bbartik
New Contributor

FortiManager - Custom CA certificate for SSL Decryption

I followed these steps to import a CA certificate and key for decryption:


https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-import-the-CA-certificate-for-full-...


The certificate now shows up in Local CA certificates. However, in FortiManager > Policy & Objects, I do not see this certificate as available in the SSL Inspection profile. 


How can I use this certificate for SSL decryption when configuring from FortiManager?


If I try to do it locally on the firewall, the CA certificate is available in the profile, just not in FortiManager.


Thanks,
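Before importing a CA certificate and key for deep inspection, it is worth confirming that the pair is actually usable as a signing CA (the FortiGate will mint per-site certificates from it): the certificate must carry basicConstraints CA:TRUE and a keyUsage that includes Certificate Sign, the private key must match the certificate, and the certificate should not be about to expire. The following POSIX shell script is an added example, not code from this thread or from Fortinet; it assumes `openssl` (1.1.1 or later) is on PATH, and the throwaway CA and non-CA leaf certificate it builds in `make_test_pair` are constructed test fixtures, not certificates from the thread.

```shell
#!/bin/sh
# Pre-import sanity checks for a CA certificate/key pair intended for SSL deep inspection.
# Added example (not from the forum thread or Fortinet). Assumes openssl is on PATH.

# check_is_ca CERT -> 0 if the certificate carries basicConstraints CA:TRUE
check_is_ca() {
    openssl x509 -in "$1" -noout -ext basicConstraints 2>/dev/null | grep -q 'CA:TRUE'
}

# check_key_cert_sign CERT -> 0 if keyUsage includes Certificate Sign
check_key_cert_sign() {
    openssl x509 -in "$1" -noout -ext keyUsage 2>/dev/null | grep -q 'Certificate Sign'
}

# check_not_expired CERT -> 0 if the certificate stays valid for at least 30 more days
check_not_expired() {
    openssl x509 -in "$1" -noout -checkend 2592000 >/dev/null 2>&1
}

# check_key_matches CERT KEY -> 0 if the key's public half equals the certificate's public key
check_key_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# validate_ca_pair CERT KEY -> runs every check, prints PASS/FAIL per check, returns 0 only if all pass
validate_ca_pair() {
    rc=0
    for chk in check_is_ca check_key_cert_sign check_not_expired; do
        if "$chk" "$1"; then echo "PASS $chk"; else echo "FAIL $chk"; rc=1; fi
    done
    if check_key_matches "$1" "$2"; then echo "PASS check_key_matches"; else echo "FAIL check_key_matches"; rc=1; fi
    return $rc
}

# make_test_pair DIR -> constructed fixtures: a proper inspection CA and a non-CA leaf certificate
make_test_pair() {
    cat > "$1/test.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Example Inspection CA (constructed test fixture)
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 -config "$1/test.cnf" \
        -extensions ca_ext -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 -config "$1/test.cnf" \
        -extensions leaf_ext -keyout "$1/leaf.key" -out "$1/leaf.crt" 2>/dev/null
}

# Usage: sh check_ca_pair.sh /path/to/ca.crt /path/to/ca.key
if [ $# -ge 2 ]; then
    validate_ca_pair "$1" "$2"
fi
```

A FAIL on `check_is_ca` or `check_key_cert_sign` means the file is a server or intermediate-style certificate that cannot sign the per-site certificates inspection needs, and a FAIL on `check_key_matches` is the usual sign that the wrong key file was exported alongside the certificate; both are cheaper to catch here than after the object has been pushed to the FortiGate.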


jasonhong
Staff

Try navigating to Policy & objects > Objects Configurations > CLI Configurations > Objects > vpn > certificate > ca


* If the CLI Configurations tab is not visible, you can enable it via Tools > Feature Visibility > CLI Configurations > Objects

bbartik
New Contributor

It still doesn't show up as available in the SSL profile. Did you test that?

Debbie_FTNT

Hey bbartik - did you upload the CA certificate to FortiGate directly?

If yes, FortiManager would not be aware of the certificate, and you need to import policies again (that should add the certificate to ADOM objects as well, I believe).

The certificates in question should be under Dynamic Local Certificates (depends a bit on firmware version):

[screenshot of the Dynamic Local Certificates list]

from a 7.4 FortiManager for example.
These certificates are essentially placeholders on FortiManager, mapped to specific CA certificates on the individual FortiGates, and created during policy import.
As an alternative, you can simply create a certificate in FortiManager in the local dynamic certificates, delete the certificate you currently have on FortiGate, then set up the inspection profile in FortiManager, select the certificate and push both profile AND certificate in one go.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
bbartik

Hi Debbie, thank you. Using what you wrote and also finding the link below, I was able to create a dynamic "placeholder" certificate. Thanks!


https://community.fortinet.com/t5/FortiManager/Technical-Note-How-to-manage-Local-certificates-from/...
