FortiManager VPN Certificate

How to fix this odd error where FortiManager tries to install a certificate that isn't valid

Issue

FortiManager, when it is newly set up (I think), will sometimes try to push a certificate to FortiGate devices.
The error message in FortiManager is spread across four lines:
“Input is not a valid CA certificate.”
“The field ca is empty!”
“node_check_object fail! for ca”
“Attribute ‘ca’ MUST be set.”
(Screenshot: Error message)
I’ve run into this in my lab, and I’m pretty sure I saw this in a production FortiManager.
I found this issue discussed on the Fortinet forums, but I didn’t find the solution there.

Solution

The solution that I used to fix this in my lab was to remove the certificate entries from the CLI configs.
The entry is located in two places (probably).

First, remove the certificate from the Policy configuration; this may be all that is needed to resolve the issue.
Under Policy and Objects, select the Object Configuration screen. Go to the CLI Only Objects.
Expand vpn, expand certificate, select ca.
Select and Delete the certificate that is causing the issue.

Second, if required, remove the certificate from each device's configuration.
On the Device Manager screen, open CLI Configurations.
Expand: vpn, certificate, ca.
Select and Delete the certificate that is causing the issue.

NOTE: By default, FortiManager will not show you CLI Only Objects or CLI Configurations.
If you don't see them, you will need to modify the Display Options.
In Policy and Objects, click on Tools, Display Options.
At the very bottom of the list, you should see CLI Only Objects. Check the box and click OK.
In Device Manager, click on Tools, Global Display Options. At the very bottom, again, you should see CLI Configurations. Check the box and click OK.
