bksol92 (Staff)
Article Id 323212
Description This article describes how to configure intermediate certificates for use in the FGFM protocol between FortiManager and FortiGate.
Scope All supported versions of FortiManager and FortiGate.
Solution

FortiManager allows the use of an intermediate certificate during the establishment of an FGFM tunnel between itself and a FortiGate device:

  1. Install local certificates on both FortiManager and FortiGate, along with the intermediate and root CA certificates, so that both sides can verify each other's local certificates.

Local certificate, intermediate and root CA certificates have been imported in FortiManager.

Local certificate, intermediate and root CA certificates have been imported in FortiGate.

  2. Make the necessary configurations on the FortiManager and FortiGate CLI so that the correct certificates are used during FGFM communication.

     On FortiManager:

     config system global
         set fgfm-local-cert <local FMG cert>
         set fgfm-ca-cert <intermediate cert>
     end

     On FortiGate:

     config system central-management
         set local-cert <local FGT cert>
         set ca-cert <intermediate cert>
     end


As FGFM communication can be initiated from either side (FortiGate or FortiManager), it is usually advisable to install the root CA certificate on both sides. Each side first validates the intermediate CA certificate that signed the local certificate by searching its CA store for the root CA certificate that signed that intermediate CA certificate; if the root cannot be found, the chain cannot be completed.
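The chain walk described above can be checked before any certificate is imported. The script below is an added example, not part of this article and not a Fortinet tool; it assumes a POSIX shell with the openssl command line available. It generates a throwaway root CA, intermediate CA and FortiGate-style local certificate (the subject names mirror the article's debug output, but every certificate here is constructed locally), then verifies the local certificate with the root CA in the trust store, with only an unrelated CA in the store, and with only the intermediate in the store. The second case produces the same "unable to get local issuer certificate" error that the FortiGate debug in this article shows.

```shell
#!/bin/sh
# Added example, not from the article: build a throwaway
# root -> intermediate -> FortiGate-style leaf chain with openssl and verify it
# the way the FGFM peer must, with and without the root CA in the trust store.
# Names (pengy.com, pengy-fgt.com, support) mirror the article's debug output,
# but every certificate is constructed here and is valid for 2 days only.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal openssl config so the example does not depend on the system openssl.cnf
cat > pki.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = ca_ext
[ dn ]
[ ca_ext ]
basicConstraints       = critical,CA:TRUE
keyUsage               = critical,keyCertSign,cRLSign
subjectKeyIdentifier   = hash
[ leaf_ext ]
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature,keyEncipherment
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
EOF

# make_ca NAME SUBJECT : self-signed CA (subject == issuer), i.e. a trust anchor
make_ca() {
  openssl req -x509 -config pki.cnf -newkey rsa:2048 -nodes -sha256 -days 2 \
    -subj "$2" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# issue NAME SUBJECT ISSUER EXTSECTION : CSR signed by ISSUER's key
issue() {
  openssl req -new -config pki.cnf -newkey rsa:2048 -nodes -sha256 \
    -subj "$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
    -days 2 -sha256 -extfile pki.cnf -extensions "$4" -out "$1.pem" 2>/dev/null
}

make_ca root    "/C=MY/O=Pengy Sdn Bhd/CN=pengy.com"                    # root CA
issue   inter   "/C=MY/O=Pengy Sdn Bhd/CN=pengy-fgt.com" root ca_ext    # intermediate CA
issue   fgt     "/C=MY/O=pengy_fgt/CN=pengy fgt"         inter leaf_ext # FGT local cert
make_ca support "/CN=support"   # unrelated CA, like the one already in the FGT store

# verify_chain TRUSTFILE UNTRUSTEDFILE LEAF : prints "ok" or openssl's error text.
# TRUSTFILE plays the role of the device CA store; UNTRUSTEDFILE is the
# intermediate loaded from file (CA_Cert_2 in the article's FortiGate debug).
verify_chain() {
  out="$(openssl verify -CAfile "$1" -untrusted "$2" "$3" 2>&1)" || true
  case "$out" in
    *": OK"*) echo ok ;;
    *)        printf '%s\n' "$out" ;;
  esac
}

# The situations the article's debug output walks through
chain_with_root()         { verify_chain root.pem    inter.pem fgt.pem; }  # root CA installed
chain_without_root()      { verify_chain support.pem inter.pem fgt.pem; }  # only an unrelated CA in store
chain_intermediate_only() { verify_chain inter.pem   inter.pem fgt.pem; }  # intermediate trusted, no root

# show_chain FILE... : subject/issuer per certificate, like "CA <n>: subject <..>, issuer <..>"
show_chain() {
  for f in "$@"; do
    printf '%s: ' "$f"
    openssl x509 -in "$f" -noout -subject -issuer | tr '\n' ' '
    echo
  done
}

show_chain fgt.pem inter.pem root.pem
echo "with root CA:      $(chain_with_root)"
echo "without root CA:   $(chain_without_root)"
echo "intermediate only: $(chain_intermediate_only)"
```

The trust store contents decide the outcome: with only the intermediate trusted, openssl still refuses the chain because it cannot reach a self-signed root, which is the same reason the FortiManager debug later in this article reports "a root CA is not found" and the handshake ends with an "unknown CA" alert.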

The following FortiGate debug output shows how the CA store is built when FGFM is initialized:

FGFMs: Installed local cert /etc/cert/local/root_fgt_cert.cer, subject: /C=MY/O=pengy_fgt/CN=pengy fgt, issuer: /C=MY/O=Pengy Sdn Bhd/CN=pengy-fgt.com

FGFMs: > There are totally 1 CAs, store: 0x7fb82b6670a0
FGFMs: > CA <0>: subject <support>, issuer <support>
FGFMs: + Added ca pengy-fgt.com/pengy.com from file to store
FGFMs: + Added ca pengy.com/pengy.com from file to store  <-- root CA certificate is loaded in memory 
FGFMs: ++ Loaded ca from file CA_Cert_2
FGFMs: Loaded CAs to store
FGFMs: > There are totally 2 CAs, store: 0x7fb82b6671e0
FGFMs: > CA <0>: subject <pengy-fgt.com>, issuer <pengy.com>
FGFMs: > CA <1>: subject <pengy.com>, issuer <pengy.com> 

If the root CA certificate is not installed on FortiGate, the intermediate certificate cannot be verified and FGFM initialization fails:

FGFMs: Installed local cert /etc/cert/local/root_fgt_cert.cer, subject: /C=MY/O=pengy_fgt/CN=pengy fgt, issuer: /C=MY/O=Pengy Sdn Bhd/CN=pengy-fgt.com
FGFMs: > There are totally 1 CAs, store: 0x7fb82b6670a0
FGFMs: > CA <0>: subject <support>, issuer <support>
FGFMs: X509_verify_cert ca CA_Cert_2 failed, error: unable to get local issuer certificate!
FGFMs: Failed to add CAs to store
FGFMs: failed to load CAs

The same process occurs on FortiManager:

FGFMs: __load_all_ca_chain: cache root-cert.cer
FGFMs: __load_all_ca_chain: cache intermediate-cert.cer
FGFMs: __load_all_ca_chain: cache Fortinet_CA.cer
FGFMs: __load_all_ca_chain: cache Fortinet_CA2.cer
FGFMs: __load_all_ca_chain: cache Fortinet_SUBCA.cer
FGFMs: Loaded ca /etc/cert/ca/Fortinet_CA.cer
FGFMs: Loaded ca /etc/cert/ca/Fortinet_SUBCA.cer
FGFMs: Loaded ca /etc/cert/ca/Fortinet_CA2.cer
FGFMs: Loaded ca /etc/cert/ca/intermediate-cert.cer
FGFMs: __load_ca: load CA pengy-fgt.com/pengy.com
FGFMs: Loaded ca /etc/cert/ca/root-cert.cer
FGFMs: > added an additional CA /etc/cert/ca/root-cert.cer just now
FGFMs: ssl_load_ca: load 5 CAs

FortiManager will not be able to initialize FGFM communication if the root CA certificate cannot be found and loaded into memory. The intermediate certificate is skipped during CA loading:

FGFMs: __load_all_ca_chain: cache intermediate-cert.cer
FGFMs: __load_all_ca_chain: cache Fortinet_CA.cer
FGFMs: __load_all_ca_chain: cache Fortinet_CA2.cer
FGFMs: __load_all_ca_chain: cache Fortinet_SUBCA.cer
FGFMs: Loaded ca /etc/cert/ca/Fortinet_CA.cer
FGFMs: Loaded ca /etc/cert/ca/Fortinet_SUBCA.cer
FGFMs: Loaded ca /etc/cert/ca/Fortinet_CA2.cer
FGFMs: ssl_load_ca: a root CA is not found for pengy-fgt.com[pengy.com], skip it
FGFMs: ssl_load_ca: load 3 CAs

Later in the same debug output, the TLS handshake fails because the peer's chain cannot be verified against the loaded CAs:

FGFMs: Root issuer matched, local=remote=pengy-fgt.com
FGFMs: ssl_proto.c,642: TLSv1.3 SSLv3/TLS write certificate
FGFMs: ssl_proto.c,642: TLSv1.3 TLSv1.3 write server certificate verify
FGFMs: ssl_proto.c,642: TLSv1.3 SSLv3/TLS write finished
FGFMs: ssl_proto.c,642: TLSv1.3 TLSv1.3 early data
FGFMs: ssl_proto.c,642: TLSv1.3 TLSv1.3 early data
FGFMs: - Cert verification error: self-signed certificate in certificate chain
FGFMs: - Remote issuer: pengy.com
FGFMs: ssl_proto.c,744: TLSv1.3 write fatal alert: unknown CA
FGFMs: ssl_proto.c,759: TLSv1.3 error
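The debug excerpts above carry a small number of distinctive messages, so a troubleshooting session can be triaged automatically. The script below is an added example, not from this article and not a Fortinet tool; it assumes a POSIX shell. The sample inputs are constructed from the article's own debug lines, and the verdict strings are this example's own wording. The helper reports which failure signature is present and, where the output states it, how many CAs ended up in the store.

```shell
#!/bin/sh
# Added example, not from the article: triage helper for FGFM certificate
# debug output. Patterns come from the debug excerpts in the article; the
# verdict strings are an assumption of this example.
set -eu

# diagnose_fgfm_debug < debug-text : prints one verdict line
diagnose_fgfm_debug() {
  text="$(cat)"
  # CA count as reported by either side ("There are totally N CAs" on FortiGate,
  # "ssl_load_ca: load N CAs" on FortiManager); the last report wins
  loaded="$(printf '%s\n' "$text" | sed -n \
    -e 's/.*There are totally \([0-9][0-9]*\) CAs.*/\1/p' \
    -e 's/.*ssl_load_ca: load \([0-9][0-9]*\) CAs.*/\1/p' | tail -n 1)"
  case "$text" in
    *"unable to get local issuer certificate"*)
      printf '%s\n' "FAIL: intermediate CA could not be chained to a root; install the root CA certificate" ;;
    *"a root CA is not found for"*)
      printf '%s\n' "FAIL: FortiManager skipped the intermediate because its root CA is missing (loaded ${loaded:-?} CAs)" ;;
    *"self-signed certificate in certificate chain"*|*"unknown CA"*)
      printf '%s\n' "FAIL: TLS handshake rejected the peer chain (unknown CA); check the root CA on the verifying side" ;;
    *"Loaded CAs to store"*|*"ssl_load_ca: load"*)
      printf '%s\n' "OK: CA store loaded (${loaded:-?} CAs)" ;;
    *)
      printf '%s\n' "UNKNOWN: no recognised FGFM certificate messages" ;;
  esac
}

# Constructed samples, shortened from the article's debug excerpts
sample_fgt_ok() { cat <<'EOF'
FGFMs: > There are totally 1 CAs, store: 0x7fb82b6670a0
FGFMs: > CA <0>: subject <support>, issuer <support>
FGFMs: + Added ca pengy-fgt.com/pengy.com from file to store
FGFMs: + Added ca pengy.com/pengy.com from file to store
FGFMs: ++ Loaded ca from file CA_Cert_2
FGFMs: Loaded CAs to store
FGFMs: > There are totally 2 CAs, store: 0x7fb82b6671e0
EOF
}
sample_fgt_fail() { cat <<'EOF'
FGFMs: > There are totally 1 CAs, store: 0x7fb82b6670a0
FGFMs: > CA <0>: subject <support>, issuer <support>
FGFMs: X509_verify_cert ca CA_Cert_2 failed, error: unable to get local issuer certificate!
FGFMs: Failed to add CAs to store
FGFMs: failed to load CAs
EOF
}
sample_fmg_ok() { cat <<'EOF'
FGFMs: __load_ca: load CA pengy-fgt.com/pengy.com
FGFMs: Loaded ca /etc/cert/ca/root-cert.cer
FGFMs: > added an additional CA /etc/cert/ca/root-cert.cer just now
FGFMs: ssl_load_ca: load 5 CAs
EOF
}
sample_fmg_fail() { cat <<'EOF'
FGFMs: __load_all_ca_chain: cache intermediate-cert.cer
FGFMs: Loaded ca /etc/cert/ca/intermediate-cert.cer
FGFMs: ssl_load_ca: a root CA is not found for pengy-fgt.com[pengy.com], skip it
FGFMs: ssl_load_ca: load 3 CAs
FGFMs: - Cert verification error: self-signed certificate in certificate chain
FGFMs: ssl_proto.c,744: TLSv1.3 write fatal alert: unknown CA
EOF
}

# One verdict function per sample so each case can be checked by name
verdict_fgt_ok()   { sample_fgt_ok   | diagnose_fgfm_debug; }
verdict_fgt_fail() { sample_fgt_fail | diagnose_fgfm_debug; }
verdict_fmg_ok()   { sample_fmg_ok   | diagnose_fgfm_debug; }
verdict_fmg_fail() { sample_fmg_fail | diagnose_fgfm_debug; }

echo "FortiGate, root installed:      $(verdict_fgt_ok)"
echo "FortiGate, root missing:        $(verdict_fgt_fail)"
echo "FortiManager, root installed:   $(verdict_fmg_ok)"
echo "FortiManager, root missing:     $(verdict_fmg_fail)"
```

Pipe a captured debug session into diagnose_fgfm_debug; the pattern order matters, since a FortiManager session that lacks the root reports both the skipped intermediate and the later "unknown CA" alert, and the earlier, more specific message is the one worth acting on.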