Hi,
I have a FortiGate 100F v6.4.7 build 1911 (GA) and I tried to install a certificate from my ADCS so that I can use a secure URL via FQDN.
I applied the certificate here:
but when I use the URL https://fortigate.domain.local I get an untrusted-certificate warning, because I see the self-signed cert from the FortiGate.
View from CLI:
View from the website:
View of implemented cert:
Where do I need to change the setting so that my cert is presented on the website?
In case it is required to configure a different presented certificate, the parameter is:
#config user setting
set auth-cert <auth-cert>
set auth-ca-cert <auth-ca-cert>
Some more details here: Technical Tip: Using secure authentication (HTTPS) on a FortiGate and redirecting the authentication...
I tried it, but I got a failure.
I added the root CA from my ADCS server here:
and I tried to use set auth-ca-cert and I got an error:
That means it is either invalid for this purpose or not imported correctly.
Check the same command with "?" at the end to see the available certificates:
set auth-ca-cert ?
That looks like this:
RootCA is valid.
Does anyone have any ideas?
I added the cert via VMAD Global -> System -> Settings
And I see this certificate via the FQDN, but it's untrusted:
Any suggestions?
The certificate must be signed by a CA. No certificate that is issued to a ".local" domain can be trusted. The certificate verification is done by the browser against a public CA, so any certificate that you self-signed locally is only valid locally (the browser can't verify that it is trusted by a public CA).
Actually, web browsers do validate certs against their CA store.
MSIE, Edge and Chrome on Windows use the system certificate store (certlm), or, shorter, through chrome://settings/security.
Firefox uses its own internal cert store.
Both look at who signed the cert you are trying to use, i.e. the cert presented to the browser as the server cert. The browser then validates whether the server cert itself is valid, or whether it is signed by a "Trusted Root Certificate Authority" (in short, a "CA"); if it is, then trust is inherently applied also to the certs signed by that CA.
So you can have your own certs, issued/signed by your own CA, but then you have to add the cert of that root CA to the Trusted Root CAs in every browser you will use. Microsoft has a shortcut for domain members, as it can be pushed to workstations via GPO (but that's a bit out of scope here).
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Allow me to repeat my suggestions/questions from my first reply:
1. Does this certificate contain the fortigate.xxx.local FQDN in its SAN field? This is required by modern browsers, and no screenshot so far suggests that it is present. (The screenshots only show the CN, which alone is insufficient.)
2. When connected to the HTTPS GUI in Chrome, open the developer tools panel (F12), then go to the Security tab, and there you should see the reason why the certificate is not trusted.
Copyright 2024 Fortinet, Inc. All Rights Reserved.