Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Alaric
New Contributor

SSL Certificate For Management

Hello Everyone 
i have CA Server Microsoft in my network 

and i can use in deep inspection and Worked properly

but many time tries to create Certificate for MGMT Access in FWB and FGT and result It was not successful

please help me to Solve this problem 

i try create certificate with FQDN , IP  

 

 

1 Solution
seshuganesh
Staff
Staff

Hi Team,

 

You have to use normal certificate for selecting for management access, you should use either CA or sub CA for the SSL decryption.

Also, you have to use domain name as the subject alternative identifier and CN name as the modern browsers not accepting certificate with private IP.

Step-1: You will try to access firewall with some domain name.

Step-2: Domain name should point to firewall LAN IP in the internal DNS server.

Step-3: Install that CA in the specific machine.

Now you try to access, keep us posted

View solution in original post

3 REPLIES 3
pminarik
Staff
Staff

Hi Alaric,

 

In modern browsers, the certificate needs to contain the address used to access the GUI. This IP or FQDN needs to be included in the Subject Alternative Name (SAN) field of the certificate.

 

For example:

FortiGate accessed via https://192.0.2.1/... → Certificate SAN must include 192.0.2.1

FortiGate accessed via https://firewall.mydomain.com/... → Certificate SAN must include firewall.mydomain.com (or *.mydomain.com)

 

For a real-world example, you can inspect the certificate used for this Community website:

 TLS certificate SAN field for community.fortinet.comTLS certificate SAN field for community.fortinet.com

Notice the FQDN in the address bar at the top (this is what must be included in the certificate's SAN field), and the content of the SAN field of the certificate ("community.fortinet.com" included = certificate valid)

 

For the sake of completeness, the other usual certificate requirements are still in place (Non-exhaustive list: certificate must be within its validity period, must be signed by a CA trusted by your client-device, should not use SHA1 signature(no longer trusted)).

 

Can you confirm if you are including the correct SAN in your attempts already?

[ corrections always welcome ]
Debbie_FTNT
Staff
Staff

In addition to my colleague's comments, also note this:

- you need a SERVER certificate for management access, not a CA certificate as you need for deep inspection

- you need to upload that server certificate + key to FortiGate/FortiWeb

- you need to set that as HTTPS server certificate under Administration/System Settings so FortiGate/FortiWeb presents the certificate when you try to connect to it on the management interface.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
seshuganesh
Staff
Staff

Hi Team,

 

You have to use normal certificate for selecting for management access, you should use either CA or sub CA for the SSL decryption.

Also, you have to use domain name as the subject alternative identifier and CN name as the modern browsers not accepting certificate with private IP.

Step-1: You will try to access firewall with some domain name.

Step-2: Domain name should point to firewall LAN IP in the internal DNS server.

Step-3: Install that CA in the specific machine.

Now you try to access, keep us posted

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors