Skip to main content
Antoine
Antoine
New Member
November 3, 2020
Question

Subordinate CA certificate showed within local (end-entity), not within Fortinet CA certs

  • November 3, 2020
  • 1 reply
  • 5579 views

I have created a new certificate request for local certificates (using the GUI), using ECDSA p256 cryptographic parameters.

Then I signed it at my root CA with a template of subordinate CA (basic constraint cA:TRUE); and I imported the signed certificate back into the FG. Of course the certificate of the root CA is itself trusted by the FG.

However, the new certificate does not appear in the GUI along the "local CA certificates" as I would expect, rather along the other "certificates." Is it correct? or is it a simple GUI bug?

 

I do know that at the CLI level all those certificates are handled jointly, so I do not believe this could have a functional impact. Also I am able to correctly select the new (sub) CA for deep inspection, and it works flawlessly.

1 reply

boneyard
boneyard
Valued Contributor
November 20, 2020

which version, in 6.2 i have the sub CA listed under: Remote CA Certificate

Antoine
AntoineAuthor
New Member
November 23, 2020

As I marked as a tag, I was seeing that on 6.0 (actually 6.0.11). However it seems to me the same thing is occurring on 6.2.5 as well: the sub-CA certificate which the device has the key for appears as "Local certificate".

 

Did you generate the private key for the subordinate CA on your device (as opposed to importing the Sub-CA certificate, along with its key, into the Fortigate)?

 

Also, I agree Sub-CA certificates for which the device does NOT have the private key would appear as "Remote CA"/"External CA" certificates, as one can expect (which is what confuses me, done for ones but not others.)

boneyard
boneyard
Valued Contributor
February 7, 2021

yeah, sorry didnt notice the tag.

 

did some testing around this and you can make the argument it works ok, but you can also say it doesnt.

 

if you load a certificate with key it ends up at local.

 

if it is a the root CA it shows up at local CAs, if it is an intermediate / subordinate CA it ends up at certificates. doesnt seem to matter if a local key or imported key is used.

 

contact your Fortinet sales contact and request the sub CA category in the GUI

 

 

Terms & ConditionsAccessibility statement