Any supported version of FortiPAM.

This article will use the following Fortinet products:

FortiPAM: Firmware version 1.1.2.

FortiAuthenticator: Firmware version 6.5.2 (FortiAuthenticator will be used to sign CSR generated on FortiPAM. This can be replaced with any other PKI environment (For example: Microsoft Certificate Server or any other Internal or External).

• Login to FortiPAM -> System -> Certificates -> Expand Create/Import -> Generate CSR.

• Here, IP is used in ID Type, but a Domain Name can be used as well.

• After filling in the required information, select OK to create a CSR request.
• Once the CSR is generated, double-click on it and download the CSR. This file will be sent to the CA, which will sign it and a certificate will be generated. The certificate will be imported to FortiPAM later.
• Log in to FortiAuthenticator and expand Certificate management -> End Entities -> Users -> On the right-hand side, select Import.

• After filling in the required information, select Import. 

• Once the certificate is ready, select the recently created certificate and select 'Export Certificate'. This will download a certificate, which will then be imported in FortiPAM.
• Next, log in to FortiPAM and expand System -> Certificates. Check that the Status of CSR 'FortiPAM_HTTPS' still shows 'Pending', because the certificate has not yet been imported into FortiPAM. 

• Select Create/Import and select Certificate.

• Select the certificate recently downloaded from FortiAuthenticator, then select Create and select OK to finalize the import of the certificate. 

• The certificate will be imported successfully, but it will not yet have been assigned. Log in to the FortiPAM CLI and run 'config system global'.

config firewall vip

    edit "fortipam_vip"

        set uuid b1040....

        set type access-proxy
        set extip 10.191.x.x
        set extintf "port1"
        set server-type https
        set extport 443
        ssl-certificate "FortiPAM_HTTPS"

    next

end

• For the new version 1.4.x, the above is configured under Network -> Interfaces (interface use for access proxy) -> GUI Portal.

• Now, the certificate will be added to FortiPAM. The next step will be to import the CA certificate in FortiPAM. Here, the FortiAuthenticator CA certificate is being added. Add the CA certificate which signs this FortiPAM certificate.

Note: If there are multiple CAs in the environment, for example, Root CA -> Intermediate CAs, all of the CAs must be imported in FortiPAM and also on the client machine. From there, open GUI access to FortiPAM. In short: the CA chain must be completed on both FortiPAM as well as on the client machine, as it will otherwise lead to certificate errors in browsers.

• The subject must contain the address the end station can resolve.
• Google Chrome and Microsoft Edge use a built-in Windows certificate store while Mozilla Firefox has its certificate store.
• Next, export the RootCA certificate from FortiAuthenticator and then import it into FortiPAM.

• Next, go to FortiPAM and expand System -> Certificates. On the right-hand side, select Create/Import and select CA Certificate. Select File and upload the add Root CA certificate. This will add the Root CA under the 'Remote CA Certificate' list.

• As the certificate is imported now, check the certificate status by opening a GUI console from Google Chrome.

Note: The 'RootCA' certificate must be trusted by the client machine. It has to be imported to the Trusted Root certificate authority store of the browser or Operating System.

Related documents:

Technical Tip: TLS and the use of Digital Certificates

Certificates - FortiPAM Administration Guide