Help
FortiClient
FortiClient proactively defends against advanced attacks. Its tight integration with the Security Fabric enables policy-based automation to contain threats and control outbreaks. FortiClient is compatible with Fabric-Ready partners to further strengthen enterprises’ security posture.
arleniscg
Staff
Staff

Created on ‎08-10-2023 07:10 AM

Article Id 268179

Technical Tip: Adding new SSL certificate to EMS Server and errors on the process

Description This article describes how to import a new SSL certificate on EMS Server on-Premise and how to solve the errors in the process.
Scope FortiClient.
Solution

It is possible to import a new SSL certificate on the EMS server in 2 ways.

 

Method 1

 

Take a snapshot and a Backup of the EMS server (in case of a rollback, it is necessary):

 

Capture1.PNG

 

Capture2.PNG

 

Option 1: On the GUI.

  1. Convert the CRT file to PEM:

openssl x509 -in cert.crt -out cert.pem

 

  1. Combine the PEM and KEY files into the PFX file:

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt

 

  1. Generate a password here.
  2. Add PFX and password to EMS:

Capture11.PNG

  

  1. Access EMS server with new SSL certificate imported.

Capture12.PNG

 

After performing this process, an error may appear featuring a URL similar to https://localhost:port/ with error ERR_CONNECTION_REFUSED (-102):

 

Capture3.PNG

 

  1. Validate the FortiClient Endpoint Management Server Apache Service is running.

 

Capture4.PNG

 

Capture5.PNG

 

  1. If it is not running, try to start or restart the Service.

 

Capture6.PNG

 

  1. If error code 1 shows afterwards...

 

Capture7.PNG

 

... Remove the IIS service, then restart the services through the command line as shown below and try the access to EMS server. 

 

Capture8.PNG

 

Capture9.PNG

 

Capture10.PNG

 

 

Option 2: Directly modify the paths of the ssl.crt and ssl.key. It will be required to separate the certificate and key. (OpenSSL can be used to extract the key and certificate.)

 

For the key:

 

openssl pkcs12 -in certfile.pfx -nocerts -nodes -out key.pem

 

For the certificate:

 

openssl pkcs12 -in certfile.pfx -clcerts -nokeys -out cert.pem

 

Replace the SSL certificate key file and SSL certificate file. Below is how the setup looks before the modification.

 

Capture13.PNG

 

  1. Replace the SSL certificate key file (go to C:\Program Files (x86)\Fortinet\FortiClientEMS\Apache24\conf\ssl.key\) and copy server.key to server.key.old.
  2. Replace the SSL certificate file (go to C:\Program Files (x86)\Fortinet\FortiClientEMS\Apache24\conf\ssl.crt\) and copy server.crt to server.crt.old.
  3. Modify accordingly to point to the new cert and key (C:\Program Files (x86)\Fortinet\FortiClientEMS\Apache24\conf\apache_django_wsgi.conf).
  4. Reboot the EMS server.
  5. Access the EMS server with the new SSL certificate imported.
2545
Submit Article Idea
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.