Hot!Generating new Fortinet_CA_SSL certificate

New Member
  • Total Posts : 1
  • Scores: 0
  • Reward points: 0
  • Joined: 2019/10/10 05:05:17
  • Status: offline
2019/10/10 05:11:10 (permalink)

Generating new Fortinet_CA_SSL certificate

So I have a problem.  When we deployed several 60E devices, we worked with Fortinet to create a "golden config."  It allowed us to put a basic config on a USB stick, only changing certain variables such as hostname, IP address, gateway IP, VLAN info, etc for each one before installing it using the USB boot install.
The problem is, when they downloaded that first config for us from the first device we deployed, they didn't flag the Fortinet_CA_SSL certificate as one of the variables that needed to change with each one.  So every 60E now has the same default SSL cert that the first 60E ployed has - so all of them are identical.  Instead of each SSL cert showing the serial of that unique device, they have the serial of the first 60E.
So my question is, is there a way to regenerate that certificate or generate a new one so that each 60E has it's own unique default SSL certificate again?
Expert Member
  • Total Posts : 6186
  • Scores: 510
  • Reward points: 0
  • Joined: 2004/03/09 01:20:18
  • Location: Heidelberg, Germany
  • Status: offline
Re: Generating new Fortinet_CA_SSL certificate 2019/10/10 11:11:58 (permalink)
Happened to me as well, oh my.
One fix:
- get the config
- delete the blocks "config vpn cert" and "config firewall ssl"
- restore this
I haven't tried this on a 'botched' FGT but I've used this procedure when cloning.
Second fix:
   exec vpn certificate local generate default?
for ssl-ca, ssl-ca-untrusted, ssl-key-certs or ssl-serv-key.
Again, lacking a msiconfigured cloned FGT atm, haven't tried it out.
If you do, please post your findings.


" Kernel panic: Aiee, killing interrupt handler!"
Jump to:
© 2020 APG vNext Commercial Version 5.5