Description
This article describes that by design FortiManager install objects being referenced on 'Policies' or 'Device Settings' like 'VPN SSL Settings'. However, there are cases where FortiManager install objects that are not used anywhere such as FSSO polling objects, address and profile groups, and CA certificates.
Scope
This KB article will explain why ForitManager pushes CA Certificates.
Solution
When installing a policy package for the first time on a FortiGate, it is normal to see FortiManager push a CA Certificate with the name of the ADOM where FortiGate is located.
In this example, 'FGT Mexico' is on ADOM 'SD'.
Install preview configuration shows VPN certificate CA with the name of "SD_CA2" where 'SD' is the name of ADOM and 'CA2' is doing reference to a CA Certificate.
# config vpn certificate ca
edit "SD_CA2"
set ca "-----BEGIN CERTIFICATE-----
.
set ca "-----BEGIN CERTIFICATE-----
.
.
.
-----END CERTIFICATE-----"
set range global
next
end
-----END CERTIFICATE-----"
set range global
next
end
This CA Certificate can be found on Policy & Objects > Object Configurations > Advanced > CA Certificates.
Why is this CA Certificate is being pushed if there is no usage?
The intention to install a Certificate Authority (CA) is for FortiGate to identify whom it is communicating with (FortiManager ADOM). Its objective is to make FGFM communication a secure place for FortiGate. CA Certificate is not a normal certificate so it is not available on config system central-management. CA Certificate normally are used as reference for normal certificate but not a CLI configuration used itself.
CA Certificate looks like.
Bonus.
There are rare cases where 'This CA certificate is duplicated' upon installing policy package. In those cases the CA certificate on Policy and Objects can be removed or open a ticket with eTAC FortiManager team to analyze further.
