FortiManager supports network operations use cases for centralized management, best practices compliance, and workflow automation to provide better protection against breaches.
This article describes how to import a CA certificate for SSH/SSL inspection on FortiGates managed by a FortiManager.

Here is a step by step guide on how to add and install a CA certificate on FortiManager.

1. Add the CA certificate and CA private Key under Device manager > CLI only objects > VPN > Certificate > Local.


Once this is done, it will be available for the certificate to be used in SSL/SSH inspections. 

After this step, config status under device manager is changed to modified. Can be ignored as this will be back into synchronized status after following all the steps. If the administrator wishes to just install the certificate for later use, proceed with install device settings . Else proceed to Step 2.

2. Next step would be to create a Dynamic Object mapping under Policy & Objects > Object Configurations > Dynamic Object > Local Certificate > Create new, in the 
per device mapping select the device (to which the CA certificate was imported under device manager) and Certificate and click on OK.


Added certificate under device manager will appear here in the drop down list only if the ADOM version is matching the OS version running on the device. 
For example: FortiGate running v5.4 should be added on ADOM version v5.4 or if there is a mismatch the certificate will not show up in this list.

3. Once this is done, create a New (or edit an existing) SSL/SSH inspection profile selecting the CA certificate which was just created in Step2.


4. Use the SSH/SSL inspection profile in the policy and install it on the FortiGate. This will have the certificate and its references like the SSH/SSL inspection profile and policy in which used the SSL/SSH inspection profile installed on the FortiGate.


5. Below successful installation log can be referenced.

Starting log (Run on device)

Start installing

config vpn certificate local           >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> First step , CA certificate is installed.               
CA certificate is installed.
(local) $ edit "Fmg-cert-test"
new entry 'Fmg-cert-test' added
(Fmg-cert-test) $  set private-key "-----BEGIN RSA PRIVATE KEY-----
(Fmg-cert-test) $  ...
(Fmg-cert-test) $  -----END RSA PRIVATE KEY-----
(Fmg-cert-test) $  "
(Fmg-cert-test) $  set certificate "-----BEGIN CERTIFICATE-----
(Fmg-cert-test) $  ...
(Fmg-cert-test) $  -----END CERTIFICATE-----
(Fmg-cert-test) $  "
(Fmg-cert-test) $  set range global
(Fmg-cert-test) $  next
(local) $  end
(ftps) $  end
(FMG-cert-test-prof) $  config imaps
(imaps) $  set ports 993
(imaps) $  end
(FMG-cert-test-prof) $  config pop3s
(pop3s) $  set ports 995
(pop3s) $  end
(FMG-cert-test-prof) $  config smtps
(smtps) $  set ports 465
(smtps) $  end
(FMG-cert-test-prof) $  config ssh
(ssh) $  set ports 22
(ssh) $  end

(FMG-cert-test-prof) $  set caname "Fmg-cert-test"      >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Certificate which was just installed
(FMG-cert-test-prof) $  next
(ssl-ssh-profile) $  end
$  config firewall policy       >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Finally , ssl/ssh profile is used in the policy.
(policy) $  edit 19
(19) $  set ssl-ssh-profile "FMG-cert-test-prof"
(19) $  next
(policy) $  end

---> generating verification report
<--- done generating verification report

install finished

Related Articles

Technical Note: How to manage Local certificates from FortiManager and use in SSL/SSH inspection pro...