Description

Starting in FortiOS 5.4, the certificate "Fortinet_CA_SSLProxy" was replaced with "Fortinet_CA_SSL".
Note: FortiGates running 5.4 and later may still have that certificate if they have been upgraded from FortiOS 5.2 or before.
As a result, a policy package may still reference "Fortinet_CA_SSLProxy", which causes installs to FortiGates running FortiOS 5.4 or later to fail.
Some possible symptoms include:
1) An error during install:
Local certificate "Fortinet_CA_SSLProxy" not exist in target device
2) FortiManager has an install error and install log shows that FortiGate has Fortinet_CA_SSLProxy but FortiManager does not:
---> generating verification report
(vdom root: firewall ssl-ssh-profile "certificate-inspection":caname)
remote original: "Fortinet_CA_SSLProxy"
to be installed:
Solution

Follow these steps to correct the problem.
Note: The screenshots provided are for FortiManager 5.6 but the principles are the same for FortiManager 5.4 or later.
- Configure the FortiManager to reference "Fortinet_CA_SSL" instead of "Fortinet_CA_SSLProxy" in SSL/SSH profiles.
- Make sure there is a dynamic mapping added pointing to the certificate on that FortiGate.

a) Update Display Options (if the Local Certificates option is not visible in "Policy & Objects")
- Enable "Local Certificate" under "Dynamic Objects" (Policy & Object > Object Configuration > Tools > Display options > Local Certificate).

b) Update the Certificate
- Go to Dynamic Objects > Local Certificates > select Fortinet_CA_SSL > enable Per-Device Mapping > add the FortiGate in question and select the local certificate (either Fortinet_CA_SSL or Fortinet_CA_SSLProxy, whichever matches the local FortiGate).
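The verification failure above boils down to an SSL/SSH profile whose caname is not among the target device's local certificates. The following added example (not part of this article or of any Fortinet tool) parses a constructed, FortiOS-CLI-style config text and reports every ssl-ssh-profile that references a CA certificate the device does not have, so the mismatch can be caught before an install is attempted; the config format and its flat config/edit/set/next/end layout are assumptions for the sample.

```python
"""Pre-install check: find ssl-ssh-profiles whose caname is missing from the
device's local certificates. Sample config is constructed, FortiOS-CLI style."""

# Constructed sample (not a real device export): the device only has the
# newer Fortinet_CA_SSL, but one profile still points at the legacy name.
SAMPLE_CONFIG = """\
config vpn certificate local
    edit "Fortinet_CA_SSL"
        set comments "default CA"
    next
end
config firewall ssl-ssh-profile
    edit "certificate-inspection"
        set caname "Fortinet_CA_SSLProxy"
    next
    edit "deep-inspection"
        set caname "Fortinet_CA_SSL"
    next
end
"""


def parse_config(text):
    """Return {section: {entry: {key: value}}}; assumes flat (non-nested) blocks."""
    cfg, section, entry = {}, None, None
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts:
            continue
        word, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        if word == "config":
            section = rest
            cfg.setdefault(section, {})
        elif word == "edit" and section is not None:
            entry = rest.strip('"')
            cfg[section].setdefault(entry, {})
        elif word == "set" and entry is not None:
            key, _, value = rest.partition(" ")
            cfg[section][entry][key] = value.strip().strip('"')
        elif word == "next":
            entry = None
        elif word == "end":
            section, entry = None, None
    return cfg


def missing_ca_references(cfg):
    """Map profile name -> caname for profiles whose CA is not on the device."""
    certs = set(cfg.get("vpn certificate local", {}))
    profiles = cfg.get("firewall ssl-ssh-profile", {})
    return {name: attrs.get("caname") for name, attrs in profiles.items()
            if attrs.get("caname") not in certs}
```

Run it against a real export of the device's `vpn certificate local` and `firewall ssl-ssh-profile` sections to see which profiles still need to be repointed or per-device mapped.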