osaleem2_10
Explorer III
October 27, 2025
Solved

EMS ZTNA Certificate


Hi,

I have a new deployment project for ZTNA.

We have a Local CA. We have generated a CSR from FortiGate and had it signed by the local CA to be imported into FortiGate. For EMS, I would like to know what I should do for the certificate, as there is no CSR option. Should I only import the local CA Root Certificate to the EMS server?

Kindly need help to understand the certificate required for EMS within the local CA and FortiGate.


AEK
SuperUser
October 27, 2025

Hi Saleem

Under Settings > EMS Server Certificates, you upload the certificate (with private key) for both EMS Web server and Endpoint Control. You generate the EMS cert with its private key on your CA. I usually set its CN to the EMS FQDN, and SAN to the EMS IP address (only if needed).

Under Endpoint Policy > CA Certificates, you upload your CA certificate of your Local CA.

Upload the CA certificate on FGT as well so it will trust EMS cert.

AEK
osaleem2_10
Explorer III
October 29, 2025

Thanks for your reply.

So, if I have a Local CA, I have to generate the Root Cert with Private key to EMS.

Just a note, is it mandatory to do this step before integrating EMS with FortiGate? I tried to do that, but got an error on FortiGate that the EMS cert is not recognized.

Thanks.

AEK
SuperUser
Answer
October 29, 2025

Yes, it should be done before integrating FGT with EMS. This is for good practice integration.

Nevertheless, if I remember well (but I'm not sure), there is a command (CLI) on FGT to force accept the EMS cert even if it is not trusted, but as you may think, this is not recommended for security.

AEK
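
Added example, not part of the thread or Fortinet's documentation: the certificate layout described in the answer above (an EMS server certificate issued with its private key by the local CA, CN set to the EMS FQDN, IP in the SAN), followed by the chain, name and key checks a relying party performs, which fail when it does not hold the issuing CA. The throwaway CA, the file names, the host values in the usage comment and the extra DNS entry in the SAN are assumptions for a lab run with OpenSSL.

```shell
# Minimal config so the commands do not depend on the system openssl.cnf.
write_cnf() {
  printf '[req]\ndistinguished_name=req\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\n' \
    > "$1/min.cnf"
}

# make_ca DIR NAME: throwaway self-signed CA standing in for the local CA (lab only).
make_ca() {
  write_cnf "$1"
  openssl req -x509 -config "$1/min.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
    -days 30 -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# issue_ems_cert DIR CA_NAME FQDN IP: EMS key + CSR, signed by the named CA.
# CN is the EMS FQDN; the SAN carries the IP plus a DNS entry (added assumption).
issue_ems_cert() {
  write_cnf "$1"
  openssl req -new -config "$1/min.cnf" -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/ems.key" -out "$1/ems.csr" 2>/dev/null || return 1
  printf 'subjectAltName=DNS:%s,IP:%s\n' "$3" "$4" > "$1/ems.ext"
  openssl x509 -req -in "$1/ems.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
    -CAcreateserial -days 30 -extfile "$1/ems.ext" -out "$1/ems.crt" 2>/dev/null
}

# check_ems_cert CA_CRT EMS_CRT EMS_KEY FQDN: returns 0 only if all three hold.
check_ems_cert() {
  # 1. Chain: the certificate must verify against the CA the verifier trusts.
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 ||
    { echo "chain: certificate not issued by the trusted CA"; return 1; }
  # 2. Name: the FQDN clients connect to must appear in the certificate.
  openssl x509 -in "$2" -noout -checkhost "$4" | grep -q 'does match' ||
    { echo "name: $4 is not covered by the certificate"; return 1; }
  # 3. Key: the private key being uploaded must belong to this certificate.
  [ "$(openssl x509 -in "$2" -noout -pubkey)" = \
    "$(openssl pkey -in "$3" -pubout 2>/dev/null)" ] ||
    { echo "key: private key does not match the certificate"; return 1; }
  echo "ok: chain, name and key all match"
}

# Usage with constructed lab values:
#   d=$(mktemp -d); make_ca "$d" lab-ca
#   issue_ems_cert "$d" lab-ca ems.example.internal 192.0.2.10
#   check_ems_cert "$d/lab-ca.crt" "$d/ems.crt" "$d/ems.key" ems.example.internal
```

In production the first argument to `check_ems_cert` is the real local CA certificate, the same file that is uploaded to the FortiGate and to EMS.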