
How to fix FortiAuthenticator is not using the newly installed certificate over the old certificate

This article describes the case in which FortiAuthenticator keeps using the old certificate instead of the newly installed one.

In FortiAuthenticator, a certificate is used for several certificate-related operations. When the old certificate expires or is revoked, a fresh certificate must be installed and FortiAuthenticator should then use the new one. In some cases, however, the old certificate is still used even though the new certificate has been installed.

Scope

FortiAuthenticator.

Solution

In the cases described above, it is necessary to manually remove the old certificate from FortiAuthenticator.

However, the system does not allow the old certificate to be removed while it is still referenced in other places.

Unlike FortiGate, where the references to a certificate can be viewed, FortiAuthenticator does not offer a way to find those references.

Hence it is necessary to remove the old certificate from every place where it is referenced. Below are some locations where it may be used:

  • SSL/TLS Communication.
  • Web Admin Interface.
  • Certificate Management.
  • Certificate-Based Authentication.
  • PKI Certificate Authority.
  • OCSP and CRL Verification.
  • LDAP over SSL (LDAPS).
  • LDAP Server Verification.
  • Syslog over TLS.
  • Secure Logging.
  • REST API.
  • API Client Verification.
  • Fortinet SSO > Methods > Windows Event Logs.

Depending on the services in use, there can be more places where the certificate is referenced; make sure to remove it from those as well.
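Because FortiAuthenticator does not list where a certificate is referenced, a practical check after the swap is to connect to each TLS service and compare the certificate it presents with the fingerprint of the newly installed one. The script below is an added example, not Fortinet code; the host name, the PEM file path and the service-to-port map are assumptions (standard ports) to be adjusted to the deployment.

```python
import hashlib
import socket
import ssl
from typing import Callable, Dict

# Assumed service-to-port map: standard ports, not values from the article.
ENDPOINTS: Dict[str, int] = {
    "Web Admin Interface / REST API": 443,
    "LDAPS": 636,
    "Syslog over TLS": 6514,
}

def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint of a DER certificate."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def pem_fingerprint(pem: str) -> str:
    """Fingerprint of the newly installed certificate, given its PEM text."""
    return sha256_fingerprint(ssl.PEM_cert_to_DER_cert(pem))

def fetch_leaf_der(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Return the DER leaf certificate a TLS listener presents.
    Verification is disabled on purpose: we inspect the certificate rather
    than trust it, and the old one may already be expired."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def audit(host: str, expected_fp: str, endpoints: Dict[str, int],
          fetch: Callable[[str, int], bytes] = fetch_leaf_der) -> Dict[str, str]:
    """Classify each service as serving the new certificate, still serving
    the old one, or unreachable. `fetch` is injectable for offline testing."""
    results: Dict[str, str] = {}
    for service, port in endpoints.items():
        try:
            der = fetch(host, port)
        except (OSError, ssl.SSLError):
            results[service] = "unreachable"
            continue
        matches = sha256_fingerprint(der) == expected_fp
        results[service] = "new certificate" if matches else "OLD certificate still used"
    return results

if __name__ == "__main__":
    # Placeholder host and file name; replace with your appliance and new cert.
    with open("new_cert.pem") as f:
        new_fp = pem_fingerprint(f.read())
    for svc, status in audit("fac.example.internal", new_fp, ENDPOINTS).items():
        print(f"{svc:32} {status}")
```

Any service reported as still using the old certificate is one of the places where the reference must be replaced before the old certificate can be deleted.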