Description
Starting FortiOS version 7.0.2, the certificate wizard helps to generate local certificates using the self-signed Fortinet_CA_SSL CA certificate.
Scope
This helps to fix the certificate errors for HTTPS or GUI access to FortiGate or for the SSL-VPN portal.
Note.
FortiGate can generate a certificate using our self-signed CA: Fortinet_CA_SSL.
Using a server certificate from a trusted CA is strongly recommended.
Solution
Below are the steps to generate the certificate and call it under system settings for HTTPS setting:
Go to: System -> Certificates -> Create/Import -> Certificate.
Under the 'Generate New Certificate' and select 'Generate Certificate'.
Certificate authority: Fortinet_CA_SSL (pre-populated)
Certtificate name : mycert (can be of your choice)
Common name : 10.40.19.77 (The common name should match the FQDN or IP of the interface)
SAN : 10.40.19.77
To avoid certificate warnings on the end user machine, must download Fortinet_CA_SSL CA certificate and install it on end user machine.
Select 'Create', then it will be possible to find the certificate 'mycert' under the 'local certificate'.
It is possible to call this cert 'mycert' under System -> Settings -> Administration Settings -> HTTPS server certificate.
And download the Fortinet_CA_SSL CA certificate and install it on the user machine’s certificate store and browser as Trusted Root CA.
Now if the user tries to access the Fortigate, 'Not secure' certificate error should not appear.
