Created on
05-01-2019
12:15 PM
Edited on
07-30-2025
05:31 AM
By
Anthony_E
Description
Scope
Solution
config log fortianalyzer setting
set server-cert-ca <CA Certificate> For ex: CA_Cert_1---> The same CA certificate that signed the FortiAnalyzer certificate
end
Signing the Certificate with an external CA:
The CSR needs to be signed with either the public CA or the private CA to generate the certificate. In this demo, FortiAuthenticator is used as the CA server:
In FortiAnalyzer, import the signed certificate:
The certificate status will change from Pending to OK once the certificate is uploaded correctly:
CLI Method to upload a new Custom Certificate:
Note:
Password is not required if the key is not encrypted:
Once the certificate has been imported, configure the use of the local certificate in the CLI and restart the OFTP daemon:
diagnose test application oftpd 99
exec log fortianalyzer test-connectivity
Alternative FortiAnalyzer configuration:
This alternative method explains how to use any previously imported Local Certificate for OFTP. Use the following CLI commands to change the certificate used on the OFTP port TCP/514:
config system certificate oftp
set mode local
set local "<LOCAL_CETRIFICATE_NAME>"
end
Note:
This option is often used to replace the embedded SHA1 certificate of the older FortiAnalyzer hardware platforms (for example, E-series), where the BIOS certificate is SHA1, but there is also a firmware updated SHA256 default local certificate, named 'Fortinet_Local'.
This certificate also contains the unit serial number in the CN field, which allows the FortiAnalyzer certificate verification to remain enabled on the FortiGate.
After changing this configuration, restart the 'oftpd' process for the changes to take effect:
diagnose test application oftpd 99
Or reboot the FortiAnalyzer.
Related documents:
Technical Tip: How to upload and set local certificate to be used in FortiManager/FortiAnalyzer
Technical Tip: Setup custom certificate for FGFM protocol
Technical Tip: Different application of local certificate for FortiManager/FortiAnalyzer
Technical Tip: How to configure FortiManager to use custom certificate for HA communication
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2025 Fortinet, Inc. All Rights Reserved.