FortiManager supports network operations use cases for centralized management, best practices compliance, and workflow automation to provide better protection against breaches.



This article describes that by design FortiManager install objects being referenced on 'Policies' or 'Device Settings' like 'VPN SSL Settings'. However, there are cases where FortiManager install objects that are not used  anywhere such as FSSO polling objects, address and profile groups, and CA certificates.



This KB article will explain why ForitManager pushes CA Certificates.



When installing a policy package for the first time on a FortiGate, it is normal to see FortiManager  push a CA Certificate with the name of the ADOM where FortiGate is located.


In this example,  'FGT Mexico' is on ADOM 'SD'.




Install preview configuration shows VPN certificate CA with the name of  "SD_CA2" where 'SD' is the name of ADOM and 'CA2' is doing reference to a CA Certificate.

# config vpn certificate ca
    edit "SD_CA2"
    set ca "-----BEGIN CERTIFICATE-----
    set range global


This CA Certificate can be found on Policy & Objects > Object Configurations > Advanced > CA Certificates.




Why is this CA Certificate is being pushed if there is no usage?


The intention to install a Certificate Authority (CA) is for FortiGate to identify whom it is communicating with (FortiManager ADOM). Its objective is to make FGFM communication a secure place for FortiGate. CA Certificate is not a normal certificate so it is not available on config system central-management. CA Certificate normally are used as reference for normal certificate but not a CLI configuration used itself.


 CA Certificate looks like.





There are rare cases where  'This CA certificate is duplicated' upon  installing policy package. In those cases the CA certificate on Policy and Objects can be removed or open a ticket with eTAC FortiManager team to analyze further.