Just out of curiosity, what upgrade path did you follow? What previous OS version was running on the FortiGate?

Can you select one of the missing certificates for SSLVPN connections (server authentication) or for deep inspection?

If you're sure you followed the correct upgrade path, I would open a ticket with Fortinet TAC.

Hi

for verfication and to know but has probably nothing to do with your issue it is regarding certificate following important to know:

- On a FortiOS 5.0.x each Factory Default Certificate is absolutly the same for "every" installation WorldWide. This beahaviour is described here: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4948

- Also on FortiOS 5.0.x the FortiOS does "absolutly no check" for whatever Certificate which means FortiOS 5.0.x does only check validity meaning date and CN. There is "absolutly no check on official Root CA's like Verisign etc.". This circumstance is for high security env. a issue and has to be noticed specially if the Explicit Proxy is used.

- On a FortiOS 5.2 each Factory Default Certificate is "unique to the device" which means will be initiated to generated on a "fresh" installation as soon as a Certificate depending function is used the first time. From this point a increasment from security perspective and specialy covered with several message on the Web Mgmt. Interface on FortiOS 5.2.3 because a lot of people are not awae of this circumstances. "IF" a FortiOS 5.0.x will be upgrade to FortiOS 5.2.x and the Certificate base on FortiOS 5.0.x is somewhere in use the "unique" Certificate based on FortiOS 5.2.x "WILL BE NOT DONE" meaning in such circumstances the Certificate based on FortiOS 5.0.x will be on FortiOS 5.2.x unchanged/untouched.

- As a pity the circumstances that the Certificate will be not checked agains CA is still the case and from my point of view a big issue but it is as it is meaning still only validity (date) and CN will be checked nothing else. Hoping that this will come in 5.4.x.

If you like to re-generate the certificate to be unique after a upgrade etc. you can force the regeneration but be aware what happens after meaning if you have the old certificate used on the clients (deep inspection, ssl-vpn etc.) because in such a case you have to roll-out new etc.

       # execute vpn certificate local generate default-ssl-ca

Afterwards you can check the Cert:

       # config vpn certificate local        # edit Fortinet_CA_SSLProxy        # get

From this point of view "IF" you have a unique Cert used on the Clients for deep-inspection, SSL-VPN or for whatever and you change the device for RMA etc. you have to be aware to fully backup the Cert as to import new on the new device in case of to cover the already installed Cert on the Client for exampel deep-inspection etc.  because under 5.2.x the Cert is/can be unique to the device!

Hope this helps also to bring a little bit light in dark

have fun

Andrea

Richard,

I have an identical problem on two different firewall 200D and a 100D and I have identical results

I beleive this is something to do with extended validation SSL certificates, as if I load a standard SSL certificate - all works fine, but I seem to get the "white screen of certificate death" when I try load up an EV certificate and can only get the correct certificate menu back once I have deleted the EV certificate via SSH session

I know when the this EV certificate is loaded, it is not fuctioning, as our SSL offload/load balancing does not fuction when this is loaded

I had to downgrade the firewall from the 5.2.3 back to 5.2.2 and the certificate upload and the EV certificate worked fine

Im still waiting for an explanation to this from Fortigate as I have a ticket open with them in regards to this.

See below for Fortinet's reply....  Sh!t

"Dear Customer, Thank you for contacting Fortinet Technical Support. My name is Mladen and I will be assisting you with this case. You said when you formatted the device you were able to see the certificate page but when you imported backup config file it broke again. It is because config file was corrupted during firmware upgrade procedure. Please fortmat the unit like you did it before and configure the unit from scratch (do NOT load config file). Please kindly let me know if you need any further assistance."