Administration Guide

Regenerate default certificates

The FortiGate includes default certificates that are generated the first time the FortiGate boots. These certificates sometimes need to be regenerated, for example when they are nearing expiry or if a key has been compromised.

To regenerate default certificates:
# execute vpn certificate local generate default-gui-mgmt-cert
# execute vpn certificate local generate default-ssl-ca
# execute vpn certificate local generate default-ssl-ca-untrusted
# execute vpn certificate local generate default-ssl-key-certs
# execute vpn certificate local generate default-ssl-serv-key

default-gui-mgmt-cert

Regenerate the default GUI management admin-server (Fortinet_GUI_Server) certificate.

default-ssl-ca

Regenerate the default CA certificate (Fortinet_CA_SSL) used by SSL Inspection.

default-ssl-ca-untrusted

Regenerate the default untrusted CA certificate (Fortinet_CA_Untrusted) used by SSL Inspection.

default-ssl-key-certs

Regenerate the default RSA, DSA, ECDSA, and EdDSA key certificates for SSL resign:

  • Fortinet_SSL_DSA1024
  • Fortinet_SSL_DSA2048
  • Fortinet_SSL_ECDSA256
  • Fortinet_SSL_ECDSA384
  • Fortinet_SSL_ECDSA521
  • Fortinet_SSL_ED448
  • Fortinet_SSL_ED25519
  • Fortinet_SSL_RSA1024
  • Fortinet_SSL_RSA2048
  • Fortinet_SSL_RSA4096

default-ssl-serv-key

Regenerate the default server key (Fortinet_SSL) used by SSL Inspection.
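
An added example (not from Fortinet's documentation): a shell helper for an administrator workstation with OpenSSL that checks whether an exported copy of a default certificate is within a chosen number of days of expiry and, if so, prints the matching regenerate command from the list above. The function names, the 30-day default, and the assumption that the certificate was already exported to a PEM file are this example's own; the sample certificate is a constructed throwaway.

```shell
#!/bin/sh
# Map a default certificate name (as listed on this page) to the argument
# of "execute vpn certificate local generate". Hypothetical helper name.
regen_arg_for() {
    case "$1" in
        Fortinet_GUI_Server)   echo default-gui-mgmt-cert ;;
        Fortinet_CA_SSL)       echo default-ssl-ca ;;
        Fortinet_CA_Untrusted) echo default-ssl-ca-untrusted ;;
        Fortinet_SSL)          echo default-ssl-serv-key ;;
        Fortinet_SSL_*)        echo default-ssl-key-certs ;;  # the SSL resign set
        *)                     return 1 ;;
    esac
}

# check_cert NAME PEM_FILE [DAYS]
# Prints the regenerate command when the certificate in PEM_FILE expires
# within DAYS (default 30). Returns 0 if due, 1 if not due, 2 on error.
check_cert() {
    name=$1 pem=$2 days=${3:-30}
    arg=$(regen_arg_for "$name") || {
        echo "not a default certificate on this page: $name" >&2; return 2; }
    openssl x509 -in "$pem" -noout >/dev/null 2>&1 || {
        echo "cannot parse certificate: $pem" >&2; return 2; }
    # -checkend exits 0 when the certificate is still valid N seconds from now.
    if openssl x509 -in "$pem" -noout -checkend $((days * 86400)) >/dev/null; then
        return 1
    fi
    echo "execute vpn certificate local generate $arg"
}

# Constructed sample input: a throwaway self-signed certificate valid 10 days,
# standing in for an exported default certificate.
tmp=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 10 -subj "/CN=constructed-sample" \
    -keyout "$tmp/key.pem" -out "$tmp/cert.pem" 2>/dev/null

check_cert Fortinet_GUI_Server "$tmp/cert.pem" 30          # due: prints the command
check_cert Fortinet_GUI_Server "$tmp/cert.pem" 5 || echo "not due within 5 days"
```

Regenerating Fortinet_CA_SSL produces a new CA certificate, so clients that trusted the previous one for SSL inspection need the new certificate installed.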
