This guide shows how to renewal all expired certificates embedded in the hardware at the factory of Fortigate Firewall.
If you have this scenario
you can simply run this script on FortiGate CLI:
execute vpn certificate local generate default-ssl-key-certs
All expired certificates having postfix "_DSA", "_ECDSA" and "_RSA" placed on Local Certificate, they will be renewal.