Description
This article describes how to import local certificates under FortiManager. Local certificates can be created and CA certificates can be imported, but there is no option to import local certificates under FortiManager. To create a local certificate, refer to this cookbook.
Scope
Solution
1. Import the local certificate onto the FortiGate directly: go to System > Certificates, click Import, select the certificate and click OK. This will cause the FortiGate and FortiManager to go out of synchronisation.
2. To get it back into sync, retrieve the running config of the FortiGate after the local certificate has been imported onto it. To retrieve the config manually, go to System > click on the device > Dashboard > Configuration and Installation Status > Revision History (icon on the right of Total Revisions) and click "Retrieve Config". This retrieves the running config from the FortiGate, after which the status should show as synchronised.
3. Create a dynamic object and mapping with a name under Policy & Objects > Object Configuration > Dynamic Objects > Local Certificates. When creating a Dynamic mapping it is important to select the correct device on which the certificate.
If the local certificate does not show up in the GUI, go to Tools > Display Options > Check all and click OK.
4. Next, go to Object Configurations > Security profiles > SSL/SSH Inspection. Edit the SSL/SSH profile and, under SSL inspection options > CA certificate, select the created certificate. Once added, click OK.
5. Once the above steps have been completed, use the same SSL/SSH inspection profile and push it to the FortiGates to see the local certificate imported.