This article describes that by design FortiManager install objects being referenced on 'Policies' or 'Device Settings' like 'VPN SSL Settings'. However, there are cases where FortiManager install objects that are not used anywhere such as FSSO polling objects, address and profile groups, and CA certificates.
This KB article will explain why ForitManager pushes CA Certificates.
When installing a policy package for the first time on a FortiGate, it is normal to see FortiManager push a CA Certificate with the name of the ADOM where FortiGate is located.
In this example, 'FGT Mexico' is on ADOM 'SD'.
Install preview configuration shows VPN certificate CA with the name of "SD_CA2" where 'SD' is the name of ADOM and 'CA2' is doing reference to a CA Certificate.
This CA Certificate can be found on Policy & Objects > Object Configurations > Advanced > CA Certificates.
Why is this CA Certificate is being pushed if there is no usage?
The intention to install a Certificate Authority (CA) is for FortiGate to identify whom it is communicating with (FortiManager ADOM). Its objective is to make FGFM communication a secure place for FortiGate. CA Certificate is not a normal certificate so it is not available on config system central-management. CA Certificate normally are used as reference for normal certificate but not a CLI configuration used itself.
CA Certificate looks like.
Bonus.
There are rare cases where 'This CA certificate is duplicated' upon installing policy package. In those cases the CA certificate on Policy and Objects can be removed or open a ticket with eTAC FortiManager team to analyze further.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.