 -
FortiMail
372 -
5.6
362 -
FortiNAC
283 -
FortiWeb
252 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SD-WAN
192 -
FortiAuthenticator
173 -
FortiGuard
160 -
5.0
152 -
Firewall policy
144 -
FortiGate-VM
131 -
6.4
128 -
FortiCloud Products
116 -
FortiSIEM
113 -
FortiToken
113 -
FortiGateCloud
112 -
Wireless Controller
95 -
Customer Service
88 -
High Availability
86 -
FortiProxy
77 -
ZTNA
76 -
Routing
75 -
Fortivoice
73 -
SAML
71 -
DNS
71 -
VLAN
71 -
FortiEDR
69 -
FortiADC
68 -
BGP
67 -
Authentication
66 -
certificate
65 -
RADIUS
61 -
LDAP
60 -
fortilink
55 -
SSO
54 -
FortiSandbox
53 -
NAT
53 -
FortiExtender
51 -
4.0MR3
49 -
vdom
47 -
Application control
45 -
FortiDNS
43 -
Interface
43 -
Logging
41 -
Virtual IP
41 -
FortiGate v5.4
38 -
FortiSwitch v6.4
38 -
FortiPAM
35 -
SSL SSH inspection
35 -
Web profile
35 -
FortiConnect
34 -
Automation
33 -
FortiWAN
31 -
FortiConverter
30 -
FortiGate v5.2
27 -
Traffic shaping
26 -
Static route
26 -
SNMP
25 -
API
25 -
SSID
25 -
FortiSwitch v6.2
23 -
FortiPortal
23 -
FortiGate Cloud
23 -
System settings
22 -
OSPF
20 -
WAN optimization
20 -
FortiMonitor
19 -
Security profile
19 -
Web rating
19 -
Web application firewall profile
18 -
IP address management - IPAM
18 -
FortiSoar
17 -
FortiGate v5.0
16 -
FortiDDoS
16 -
FortiAP profile
16 -
Explicit proxy
15 -
Admin
15 -
Proxy policy
15 -
FortiCASB
14 -
IPS signature
14 -
NAC policy
14 -
Intrusion prevention
14 -
FortiManager v4.0
13 -
DNS filter
13 -
FortiManager v5.0
12 -
FortiDeceptor
12 -
users
12 -
Traffic shaping policy
12 -
Fabric connector
12 -
Port policy
12 -
FortiRecorder
11 -
FortiAnalyzer v5.0
10 -
FortiWeb v5.0
10 -
FortiBridge
10 -
Trunk
10 -
Traffic shaping profile
10 -
Authentication rule and scheme
10 -
Fortinet Engage Partner Program
10 -
FortiGate v4.0 MR3
9 -
RMA Information and Announcements
9 -
Antivirus profile
9 -
FortiCache
8 -
FortiToken Cloud
8 -
4.0
7 -
4.0MR2
7 -
Packet capture
7 -
Application signature
7 -
VoIP profile
7 -
Vulnerability Management
7 -
FortiScan
6 -
FortiCarrier
5 -
FortiNDR
5 -
FortiTester
5 -
DLP profile
5 -
DLP sensor
5 -
DoS policy
5 -
Email filter profile
5 -
Protocol option
5 -
Cloud Management Security
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
DLP Dictionary
4 -
Netflow
4 -
TACACS
4 -
Replacement messages
4 -
SDN connector
4 -
Service
4 -
Multicast routing
4 -
FortiDB
3 -
FortiHypervisor
3 -
Kerberos
3 -
File filter
3 -
Multicast policy
3 -
FortiEdge Cloud
3 -
FortiInsight
2 -
FortiAI
2 -
Video Filter
2 -
Schedule
2 -
ICAP profile
2 -
Zone
2 -
Lacework
2 -
FortiGuest
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
FortiSASE
1 -
Virtual wire pair
1 -
FortiEdge
1 -
FortiAIOps
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2592 | |
| 1380 | |
| 800 | |
| 659 | |
| 455 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.