Description
This article describes how to import local CA certificates for SSL/SSH inspection profiles via FortiManager by creating and mapping a new Dynamic Local Certificate object.
Scope
FortiManager v7.4 and v7.6.
Solution
- Go to Policy & Objects -> Advanced -> Dynamic Local Certificates and select 'Create New'.

- In the Create New Dynamic Local Certificate menu, type a name.
- Expand the Per-Device Mapping table and select 'Create New'.
- In the Per-Device Mapping menu, select the FortiGate where the certificate should be imported.
- Leave the Local Certificate field blank, and select 'Import'.

- Import the certificate as either a .p12 file (PKCS#12) or as separate certificate and key files (Certificate). Since this is a local CA, both public and private keys are required to allow this CA to sign the temporary inspection certificates. In this example, a PKCS#12 file is used:
Note:
At this stage, the certificate has only been imported into the respective Device Database; it is not yet installed on the real FortiGate.
- Back in the Per-Device Mapping menu, under Local Certificate, select the certificate created in step 6, then select the OK button.

- Back in the Create New Dynamic Local Certificate menu, confirm that the mapping was created and select OK to save the object.

Note:
Since these certificates are individual to each FortiGate, a separate import and per-device mapping is needed for each managed FortiGate.
- Use this new Dynamic Certificate in an SSL/SSH Inspection Profile and install it to the managed FortiGate(s) as required.
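
A pre-import check for the files named in the import step, as an added example that is not part of the original article or of any Fortinet tooling: it confirms that a private key is present, that the certificate is marked CA:TRUE, and that the key matches the certificate. It assumes OpenSSL is available on the administrator's workstation and that a separately supplied key file is unencrypted; the function names and the P12_PASS environment variable are hypothetical.

```shell
#!/bin/sh
# Pre-import sanity check for a local CA intended for SSL/SSH inspection.
# Return codes: 0 ok, 1 unreadable file or wrong password, 2 no private key,
#               3 certificate is not a CA, 4 private key does not match.

# check_ca_pair CERT_PEM KEY_PEM   (the separate certificate and key import type)
check_ca_pair() {
    cert=$1
    key=$2
    # Without the private key the CA cannot sign anything.
    grep -q 'PRIVATE KEY' "$key" 2>/dev/null || return 2
    # Only a certificate with basicConstraints CA:TRUE can issue the
    # temporary inspection certificates.
    openssl x509 -in "$cert" -noout -text 2>/dev/null | grep -q 'CA:TRUE' || return 3
    # The public key derived from the private key must equal the one
    # embedded in the certificate.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ] || return 4
    return 0
}

# check_ca_p12 FILE   (the PKCS#12 import type)
# The password is read from the environment variable P12_PASS so that it
# does not appear in the process list.
check_ca_p12() {
    tmp=$(mktemp -d) || return 1   # mktemp -d creates the directory with mode 0700
    rc=0
    openssl pkcs12 -in "$1" -nokeys -passin env:P12_PASS \
        > "$tmp/cert.pem" 2>/dev/null || rc=1
    if [ "$rc" -eq 0 ]; then
        # The key is written unencrypted, inside the private temp directory only.
        openssl pkcs12 -in "$1" -nocerts -nodes -passin env:P12_PASS \
            > "$tmp/key.pem" 2>/dev/null || :
        check_ca_pair "$tmp/cert.pem" "$tmp/key.pem" || rc=$?
    fi
    rm -rf "$tmp"                  # remove the extracted key material
    return "$rc"
}
```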
