FortiManager
vraev
Staff
Article Id 242730

Description

 

This article describes how to set up a custom certificate for the FortiManager (FGFM) connection between FortiManager and the FortiGates it manages.

 

Scope

 

FortiManager from version 6.2.3.

FortiGate from version 6.2.3.

 

Solution

 

Importing the certificates:

 

- Upload the CA certificate in the CA certificate section of both FortiManager and the FortiGate:
How to import a CA certificate in FortiManager is explained here: Technical Note: Import CA certificates in FortiManager or FortiAnalyzer.
How to import a CA certificate in FortiGate is explained here: Docs: FortiOS – CA Certificate.


- Import the signed server certificates (and their private keys) as local certificates. How to import them depends on the enrollment method used and on the specific versions of FortiManager and FortiGate:
FortiManager documentation: Local certificates.
FortiGate documentation: Procuring and importing a signed SSL certificate.

 

Configuration:

NOTE: When the settings below are changed and the end command is issued, the FortiManager tunnels between the FortiManager and all FortiGates will go down.

 

Direct access to the managed FortiGates is required in order to change their central management configuration accordingly.

The FortiManager certificate settings are only available in the CLI.


- FortiManager configuration:

 

# config system global
    set fgfm-ca-cert "<CA_Certificate_Name>"  <- defines which authority the FortiGate certificate must be signed by.
    set fgfm-local-cert "<Local-Server_Certificate_Name>" <- defines which local certificate to use on port TCP/541.
end

 

- FortiGate configuration:

 

# config system central-management
    set local-cert "<Local-Server_Certificate_Name>" <- defines which local certificate to use on port TCP/541.
    set ca-cert "<CA_Certificate_Name>" <- defines which authority the FortiManager certificate must be signed by.
end

Example:

FortiManager side:

 

# config system global
    set fgfm-ca-cert "RootCA"
    set fgfm-local-cert "cert_fmg"
end

 

FortiGate side:

 

# config system central-management
    set local-cert "cert_fgt"
    set ca-cert "RootCA"
end

Troubleshooting:

The following CLI debug commands can be used to troubleshoot FortiManager tunnel issues. The output also shows certificate information during the TLS negotiation phase.

FortiManager:

 

# diag debug application fgfmsd 255 {filter optional}
# diag debug timestamp enable

# diag debug enable

FortiGate:

 

# diag debug application fgfmd -1
# diag debug console timestamp enable

# diag debug enable

An external PC with 'openssl' (and optionally 'nmap') installed can be used to verify that the correct certificate chain is presented by the units, for example on the FGFM port TCP/541:

openssl s_client -showcerts -connect <address>:<port>
nmap --script ssl-enum-ciphers <address> -p <port>
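As an added example (not part of the original article), a small POSIX shell script that automates the check above: it captures the chain a unit presents on the FGFM port and verifies that the leaf certificate chains to the CA configured as fgfm-ca-cert / ca-cert, so a wrong fgfm-local-cert or ca-cert is caught before the tunnel drops. The host name, file names and the self-test PKI built by make_test_material are assumptions constructed for illustration; port 541 is the FGFM port from the article.

```shell
#!/bin/sh
# Added example, not Fortinet's code. Requires openssl on the checking PC.
set -eu

WORK="$(mktemp -d)"   # scratch directory for captured chains and test material

# fetch_chain HOST PORT OUTFILE: capture the PEM chain a unit presents on the FGFM
# port (leaf first, as printed by s_client -showcerts).
fetch_chain() {
    openssl s_client -showcerts -connect "$1:$2" </dev/null 2>/dev/null \
      | sed -n '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > "$3"
}

# verify_chain CHAIN_PEM CA_PEM: exit 0 if the leaf (first cert in CHAIN_PEM)
# validates to CA_PEM, using the rest of the file as untrusted intermediates.
verify_chain() {
    openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
}

# leaf_issuer CHAIN_PEM: print the issuer of the leaf, to compare with fgfm-ca-cert.
leaf_issuer() {
    openssl x509 -in "$1" -noout -issuer
}

# check_unit HOST PORT CA_PEM: end-to-end check against a live unit (needs network).
check_unit() {
    fetch_chain "$1" "$2" "$WORK/chain.pem"
    if verify_chain "$WORK/chain.pem" "$3"; then
        echo "OK: $1:$2 presents a certificate chaining to $3"
    else
        echo "MISMATCH: $1:$2 leaf is issued by $(leaf_issuer "$WORK/chain.pem")"
        return 1
    fi
}

# make_test_material: constructed PKI for offline self-test: a root CA ("RootCA"),
# a server certificate it signed ("cert_fgt") and an unrelated CA ("OtherCA").
make_test_material() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=RootCA" -days 1 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=cert_fgt" \
        -keyout "$WORK/fgt.key" -out "$WORK/fgt.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/fgt.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 1 -out "$WORK/fgt.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=OtherCA" -days 1 \
        -keyout "$WORK/other.key" -out "$WORK/other.pem" 2>/dev/null
}

# Live usage (assumed host): check_unit fortigate.example.net 541 "$WORK/ca.pem"
```

Run check_unit against the FortiManager address and port 541 from the PC, and against each FortiGate, with the PEM of the CA you imported; a MISMATCH line shows which issuer the unit is actually presenting.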

 


 

Related Articles:

CA certificates

CLI certificate commands

Incoming ports

Technical Note: Import CA certificates in FortiManager or FortiAnalyzer

Technical Note: Configure SSL certificate for the FortiManager / FortiAnalyzer admin GUI v5.4

Technical Tip: TLS and the use of Digital Certificates

Troubleshooting Tip: How to troubleshoot connectivity issues between FortiGate and FortiManager

Technical Tip: How to setup a custom certificate regarding OFTP protocol

Technical Tip: Different application of local certificate for FortiManager/FortiAnalyzer