FortiManager supports network operations use cases for centralized management, best practices compliance, and workflow automation to provide better protection against breaches.
Article Id 242730



This article describes how to set up a custom certificate to use for the FortiManager connection between FortiManager and the managed FortiGates.




FortiManager from version 6.2.3.

FortiGate from version 6.2.3.




Importing the certificates:


Upload the CA certificate under the FortiManager and the FortiGate CA certificate section:
How to import a CA certificate in FortiManager is explained here: Technical Note: Import CA certificates in FortiManager or FortiAnalyzer.
How to import CA certificate in FortiGate is explained here: Docs: FortiOS – CA Certificate.

Import the signed server certificates (and keys) as local certificates. How to import them depends on the used enrollment method and the specific versions of: FortiManager and FortiGates:
FortiManager documentation: Local certificates.
FortiGate documentation: Procuring and importing a signed SSL certificate.


Note: From version 7.2.5/7.4.3, there is a requirement to include the SN.


Under FortiManager, change the following setting to temporarily overcome this requirement:


config system global

set fgfm-peercert-withoutsn enable




NOTE: When the settings below are changed and the end command is used, the FortiManager tunnels between the FortiManager and all FortiGates will go down.


Direct access to the managed FortiGates would be required in order to change their central management configuration accordingly.

The FortiManager certificate settings are only available in the CLI.

FortiManager configuration:


config system global
    set fgfm-ca-cert "<CA_Certificate_Name>"  <- defines which authority the FortiGate certificate must be signed by.
    set fgfm-local-cert "<Local-Server_Certificate_Name>" <- defines which local certificate use on port TCP/541.


FortiGate configuration:


config system central management
   set local-cert "<Local-Server_Certificate_Name>" <- Defines which local certificate is to be used on port TCP/541.
   set ca-cert "<CA_Certificate_Name>" <- Defines which authority the FortiManager certificate must be signed by.


FortiManager side:


config system global
    set fgfm-ca-cert “RootCA”
    set fgfm-local-cert “cert_fmg”


FortiGate side:


config system central-management
    set local-cert "cert_fgt"
    set ca-cert "RootCA"


The following CLI debug can be used to troubleshoot FortiManager tunnel issues. The output also shows certificate information during the TLS negotiation phase.



diag debug application fgfmsd 255 {filter optional}
diag debug timestamp enable

diag debug enable



diag debug application fgfmd -1
diag debug console timestamp enable

diag debug enable

An external PC, with 'openssl' installed, can be used to verify that the correct certificate chain is used by the units:

openssl s_client -showcerts -connect <address>:<port>
nmap --script ssl-enum-ciphers <address> -p <port>




Related articles: