drenigoln
New Member
December 27, 2022
Question

Is there a way to pass own CA/root certificate to FortiGate for DPI?


...per default there's the built-in root CA certificate on the FortiGate which is used for DPI, but can you issue your own root CA certificate for the FortiGate using an internal PKI? Haven't found any articles or options in the GUI to do that...

Thanks!

2 replies

mzainuddinahm
Staff & Editor
December 27, 2022

Hello drenigoln,

Yes, you can use your own certificate, but it needs to be a CA (Certificate Authority) certificate (i.e. one that is capable of signing another certificate). The CA certificate is used to re-sign the certificates end users see.

If you have a look at the Fortinet_CA_SSL cert details you will see it has "CA:TRUE". That's what you need for your own certificate.

KB: https://docs.fortinet.com/document/fortigate/5.6.0/cookbook/530183/getting-the-certificate-signed-by-a-ca

https://docs.fortinet.com/document/fortigate/5.6.0/cookbook/645186/generating-a-csr-on-a-fortigate

Best Regards,

Mohammed Ahmed

sw2090
SuperUser
December 27, 2022

In addition to Mohammed,

there are even two ways to do that:

you can either create a Certificate Request (CSR) in the FGT GUI and then sign that with your own CA, or you can import a certificate chain (including the private key) as a whole.
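
The CSR route in the replies only yields a usable DPI certificate if the signing step puts "CA:TRUE" on the issued certificate. The following is an added example, not code from the thread or from Fortinet: it signs the same CSR with and without CA extensions using OpenSSL and checks the flag. All subjects, file names and lifetimes are constructed, the keyUsage values are an assumption about PKI policy, and a locally generated CSR stands in for the one created on the FortiGate.

```shell
# Added example; every subject, file name and lifetime here is constructed.
# One config serves the throwaway root and the CA extensions for the DPI cert.
write_cnf() {
  cat > "$1/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = Example Internal Root
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
}

# Stand-ins for the internal PKI root and for the CSR generated on the FortiGate.
make_root_and_csr() {
  write_cnf "$1"
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -config "$1/pki.cnf" \
    -keyout "$1/root.key" -out "$1/root.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config "$1/pki.cnf" \
    -subj "/CN=Example FortiGate DPI CA" \
    -keyout "$1/fgt.key" -out "$1/fgt.csr" 2>/dev/null
}

# sign_csr DIR OUT [ca]: sign the CSR with the root; "ca" adds the CA extensions.
sign_csr() {
  dir=$1; out=$2
  if [ "${3:-}" = "ca" ]; then
    set -- -extfile "$dir/pki.cnf" -extensions ca_ext
  else
    set --
  fi
  openssl x509 -req -in "$dir/fgt.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
    -CAcreateserial -days 30 "$@" -out "$out" 2>/dev/null
}

# True only if the certificate carries basicConstraints CA:TRUE.
is_ca() { openssl x509 -in "$1" -noout -text | grep -q "CA:TRUE"; }

d=$(mktemp -d)
make_root_and_csr "$d"
sign_csr "$d" "$d/plain.crt"          # extensions omitted: not a CA
sign_csr "$d" "$d/dpi-ca.crt" ca      # CA:TRUE set by the signer
for c in plain.crt dpi-ca.crt; do
  if is_ca "$d/$c"; then echo "$c: CA:TRUE"; else echo "$c: no CA flag"; fi
done
openssl verify -CAfile "$d/root.crt" "$d/dpi-ca.crt"
```

Running the same `is_ca` check against the signed certificate before importing it catches a certificate that was issued from a server or client template instead of a subordinate-CA one.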