FortiManager
axel_gonzalez_FTNT

 

Description

This article describes how, by design, FortiManager installs objects that are referenced in 'Policies' or 'Device Settings' (for example 'VPN SSL Settings'). However, there are cases where FortiManager installs objects that are not referenced anywhere, such as FSSO polling objects, address and profile groups, and CA certificates.

 

Scope

This KB article explains why FortiManager pushes CA certificates.

 

Solution

When installing a policy package for the first time on a FortiGate, it is normal to see FortiManager push a CA certificate named after the ADOM in which the FortiGate is located.

 

In this example, 'FGT Mexico' is in ADOM 'SD'.

 

[Screenshot: 'FGT Mexico' shown in ADOM 'SD']

 

The install preview shows a 'vpn certificate ca' entry named "SD_CA2", where 'SD' is the name of the ADOM and 'CA2' refers to a CA certificate.

 
config vpn certificate ca
    edit "SD_CA2"
        set ca "-----BEGIN CERTIFICATE-----
.
.
.
-----END CERTIFICATE-----"
        set range global
    next
end

 

This CA certificate can be found under Policy & Objects > Object Configurations > Advanced > CA Certificates.

 

[Screenshot: the 'SD_CA2' entry under CA Certificates]

 

Why is this CA certificate being pushed if nothing uses it?

 

The purpose of installing a Certificate Authority (CA) certificate is to let the FortiGate verify whom it is communicating with (the FortiManager ADOM), so that FGFM communication is trusted by the FortiGate. A CA certificate is not a regular (end-entity) certificate, so it does not appear under 'config system central-management'. CA certificates are normally referenced when validating regular certificates rather than being used directly as a CLI configuration item.

 

This is what the CA certificate looks like:

 

[Screenshot: the CA certificate]

 

Bonus.

In rare cases the message 'This CA certificate is duplicated' appears when installing a policy package. In those cases, the CA certificate under Policy & Objects can be removed, or a ticket can be opened with the FortiManager eTAC team for further analysis.
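As an added example (not part of this article or of any Fortinet tool), the following Python script parses a 'config vpn certificate ca' block as it appears in an install preview, computes the SHA-256 fingerprint of each embedded CA certificate so it can be compared with the CA certificate shown under Policy & Objects, and flags entries whose content is identical under different names, which is the situation behind the 'This CA certificate is duplicated' message. The sample configuration is constructed; its PEM bodies are tiny hand-made DER sequences rather than real certificates, and the only structural check performed on the decoded bytes is that they form a DER SEQUENCE.

```python
import base64
import hashlib
import re
from collections import defaultdict

# Constructed sample: a 'config vpn certificate ca' block in FortiGate CLI
# syntax, as a FortiManager install preview would show it. The PEM bodies are
# NOT real certificates; they are small hand-made DER SEQUENCEs that only
# exercise the parser. "SD_CA2" and "SD_CA2_1" carry identical content.
SAMPLE_CONFIG = '''\
config vpn certificate ca
    edit "SD_CA2"
        set ca "-----BEGIN CERTIFICATE-----
MAUCAQECAQI=
-----END CERTIFICATE-----"
        set range global
    next
    edit "SD_CA2_1"
        set ca "-----BEGIN CERTIFICATE-----
MAUCAQECAQI=
-----END CERTIFICATE-----"
        set range global
    next
    edit "Other_CA"
        set ca "-----BEGIN CERTIFICATE-----
MAUCAQMCAQQ=
-----END CERTIFICATE-----"
        set range global
    next
end
'''

# One 'edit "<name>" ... next' entry; the body may span many lines because the
# quoted 'set ca' value contains the whole PEM block.
EDIT_RE = re.compile(r'^\s*edit "([^"]+)"\n(.*?)^\s*next\s*$', re.S | re.M)
SET_CA_RE = re.compile(r'set ca "(.*?)"', re.S)
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def parse_ca_entries(config_text):
    """Return {entry_name: der_bytes} for every entry that carries a PEM certificate."""
    entries = {}
    for name, body in EDIT_RE.findall(config_text):
        ca = SET_CA_RE.search(body)
        if not ca:
            continue
        pem = PEM_RE.search(ca.group(1))
        if not pem:
            raise ValueError(f"{name}: 'set ca' value is not a PEM certificate")
        der = base64.b64decode("".join(pem.group(1).split()), validate=True)
        # An X.509 certificate is a DER SEQUENCE (tag 0x30); reject anything else early.
        if not der or der[0] != 0x30:
            raise ValueError(f"{name}: decoded value is not a DER SEQUENCE")
        entries[name] = der
    return entries


def fingerprint(der):
    """SHA-256 fingerprint of the DER bytes, colon-separated as most GUIs display it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def find_duplicates(entries):
    """Group entry names by certificate content; keep only groups with more than one name."""
    by_fp = defaultdict(list)
    for name, der in entries.items():
        by_fp[fingerprint(der)].append(name)
    return {fp: sorted(names) for fp, names in by_fp.items() if len(names) > 1}


def report(config_text):
    """Return (fingerprint per entry, duplicate groups) for a config block."""
    entries = parse_ca_entries(config_text)
    return ({name: fingerprint(der) for name, der in entries.items()},
            find_duplicates(entries))


if __name__ == "__main__":
    fps, dups = report(SAMPLE_CONFIG)
    for name, fp in fps.items():
        print(f"{name:10s} {fp}")
    for fp, names in dups.items():
        print("duplicate content:", ", ".join(names))
```

To use it on a real preview, replace SAMPLE_CONFIG with the pasted 'config vpn certificate ca' section; the fingerprint of the ADOM entry can then be compared with the certificate shown under Policy & Objects before deciding that a duplicate entry is safe to remove.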