FortiManager
alebay
Staff
Article Id 196202

Description

This article describes how to import a CA certificate for SSL/SSH inspection on FortiGates managed by a FortiManager.

Scope

FortiManager.

Solution

The following steps add a CA certificate and its private key to FortiManager and install them on the managed FortiGate together with the SSL/SSH inspection profile and firewall policy that reference them.

 
  1. Add the CA certificate and CA private key.

Navigate to Device Manager -> CLI Only Objects -> VPN -> Certificate -> Local.

Once this is done, the certificate can be selected for SSL/SSH inspection.

Treat this private key as a high-value secret: every certificate it signs is accepted by each client that trusts the CA, and the install log in Step 5 shows the key being pushed to the FortiGate as part of the CLI configuration. Restrict who can read the ADOM and the install logs.

After this step, the config status under Device Manager changes to 'Modified'. This can be ignored: it returns to 'Synchronized' once all of the steps in this article are completed. To install only the certificate for later use, run Install Device Settings now; otherwise proceed to Step 2.
 
  2. Next, create a Dynamic Object mapping.

Navigate to Policy & Objects -> Object Configurations -> Dynamic Object -> Local Certificate -> Create New.
In the per-device mapping, select the device to which the CA certificate was imported under Device Manager, select the certificate, then select OK.

The certificate added under Device Manager appears in this drop-down list only if the ADOM version matches the FortiOS version running on the device.
For example, a FortiGate running v5.4 must be in a v5.4 ADOM; if the versions do not match, the certificate is not listed.
 
  3. Create a new SSL/SSH inspection profile (or edit an existing one) and select the dynamic local certificate object created in Step 2 as its CA certificate.

  4. Use the SSL/SSH inspection profile in a firewall policy and install the policy package on the FortiGate.

This installs the certificate together with the objects that reference it: the SSL/SSH inspection profile that names it as CA and the firewall policy that uses the profile.
 
  5. Note the following installation log information:

Starting log (Run on device):

Start installing:

config vpn certificate local          <----- First, the CA certificate is installed.
(local) $ edit "Fmg-cert-test"
new entry 'Fmg-cert-test' added
(Fmg-cert-test) $  set private-key "-----BEGIN RSA PRIVATE KEY-----
(Fmg-cert-test) $  ...
(Fmg-cert-test) $  -----END RSA PRIVATE KEY-----
(Fmg-cert-test) $  "
(Fmg-cert-test) $  set certificate "-----BEGIN CERTIFICATE-----
(Fmg-cert-test) $  ...
(Fmg-cert-test) $  -----END CERTIFICATE-----
(Fmg-cert-test) $  "
(Fmg-cert-test) $  set range global
(Fmg-cert-test) $  next
(local) $  end

(ftps) $  end
(FMG-cert-test-prof) $  config imaps
(imaps) $  set ports 993
(imaps) $  end
(FMG-cert-test-prof) $  config pop3s
(pop3s) $  set ports 995
(pops3) $  end
(FMG-cert-test-prof) $  config smtps
(smtps) $  set ports 465
(smtps) $  end
(FMG-cert-test-prof) $  config ssh
(ssh) $  set ports 22
(ssh) $  end
(FMG-cert-test-prof) $  set caname "Fmg-cert-test"      <----- Then the SSL/SSH inspection profile references the certificate just installed.
(FMG-cert-test-prof) $  next
(ssl-ssh-profile) $  end
$  config firewall policy          <----- Finally, the SSL/SSH inspection profile is used in the policy.
(policy) $  edit 19
(19) $  set ssl-ssh-profile "FMG-cert-test-prof"
(19) $  next
(policy) $  end

---> generating verification report
<--- done generating verification report

install finished
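To confirm from a saved install log that FortiManager pushed the whole chain shown above (the certificate under vpn certificate local, the profile that names it with set caname, and the policy that uses the profile), here is an added example; it is not part of the article and not a Fortinet tool. The script parses the log by its "(context) $ command" prompts and reports any policy whose profile does not resolve to a CA pushed in that install, and it flags that the log carries PEM private-key material. The sample log is constructed to mirror the article's log; the "config firewall ssl-ssh-profile" and "edit "FMG-cert-test-prof"" lines are assumed, since the quoted log starts mid-profile. The failure case drops the certificate section to show what a broken chain looks like.

```python
"""Check a FortiManager install log for the SSL/SSH inspection dependency chain:
CA under 'config vpn certificate local' -> profile 'set caname' -> policy 'set ssl-ssh-profile'."""
import re
from dataclasses import dataclass, field

# Prompt lines look like '(ctx) $  cmd', or '$  cmd' at the top level.
PROMPT_RE = re.compile(r'^(?:\((?P<ctx>[^)]*)\)\s*)?\$\s+(?P<cmd>.*)$')
QUOTED_RE = re.compile(r'"([^"]*)"')
PRIVKEY_RE = re.compile(r'-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----')

# Constructed sample modelled on the install log quoted in the article. The
# 'config firewall ssl-ssh-profile' and 'edit "FMG-cert-test-prof"' lines are
# assumed (the quoted log starts mid-profile); key/cert bodies are elided as there.
SAMPLE_LOG = """\
Starting log (Run on device):
Start installing:
config vpn certificate local
(local) $ edit "Fmg-cert-test"
new entry 'Fmg-cert-test' added
(Fmg-cert-test) $  set private-key "-----BEGIN RSA PRIVATE KEY-----
(Fmg-cert-test) $  ...
(Fmg-cert-test) $  -----END RSA PRIVATE KEY-----
(Fmg-cert-test) $  "
(Fmg-cert-test) $  set certificate "-----BEGIN CERTIFICATE-----
(Fmg-cert-test) $  ...
(Fmg-cert-test) $  -----END CERTIFICATE-----
(Fmg-cert-test) $  "
(Fmg-cert-test) $  set range global
(Fmg-cert-test) $  next
(local) $  end
config firewall ssl-ssh-profile
(ssl-ssh-profile) $  edit "FMG-cert-test-prof"
(FMG-cert-test-prof) $  config ssh
(ssh) $  set ports 22
(ssh) $  end
(FMG-cert-test-prof) $  set caname "Fmg-cert-test"
(FMG-cert-test-prof) $  next
(ssl-ssh-profile) $  end
$  config firewall policy
(policy) $  edit 19
(19) $  set ssl-ssh-profile "FMG-cert-test-prof"
(19) $  next
(policy) $  end
install finished
"""

# Constructed failure case: the same install without the certificate section,
# e.g. the CA was imported on a different device in the ADOM.
BROKEN_LOG = SAMPLE_LOG[SAMPLE_LOG.index("config firewall ssl-ssh-profile"):]


@dataclass
class InstallSummary:
    certificates: set = field(default_factory=set)      # names pushed under vpn certificate local
    profile_ca: dict = field(default_factory=dict)      # ssl-ssh-profile name -> caname
    policy_profile: dict = field(default_factory=dict)  # policy id -> ssl-ssh-profile name
    private_key_in_log: bool = False                    # a PEM private-key block appears in the log


def _arg(cmd: str) -> str:
    """First quoted argument, or the last token for unquoted ids such as 'edit 19'."""
    m = QUOTED_RE.search(cmd)
    return m.group(1) if m else cmd.split()[-1]


def parse_install_log(text: str) -> InstallSummary:
    s = InstallSummary()
    section = None    # last top-level 'config <table>' seen
    policy_id = None  # current 'edit <id>' under config firewall policy
    for raw in text.splitlines():
        line = raw.strip()
        if PRIVKEY_RE.search(line):
            s.private_key_in_log = True
        m = PROMPT_RE.match(line)
        ctx, cmd = (m.group('ctx'), m.group('cmd')) if m else (None, line)
        cmd = cmd.split('<-----', 1)[0].strip()   # drop trailing annotations like the article's
        if cmd.startswith('config ') and not ctx:
            section = cmd[len('config '):]
        elif section == 'vpn certificate local' and ctx == 'local' and cmd.startswith('edit '):
            s.certificates.add(_arg(cmd))
        elif ctx and cmd.startswith('set caname '):
            s.profile_ca[ctx] = _arg(cmd)
        elif section == 'firewall policy' and ctx == 'policy' and cmd.startswith('edit '):
            policy_id = _arg(cmd)
        elif policy_id and ctx == policy_id and cmd.startswith('set ssl-ssh-profile '):
            s.policy_profile[policy_id] = _arg(cmd)
    return s


def check_chain(s: InstallSummary) -> list:
    """Problems for every policy whose profile does not resolve to a CA pushed in this install."""
    problems = []
    for pol, prof in sorted(s.policy_profile.items()):
        ca = s.profile_ca.get(prof)
        if ca is None:
            problems.append(f"policy {pol}: profile {prof!r} was pushed without 'set caname'")
        elif ca not in s.certificates:
            problems.append(f"policy {pol}: profile {prof!r} names CA {ca!r}, "
                            "not pushed under vpn certificate local")
    return problems


if __name__ == "__main__":
    for name, log in (("full install", SAMPLE_LOG), ("missing CA", BROKEN_LOG)):
        summary = parse_install_log(log)
        print(name, "->", check_chain(summary) or "chain complete",
              "| private key in log:", summary.private_key_in_log)
```

Run it against a single install log that pushes everything at once, as in this article. A CA pushed in an earlier Install Device Settings run does not reappear in a later install, so the check would report it as missing; in that case confirm the name with "show vpn certificate local" on the FortiGate. When private_key_in_log is true, handle the log file with the same care as the key itself.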

 

Related article:

Technical Tip: How to manage Local certificates from FortiManager and use in SSL/SSH inspection prof...