FortiSIEM Discussions
networkm
New Contributor II

FortiSiem Web access change self-signed certificate

Hello,

 

I have a production environment with supervisor, collector and Windows agents. I am using a self-signed certificate for web access to the supervisor. I need to use a certificate digitally signed with my own private CA so that when I access FortiSIEM I do not get a warning.

 

Does anyone have a solution for how to generate a CSR, sign it, and import the certificate into the supervisor to be used for the web (because there is no option in the GUI like, for example, in FortiGate)?

Also, if I do that, will it have an impact on communication collector to supervisor, or agent to collector?

 

Thanks everyone 

8 REPLIES
Gabe_FTNT
Staff

@networkm
This FortiSIEM technical tip should help you: How to apply a self-signed or certificate authority 

--
Gabriel Kaelin, Sr. Enterprise Systems Engineer, Fortinet
networkm
New Contributor II

@Gabe_FTNT 

Thank you. If I follow these steps and replace the self-signed certificate with a new certificate digitally signed by my CA, will that have some impact on the existing communication between collector and supervisor, and between agents and collector?

Note: everything is discovered and logged in on the collector, and the agents are also connected to the collector.

Gabe_FTNT

I'm not sure, as I haven't worked with it for a few years. I just had that link readily available when I saw your post. :smiling_face_with_smiling_eyes:
Please study the technical tip: How to check communication between collector and super from collector side that's linked in the previously shared link, as well as the documentation for the FortiSIEM version you're using, e.g. for 7.5.0: Configuring SSL Socket Certificates

--
Gabriel Kaelin, Sr. Enterprise Systems Engineer, Fortinet
Secusaurus

Hi @networkm,

Unless you have configured otherwise, the Collectors and Workers will accept any kind of certificate (they accept the self-signed one in the first place, so there is no need to apply the CA to them here). You can enforce the certificate check, but this is not the default situation.

 

In our usual setups, we have a slightly different situation (we sign with public CAs and we do the certificate work before growing the cluster), so I'd recommend you schedule a maintenance window to be able to check and roll back.

Also note that some applications only do a certificate check from time to time, so it might take a day (or a reboot of all nodes) to ensure that everything works with the new certificates.

 

Best,

Christian

FCX #003451 | Fortinet Advanced Partner
networkm
New Contributor II

Hi @Secusaurus 

Thank you for your answer.

The collector is registered with the supervisor via IP address, so it doesn't do a certificate check. Also, the agent is connected to the collector and doesn't have the "verify TLS certificate" option checked.

 

Our goal is only, when accessing the web interface of the supervisor, to access it via hostname and not receive a warning. As I understand you, if we generate a CSR on the supervisor, sign it with our CA and import that certificate, it will not affect the communication mentioned above?

 

Thank you

Secusaurus

Hi @networkm,

 

Yes, in my experience (production up to v7.3.x), the certificate for the GUI does not affect the rest of the configuration as long as you did not configure certificate checks manually (see the article linked by Gabriel).

Please do check this after changing the configuration, as I have no experience changing it while running, only when doing this before setting up a Collector!

 

Side-note:


@networkm wrote:

The collector is registered with the supervisor via IP address, so it doesn't do a certificate check.


That's not perfectly correct: on the one hand, a certificate can be bound to IP addresses as well (not only FQDNs). On the other hand, after the initial connection, the Collector takes the information you provided in Admin -> Settings -> Cluster Config. The FQDN or IP of the registration command is only used for that one command; the rest is retrieved continuously from the Supervisor.

 

Best,

Christian

FCX #003451 | Fortinet Advanced Partner
networkm
New Contributor II

@Secusaurus 

Agree with side-note.

Regarding the certificate for the GUI, I guess the technical tip mentioned by Gabriel is OK to follow for changing the self-signed one?

Secusaurus

Gabriel mentioned the two main articles.

This one here talks about changing the certificate for the GUI access: https://community.fortinet.com/t5/FortiSIEM/Technical-Tip-How-to-apply-a-self-signed-or-certificate/...

 

This one talks about certificate verification inside the cluster: https://docs.fortinet.com/document/fortisiem/7.5.0/user-guide/686889/configuring-ssl-socket-certific...

 

If you don't do anything from the second article, the first one should fulfill your needs.

 

By the way, in case you have a firewall between your users and your cluster, you could consider serving the certificate from the firewall instead of the cluster.

 

Best,

Christian

FCX #003451 | Fortinet Advanced Partner