This article outlines the instances when the server certificate for the FortiClient EMS Cloud instance gets renewed, and when it approaches expiration, an administrator will encounter the following warning message.

As stated in the warning message above, the FortiGate must be re-authorized, however, it may fail with the error below due to cached certificate entry on the FortiGate.

Troubleshooting step to verify the verified capabilities:

(global) di test application fcnacd 2

EMS context status:

FortiClient EMS number 1:

name(id): Fortinet-Test(1) confirmed: yes

fetched-serial-number: FCTEMS0000xxxxx

user-data:

verified capabilities: false     <- Failed the capabilities.

verified identity: false

interface-selection-method: 0

verify-peer-method: 4

Websocket status: disconnected, oif: 0

If the reauthorization is done from CLI, the following error may occur:

execute fctems verify 1
Error in requesting EMS fabric connection: -4
issue in getting capabilities. Server certificate does not match previously configured EMS certificate.
Error (-1@_get_capabilities:464).

To resolve this issue, unverify it:

execute fctems unverify <EMS ID>

And then verify it again:

execute fctems verify <EMS ID>

Note: This article also applies to the FortiClientEMS server.