Description
This article explains how to configure FortiAnalyzer to use an alternate server certificate for OFTP communication with a FortiGate.
By default FortiAnalyzer uses the local certificate issued by Fortinet CA called "Fortinet_Local".
Scope
The CA certificate used to generate the server certificate needs to be imported to all managed FortiGates so that it can validate the certificate presented by the FortiAnalyzer.
Both server certificate and private key in PEM format need to be imported to the FortiAnalyzer.
Solution
To change the server certificate used for OFTP:
- import the CA certificate to all managed FortiGates.
- import the server certificate and private key in PEM format to the FortiAnalyzer.
FortiGate side configuration:
Import CA certificate to all managed FortiGates: Figure below shows how to do this via GUI interface.
FortiAnalyzer side configuration:
Configure certificate for OFTP:
config system certificate oftp
set custom enable
set certificate " --" ---->> PEM format certificate.
set set private-key " -- " ---->> PEM format private key.
set set private-key " -- " ---->> PEM format private key.
password <> ---->> Password for encrypted 'private-key', unset for non-encrypted.
end
end
Note: Password is not required if key is not encrypted:
- Once the configuration is done, FortiAnalyzer will restart the OFTP communication with FortiGates.
- The hostname of the certificate should be the serial # of the FortiAnalyzer
Figure below is a sample of CSR:
Signing the Certificate with an external CA:
The CSR needs to be signed with either the public CA or the private CA to generate the certificate. In this demo, FortiAuthenticator is used as the CA server:
After signing the CSR, export and download the certificate generated:
In FortiAnalyzer, import the signed certificate:
The certificate status will change from Pending to OK once the certificate is uploaded correctly:
Once the certificate has been imported, configure the use of the local certificate in the CLI and restart the OFTP daemon:
config system certificate oftp
set mode local
set local "FAZ_SSL"
end
set mode local
set local "FAZ_SSL"
end
diag test app oftpd 99
In FortiGate, import the CA certificate if a private CA was used. In this case, the FortiAuthenticator CA certificate used to sign the CSR is imported:
Validate the connection status in the FortiGate:
To perform verification in the FortiGate CLI, run the following command:
exec log fortianalyzer test-connectivity
Alternative FortiAnalyzer configuration:
This alternative method explains how to use any previously imported Local Certificate for OFTP. Use the following CLI commands to change the certificate used on OFTP port TCP/514:
config system certificate oftp
set mode local
set local "<LOCAL_CETRIFICATE_NAME>"
end
Note:
This option is often used to replace the embedded SHA1 certificate of the older FortiAnalyzer hardware platforms (for example E-series), where the BIOS certificate is SHA1, but there is also a firmware updated SHA256 default local certificate, named 'Fortinet_Local'.
This certificate also contains the unit serial number in the CN field, which allows the FortiAnalyzer certificate verification to remain enabled on the FortiGate.
After changing this configuration, restart the 'oftpd' process for the changes to take effect:
diag test application oftpd 99
(Or reboot the FortiAnalyzer).
