iyotov
Staff
November 7, 2025

Technical Tip: How to Import Local CA Certificates for SSL/SSH inspection profiles via FortiManager

Description

This article describes how to import local CA certificates for SSL/SSH inspection profiles via FortiManager by creating and mapping a new Dynamic Local Certificate object.

 

Scope

FortiManager v7.4 and v7.6.

 

Solution

 

  1. Go to Policy & Objects -> Advanced -> Dynamic Local Certificates and select 'Create New'.
  2. In the Create New Dynamic Local Certificate menu, type a name.
  3. Expand the Per-Device Mapping table and select 'Create New'.
  4. In the Per-Device Mapping menu, select the FortiGate where the certificate should be imported.
  5. Leave the Local Certificate field blank, and select 'Import'.

  6. Import the certificate as either a .p12 file (PKCS#12) or as separate certificate and key files (Certificate). Since this is a local CA, both public and private keys are required to allow this CA to sign the temporary inspection certificates. In this example, a PKCS#12 file is used.

Note:

At this point the certificate has only been imported into the respective Device Database; it is not yet installed on the real FortiGate.

  7. Back in the Per-Device Mapping menu, under Local Certificate, select the certificate created in step 6, then select the OK button.

  8. Back in the Create New Dynamic Local Certificate menu, confirm that the mapping was created and select OK to save the object.

Note:

Because these certificates are individual to each FortiGate, a separate import and per-device mapping is needed for each managed FortiGate.

  9. Use this new Dynamic Certificate in an SSL/SSH Inspection Profile and install it to the managed FortiGate(s) as required.
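Step 6 depends on the bundle holding both the CA certificate and its private key. The following pre-import check is an added example, not part of the original article or of any Fortinet tooling; it assumes the `openssl` CLI is installed, and the function names, sample subjects and the password `demo` are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-import check of a local CA bundle. Names, subjects and the
# password "demo" are constructed; nothing here talks to FortiManager.

# check_ca_p12 FILE PASSWORD -> 0 if usable as a signing CA, else 2..5
check_ca_p12() {
    p12=$1; pw=$2
    # The key is decrypted into a shell variable only, never written to disk.
    key=$(openssl pkcs12 -in "$p12" -passin "pass:$pw" -nocerts -nodes 2>/dev/null) || {
        echo "FAIL: cannot open bundle (wrong password or not PKCS#12)"; return 2; }
    case $key in
        *"PRIVATE KEY"*) ;;
        *) echo "FAIL: bundle has no private key"; return 3 ;;
    esac
    # -clcerts selects the certificate that belongs to the key, not chain certs.
    crt=$(openssl pkcs12 -in "$p12" -passin "pass:$pw" -nokeys -clcerts 2>/dev/null)
    if ! printf '%s\n' "$crt" | openssl x509 -noout -text 2>/dev/null | grep -q 'CA:TRUE'; then
        echo "FAIL: certificate is not a CA (basicConstraints lacks CA:TRUE)"; return 4
    fi
    pub_crt=$(printf '%s\n' "$crt" | openssl x509 -noout -pubkey 2>/dev/null)
    pub_key=$(printf '%s\n' "$key" | openssl pkey -pubout 2>/dev/null)
    [ "$pub_crt" = "$pub_key" ] || { echo "FAIL: key does not match certificate"; return 5; }
    echo "OK: CA certificate with matching private key"
}

# make_sample DIR NAME TRUE|FALSE [nokey]: writes constructed DIR/NAME.p12
make_sample() {
    d=$1; n=$2
    printf '[req]\ndistinguished_name=dn\nprompt=no\nx509_extensions=ext\n' > "$d/$n.cnf"
    printf '[dn]\nCN=Constructed %s\n[ext]\nbasicConstraints=critical,CA:%s\n' "$n" "$3" >> "$d/$n.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/$n.cnf" \
        -keyout "$d/$n.key" -out "$d/$n.crt" 2>/dev/null
    if [ "${4:-}" = nokey ]; then
        openssl pkcs12 -export -nokeys -in "$d/$n.crt" -out "$d/$n.p12" -passout pass:demo
    else
        openssl pkcs12 -export -inkey "$d/$n.key" -in "$d/$n.crt" \
            -out "$d/$n.p12" -passout pass:demo
    fi
}

# Demo on three constructed bundles: a CA, a non-CA leaf, and a cert-only file.
tmp=$(mktemp -d)
make_sample "$tmp" ca TRUE
make_sample "$tmp" leaf FALSE
make_sample "$tmp" certonly TRUE nokey
for f in ca leaf certonly; do
    printf '%s.p12: ' "$f"
    check_ca_p12 "$tmp/$f.p12" demo || true
done
rm -rf "$tmp"
```

Only the first bundle passes; the other two are the cases that would import into the Device Database but leave the FortiGate unable to sign inspection certificates.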