I followed these steps to import a CA certificate and key for decryption:
The certificate now shows up in Local CA certificates. However, in FortiManager > Policy & Objects, I do not see this certificate as available in the SSL Inspection profile.
How can I use this certificate for SSL decryption when configuring from FortiManager?
If I try to do it locally on the firewall, the CA certificate is available in the profile, just not in FortiManager.
Thanks,
Solved! Go to Solution.
Hey bbartik - did you upload the CA certificate to FortiGate directly?
If yes, FortiManager would not be aware of the certificate, and you need to either import policies again (that should add the certificate to ADOM objects as well, I believe).
The certificates in question should be under Dynamic Local Certificates (depends a bit on firmware version):
from a 7.4 FortiManager for example.
These certificates are essentially placeholders on FortiManager, mapped to specific CA certificates on the individual FortiGates, and created during policy import.
As an alternative, you can simply create a certificate in FortiManager in the local dynamic certificates, delete the certificate you currently have on FortiGate, then set up the inspection profile in FortiManager, select the certificate and push both profile AND certificate in one go.
Try navigating to Policy & objects > Objects Configurations > CLI Configurations > Objects > vpn > certificate > ca
* If CLI Configurations tab is not visible, you can enable via Tools > Feature Visibility > CLI Configurations > Objects
It still doesn't show up as available in the SSL profile. Did you test that?
Hey bbartik - did you upload the CA certificate to FortiGate directly?
If yes, FortiManager would not be aware of the certificate, and you need to either import policies again (that should add the certificate to ADOM objects as well, I believe).
The certificates in question should be under Dynamic Local Certificates (depends a bit on firmware version):
from a 7.4 FortiManager for example.
These certificates are essentially placeholders on FortiManager, mapped to specific CA certificates on the individual FortiGates, and created during policy import.
As an alternative, you can simply create a certificate in FortiManager in the local dynamic certificates, delete the certificate you currently have on FortiGate, then set up the inspection profile in FortiManager, select the certificate and push both profile AND certificate in one go.
Hi Debbie, thank you, using what you wrote and also finding this link below I was able to create dynamic "placeholder" certificate. Thanks!
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1738 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.