FortiManager allows the use of an intermediate certificate during the establishment of an FGFM tunnel between itself and a FortiGate device:
- Install local certificates on both FortiManager and FortiGate, and intermediate and root CA certificates so that both sides can verify each other's local certificates.
Local certificate, intermediate and root CA certificates have been imported in FortiManager.
Local certificate, intermediate and root CA certificates have been imported in FortiGate.
- Make the necessary configurations on FortiManager and FortiGate CLI so that the correct certificates are used during the FGFM communication.
On FortiManager:
config system global
    set fgfm-local-cert <local FMG cert>
    set fgfm-ca-cert <intermediate cert>
end
On FortiGate:
config system central-management
    set local-cert <local FGT cert>
    set ca-cert <intermediate cert>
end
As FGFM communication can be initiated from either side (FortiGate or FortiManager), it is usually advisable to install the root CA certificate on both sides. Each side first validates the intermediate CA certificate that signed its local certificate by searching its store for the root CA certificate that signed the intermediate CA certificate.
The following FortiGate debug shows how the process is initialized:
FGFMs: Installed local cert /etc/cert/local/root_fgt_cert.cer, subject: /C=MY/O=pengy_fgt/CN=pengy fgt, issuer: /C=MY/O=Pengy Sdn Bhd/CN=pengy-fgt.com
FGFMs: > There are totally 1 CAs, store: 0x7fb82b6670a0
FGFMs: > CA <0>: subject <support>, issuer <support>
FGFMs: + Added ca pengy-fgt.com/pengy.com from file to store
FGFMs: + Added ca pengy.com/pengy.com from file to store    <-- root CA certificate is loaded in memory
FGFMs: ++ Loaded ca from file CA_Cert_2
FGFMs: Loaded CAs to store
FGFMs: > There are totally 2 CAs, store: 0x7fb82b6671e0
FGFMs: > CA <0>: subject <pengy-fgt.com>, issuer <pengy.com>
FGFMs: > CA <1>: subject <pengy.com>, issuer <pengy.com>
If the root CA certificate is not installed on FortiGate, the FGFM initialization fails:
FGFMs: Installed local cert /etc/cert/local/root_fgt_cert.cer, subject: /C=MY/O=pengy_fgt/CN=pengy fgt, issuer: /C=MY/O=Pengy Sdn Bhd/CN=pengy-fgt.com
FGFMs: > There are totally 1 CAs, store: 0x7fb82b6670a0
FGFMs: > CA <0>: subject <support>, issuer <support>
FGFMs: X509_verify_cert ca CA_Cert_2 failed, error: unable to get local issuer certificate!
FGFMs: Failed to add CAs to store
FGFMs: failed to load CAs
The same process occurs on FortiManager:
FGFMs: __load_all_ca_chain: cache root-cert.cer
FGFMs: __load_all_ca_chain: cache intermediate-cert.cer
FGFMs: __load_all_ca_chain: cache Fortinet_CA.cer
FGFMs: __load_all_ca_chain: cache Fortinet_CA2.cer
FGFMs: __load_all_ca_chain: cache Fortinet_SUBCA.cer
FGFMs: Loaded ca /etc/cert/ca/Fortinet_CA.cer
FGFMs: Loaded ca /etc/cert/ca/Fortinet_SUBCA.cer
FGFMs: Loaded ca /etc/cert/ca/Fortinet_CA2.cer
FGFMs: Loaded ca /etc/cert/ca/intermediate-cert.cer
FGFMs: __load_ca: load CA pengy-fgt.com/pengy.com
FGFMs: Loaded ca /etc/cert/ca/root-cert.cer
FGFMs: > added an additional CA /etc/cert/ca/root-cert.cer just now
FGFMs: ssl_load_ca: load 5 CAs
FortiManager will not be able to initialize FGFM communication if the root CA certificate cannot be found and loaded into memory; note that the intermediate CA is skipped entirely when its root is absent:
FGFMs: __load_all_ca_chain: cache intermediate-cert.cer
FGFMs: __load_all_ca_chain: cache Fortinet_CA.cer
FGFMs: __load_all_ca_chain: cache Fortinet_CA2.cer
FGFMs: __load_all_ca_chain: cache Fortinet_SUBCA.cer
FGFMs: Loaded ca /etc/cert/ca/Fortinet_CA.cer
FGFMs: Loaded ca /etc/cert/ca/Fortinet_SUBCA.cer
FGFMs: Loaded ca /etc/cert/ca/Fortinet_CA2.cer
FGFMs: ssl_load_ca: a root CA is not found for pengy-fgt.com[pengy.com], skip it
FGFMs: ssl_load_ca: load 3 CAs
When the root CA is missing from the side that verifies the peer, the TLS handshake itself fails: the issuer names match, but the chain ends in a self-signed certificate that is not trusted, and the connection is torn down with an "unknown CA" alert:
FGFMs: Root issuer matched, local=remote=pengy-fgt.com
FGFMs: ssl_proto.c,642: TLSv1.3 SSLv3/TLS write certificate
FGFMs: ssl_proto.c,642: TLSv1.3 TLSv1.3 write server certificate verify
FGFMs: ssl_proto.c,642: TLSv1.3 SSLv3/TLS write finished
FGFMs: ssl_proto.c,642: TLSv1.3 TLSv1.3 early data
FGFMs: ssl_proto.c,642: TLSv1.3 TLSv1.3 early data
FGFMs: - Cert verification error: self-signed certificate in certificate chain
FGFMs: - Remote issuer: pengy.com
FGFMs: ssl_proto.c,744: TLSv1.3 write fatal alert: unknown CA
FGFMs: ssl_proto.c,759: TLSv1.3 error
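The two failures above can be reproduced with plain openssl before any certificate is imported. The following script is an added example, not part of the Fortinet article: it builds a constructed root -> intermediate -> device chain (all names and files are made up) and checks which trust-store contents let the device certificate verify, returning the OpenSSL X509_V_ERR number behind each FGFM debug message.

```shell
#!/bin/sh
# Added example (not Fortinet's code). Constructed demo chain: root -> intermediate
# -> device cert. Only the files passed via -CAfile are added to the trust store;
# the system CA store is left untouched and does not contain the demo root.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
KEYOPTS="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"
printf 'basicConstraints=critical,CA:TRUE\n'  > ca.ext
printf 'basicConstraints=critical,CA:FALSE\n' > leaf.ext

# Self-signed root CA
openssl req -new $KEYOPTS -keyout root.key -out root.csr -subj "/C=MY/O=Demo/CN=demo-root" 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 365 -extfile ca.ext -out root.pem 2>/dev/null
# Intermediate CA signed by the root
openssl req -new $KEYOPTS -keyout inter.key -out inter.csr -subj "/C=MY/O=Demo/CN=demo-intermediate" 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial -days 365 -extfile ca.ext -out inter.pem 2>/dev/null
# Device ("local") certificate signed by the intermediate
openssl req -new $KEYOPTS -keyout leaf.key -out leaf.csr -subj "/C=MY/O=Demo/CN=demo-fgt" 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial -days 365 -extfile leaf.ext -out leaf.pem 2>/dev/null
cat inter.pem root.pem > chain.pem   # what a peer sends when it includes its own root

# x509_check CERT ANCHORS UNTRUSTED: verify CERT with ANCHORS added to the trust
# store ("none" = nothing added) and UNTRUSTED as chain certs ("none" = no chain).
# Prints 0 on success, otherwise the X509_V_ERR number of the first verify error.
x509_check() {
  opts=""
  [ "$2" = none ] || opts="$opts -CAfile $2"
  [ "$3" = none ] || opts="$opts -untrusted $3"
  if out=$(openssl verify $opts "$1" 2>&1); then
    echo 0
  else
    echo "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
  fi
}

# 1) Root CA in the store: the chain closes at a trusted self-signed root -> 0 (OK)
echo "root in store:           $(x509_check leaf.pem root.pem inter.pem)"
# 2) Root CA missing while the intermediate itself is verified, as FortiGate does
#    when loading CAs -> 20, "unable to get local issuer certificate"
echo "intermediate, no root:   $(x509_check inter.pem none none)"
# 3) Peer presents intermediate + root but the root is not trusted locally
#    -> 19, "self-signed certificate in certificate chain" (the unknown CA alert)
echo "full chain, root absent: $(x509_check leaf.pem none chain.pem)"
```

Run the same `openssl verify -CAfile <root> -untrusted <intermediate> <local cert>` check against the real files before importing them; a result other than OK means the FGFM tunnel will fail in the same way.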
Related articles:
Technical Tip: Setup custom certificate for FGFM protocol