Technical Tip: Install FortiGate's CA SSLProxy Certificate on user's PC from FortiClient EMS
Description
This article shows how to automatically distribute FortiGate's SSL CA Certificate via FortiClient EMS. Preventing the "Security Certificate error" or "Connection is untrusted" messages when accessing the Internet generally requires manually importing the FortiGate's SSL CA Proxy Certificate on the PC.
Scope
FortiClient Enterprise Management System
FortiClient 5.4.1 - 5.6.6
FortiOS 5.41 - 6.x
Solution
Import Certificate to EMS
On FortiGate
Verify that the FortiGate's "Fortinet_CA_SSLProxy" Certificate is displayed under System\Certificates\Local CA Certificates.
On EMS
Go to Administration\CA Certificate Management.
Click "Import".
1) In the pop-up window, add the following:
2) IP address/Hostname
3) VDOM
4) Username
5) Password
6) Click on "Import"
Add Certificate to User's Profile
Go to Endpoint Profiles\Manage Profiles
1) Select and Edit Profile.
2) Select the System Settings Tab.
3) Scroll down to the "Other" Section.
4) Enable "Install CA Certificate on Client".
5) The imported CA Certificates are listed.
6) Select the Certificate to push to the Endpoint.
7) Click "Save".
The "Fortinet_CA_SSLProxy" Certificate will be downloaded by the FortiClient Endpoint in its next keep-alive cycle (usually every 60 seconds).
Verify Certificate installation
1) Start\Run -> enter "mmc"
2) Click File\Add/Remove Snap-in...
3) In the "Add or Remove Snap-ins" window, select Certificates.
4) Click "Add".
5) Select "My user account".
6) Click "Finish".
7) Click "OK". (You will see it opens "Certificates - Current User")
8) Expand "Trusted Root Certification Authorities".
9) Click "Certificates".
10) Locate the Certificate with the FortiGate's Serial Number in the list.
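The same check can be scripted in PowerShell, which also allows the installed certificate to be compared against the fingerprint of the CA on the FortiGate. This is an added example, not part of the original article or of Fortinet's tooling; it assumes the FortiGate serial number appears in the certificate Subject and that the expected SHA-256 fingerprint was read from the FortiGate itself. The function name, serial number and fingerprint are placeholders.

```powershell
# Added example: scripted equivalent of the MMC verification steps.
# Assumptions (not from the article): the serial number is part of the
# certificate Subject; the expected fingerprint was obtained from the FortiGate.
function Test-FortiGateProxyCA {
    param(
        [Parameter(Mandatory)] [string] $SerialNumber,
        [string]   $ExpectedSha256,
        # "My user account" in the MMC steps maps to the CurrentUser store.
        [string[]] $Stores = @('Cert:\CurrentUser\Root')
    )
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $now = Get-Date
    try {
        foreach ($store in $Stores) {
            Get-ChildItem -Path $store |
                Where-Object {
                    # Literal, case-insensitive match (no wildcard interpretation).
                    $_.Subject.IndexOf($SerialNumber, [StringComparison]::OrdinalIgnoreCase) -ge 0
                } |
                ForEach-Object {
                    $fp = [BitConverter]::ToString($sha.ComputeHash($_.RawData)) -replace '-', ''
                    $bc = $_.Extensions | Where-Object {
                        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
                    }
                    [pscustomobject]@{
                        Store            = $store
                        Subject          = $_.Subject
                        NotAfter         = $_.NotAfter
                        WithinValidity   = ($_.NotBefore -le $now) -and ($_.NotAfter -gt $now)
                        IsCA             = [bool]($bc -and $bc.CertificateAuthority)
                        Sha256           = $fp
                        # $null when no expected value was supplied.
                        FingerprintMatch = if ($ExpectedSha256) {
                            $fp -eq ($ExpectedSha256 -replace '[:\s]', '')
                        } else { $null }
                    }
                }
        }
    } finally { $sha.Dispose() }
}

# Placeholder values: replace with the real serial number and fingerprint.
$found = Test-FortiGateProxyCA -SerialNumber 'FGT-SERIAL-PLACEHOLDER' `
                               -ExpectedSha256 'SHA256-FINGERPRINT-PLACEHOLDER'
if (-not $found) { Write-Warning 'No matching certificate in the Trusted Root store.' }
$found | Format-List
```

A result with FingerprintMatch set to False means a certificate carrying the expected serial number is trusted but is not the one exported from the FortiGate, which should be investigated before relying on SSL inspection.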



