Technical Tip: Configure SSL certificate for the FortiManager/FortiAnalyzer admin GUI
Description
This article shows how to import a certificate and private key by using CLI, and to configure it in the FortiManager GUI.
Scope
FortiAnalyzer.
Solution
Use the following CLI commands to import the certificate and private key:
config system certificate local
edit <certificate name>
set private-key "<key>"
set certificate "<certificate>"
next
end
edit <certificate name>
set private-key "<key>"
set certificate "<certificate>"
next
end
Example:
config system certificate local
edit "EXAMPLE2"
set private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIB0TCCATqgAwIBAgIIJk2JxB7189gwDQYJKoZIhvcNAQEFBQAwKzERMA8GA1UE
AwwIRm9ydGluZXQxFjAUBgNVBAoMDUZvcnRpbmV0IEx0ZC4wHhcNMTQxMDI5MTI0
MzI4WhcNMjQxMDI2MTI0MzI4WjArMREwDwYDVQQDDAhGb3J0aW5ldDEWMBQGA1UE
CgwNRm9ydGluZXQgTHRkLjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA40Jv
LhccTksm1ztodEHpYGhx08DFWq2eeFYhhEFgAgGkUapC+RC/JQNPvNJijt9zIsFE
xRHnrjqfFI6LeJJXJJNpBVFgJo5O5Zm8YjVsuTdU0W0Inw9/U/Nwj5Zeza/s3fUj
JLEG08DdQf0Pl18XYsfeDwMciyqtM/kFpISZyvcCAwEAATANBgkqhkiG9w0BAQUF
AAOBgQAdGyRDObO6ktAbUnUuORDKgLX1EWhuW6q9kay+jykZabLlb/YS3p1Mj4jn
7Blqa+G2XjXG5MmJqYr54TFOBVOSqZekrgOsBl5CAVwpSSd28w6cfisdKQjPzCbb
Qzl87DSJXIgShag+2iwE2+LIAAZtTnwReuc4KRHvAkxp89hC7g==
-----END ENCRYPTED PRIVATE KEY-----"
set certificate "-----BEGIN CERTIFICATE-----
MIIDwDCCAqigAwIBAgIBEjANBgkqhkiG9w0BAQUFADCBoDELMAkGA1UEBhMCVVMx
EzARBgNVBAgTCkNhbGlmb3JuaWExEjAQBgNVBAcTCVN1bm55dmFsZTERMA8GA1UE
ChMIRm9ydGluZXQxHjAcBgNVBAsTFUNlcnRpZmljYXRlIEF1dGhvcml0eTEQMA4G
A1UEAxMHc3VwcG9ydDEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmb3J0aW5ldC5j
b20wHhcNMTAxMTE4MjI0MDU2WhcNMzgwMTE5MDMxNDA3WjCBljELMAkGA1UEBhMC
AaMNMAswCQYDVR0TBAIwADANBgkqhkiG9w0BAQUFAAOCAQEABwelWXWoxorM53jd
LM6WM3f9giz8r0s9NWQGHJtHbmczeu2dOVbDJ70UvJFIWrGcl0OLS21Z1ZjUsrVF
uOW1R7iInscbpygF5ON7Bfqm8yrbS7CmDaNnxwO+uKJVE973bbai+QMBhGVRa/qN
0O+d5gncEsJsRGRpiSV/FOgnuj+K34sjt3KWnl9nzwsWsriimVrWVuUdRNBzH3oN
/TQB3iVqO7r9//m21Xs/iDc4g843M+tyb+qzXMugQpqTCpJyu5h6ddOxk2aKqbtT
3dywc0hhvzZAXYeJbzkaDwWkpNUkbpyNmstTdq1eV9bpffpuJq+gflCeWWeaC/eY
JfhexQ==
-----END CERTIFICATE-----"
next
end
Once the certificate is configured in CLI, the user will be able to use the certificate for the admin GUI.
For v7.2.x and below, go to System Settings -> Admin -> Admin Settings and select the certificate name from the drop-down list.
From CLI the command should be :
config system admin setting
(setting)# show
config system admin setting
set admin_server_cert "fmg_global_cshare_net"
end
(setting)# set admin_server_cert ?
server.crt
fmg_global_cshare_net
Fortinet_Local2
Fortinet_Local
If the user is using the certificate for HTTPS for FQDN, log in using the IP Address. Then upload the custom certificate from the System Setting -> Certificates -> Upload -> Local Certificate.
If the error 'Importing local certificate failed. It might already exist.' is thrown, choose PKCS #12 Ceritifcates.
From v7.4.x and onward, go to System Settings -> Settings and select the certificate name from the drop-down list.
