Description
This article describes how to import local certificates under FortiManager. FortiManager can create local certificates and import CA certificates, but it has no option to import a local certificate. To create a local certificate, refer to this cookbook.
Scope
FortiManager.
Solution
- Import the local certificate directly onto the FortiGate: go to System -> Certificates, select Import, select the certificate, and select 'OK'. This will cause the FortiGate and FortiManager to go out of synchronization.
- To bring them back into sync, retrieve the running config of the FortiGate after the local certificate has been imported onto it. To retrieve the config manually, go to System -> select the device -> Dashboard -> Configuration and Installation Status -> Revision History (icon on the right of Total Revisions) and select 'Retrieve Config'. This retrieves the running config from the FortiGate, after which the status should show as synchronized.
- Create a dynamic object and mapping, with a name, under Policy & Object -> Object Configuration -> Dynamic Objects -> Local Certificates. When creating the dynamic mapping, it is important to select the correct device on which the certificate was imported. If the local certificate does not show up in the GUI, go to Tools -> Display Options -> Check all and select 'OK'.
- Under Object Configurations -> Security profiles -> SSL/SSH Inspection, edit the SSL/SSH profile: under SSL inspection options -> CA certificate, select the created certificate. Once added, select 'OK'.
- Once the above steps have been completed, use the same SSL/SSH inspection profile and push it to the FortiGates to see the local certificate imported.
Related article:
Technical Tip: How to upload and set local certificate to be used in FortiManager/FortiAnalyzer