bvagadia
Staff
Article Id 203882
Description This article describes the steps to follow to avoid certificate errors when accessing FortiGate.
Scope FortiOS
Solution

The certificate warning can be avoided with the procedure below only for HTTP to HTTPS redirection authentication traffic. For this, you can use the same *.example.com wildcard certificate that you already have in your Local Certificate store. This example follows all the steps required to create and install a local certificate on the FortiGate unit, without using CA software.
To generate a certificate request on the FortiGate unit - web-based manager
1. Go to System > Certificates > Local Certificates.
2. Select Generate.
3. In the Certificate Name field, enter FGT.
Note:
Do not include spaces in the certificate name. This ensures that the signed certificate remains compatible if it is later exported as a PKCS12 file.
Since the IP address is private, we will use the FQDN instead.
4. Select Domain Name, and enter fgt.example.com.
5. Enter values in the Optional Information area to further identify the FortiGate unit.
Organization Unit - Support
Organization - Example.com
Locality (City) - Bangalore
State/Province - Karnataka
Country - INDIA
E-mail - fgt@example.com
6. From the Key Size list, select 2048 Bit or the most secure option available to you.
7. In the Enrollment Method, select File-Based to generate the certificate request.
8. Select OK.
The request is generated and displayed in the Local Certificates list with a status of PENDING.
9. Select the Download button to download the request to the management computer.
10. In the File Download dialog box, select Save and save the Certificate Signing Request on the local file system of the management computer.
11. Name the file and save it on the local file system of the management computer.

Import the SSL certificate into FortiOS
To import the certificate to FortiOS - web-based manager
1. Go to System > Certificates > Local Certificates.
2. Select Import > Local Certificate and choose the certificate file.
3. Select OK.

On PC Browser
Add the CA certificate to the browser.
When you access FortiGate over HTTPS using the domain name (https://fgt.example.com), users get the login prompt without a certificate error.
You can avoid the certificate warning using the procedure above only for HTTP to HTTPS redirection authentication traffic. For this, you can use the same *.example.com wildcard certificate that you have in your Local Certificate store.
When identity-based authentication is enabled and users access HTTPS sites, FortiGate redirects them to https://fgt.example.com:1003 without a certificate warning.
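
The name check that decides whether the URLs above load without a warning, as an added Python example (not Fortinet code; the function names and the sample private IP address are constructed for illustration). It assumes simplified browser matching rules: a wildcard is honoured only as the whole leftmost label and stands for exactly one label, and a DNS name in the certificate never matches an IP literal.

```python
import ipaddress
from urllib.parse import urlsplit


def _is_ip_literal(host):
    """True if host is an IPv4/IPv6 address rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def dns_name_matches(pattern, host):
    """Return True if one certificate DNS name (e.g. a SAN entry) covers host."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if _is_ip_literal(host):
        return False  # access by IP is not covered by a DNS name
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if len(p_labels) != len(h_labels):
        return False  # "*" stands for exactly one label, never zero or two
    if p_labels[0] == "*":
        # Wildcard only as the complete leftmost label; the rest must be equal.
        return bool(h_labels[0]) and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def covers_url(url, cert_dns_names):
    """Return True if any DNS name in the certificate covers the URL's host.

    The port (such as :1003 on the authentication redirect) is ignored,
    because name matching looks at the host only.
    """
    host = urlsplit(url).hostname or ""
    return any(dns_name_matches(name, host) for name in cert_dns_names)


if __name__ == "__main__":
    wildcard = ["*.example.com"]  # the wildcard certificate from the article
    for url in ("https://fgt.example.com",
                "https://fgt.example.com:1003",
                "https://example.com",
                "https://192.168.1.99"):  # constructed private address
        print(url, "->", "ok" if covers_url(url, wildcard) else "warning")
```
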
