Support Forum
Alaric
New Contributor

SSL Certificate For Management

Hello Everyone,

I have a Microsoft CA server in my network,

and I can use it in deep inspection and it worked properly,

but many times I tried to create a certificate for MGMT access in FWB and FGT and the result was not successful.

Please help me to solve this problem.

I tried to create the certificate with FQDN and IP.

1 Solution
seshuganesh
Staff
Staff

Hi Team,

You have to use a normal certificate for management access; you should use either a CA or sub-CA for SSL decryption.

Also, you have to use the domain name as the subject alternative identifier and CN name, as modern browsers do not accept certificates with a private IP.

Step-1: You will try to access the firewall with some domain name.

Step-2: The domain name should point to the firewall LAN IP in the internal DNS server.

Step-3: Install that CA on the specific machine.

Now try to access it and keep us posted.


3 Replies
pminarik
Staff
Staff

Hi Alaric,

 

In modern browsers, the certificate needs to contain the address used to access the GUI. This IP or FQDN needs to be included in the Subject Alternative Name (SAN) field of the certificate.

 

For example:

FortiGate accessed via https://192.0.2.1/... → Certificate SAN must include 192.0.2.1

FortiGate accessed via https://firewall.mydomain.com/... → Certificate SAN must include firewall.mydomain.com (or *.mydomain.com)

 

For a real-world example, you can inspect the certificate used for this Community website:

[Image: TLS certificate SAN field for community.fortinet.com]

Notice the FQDN in the address bar at the top (this is what must be included in the certificate's SAN field), and the content of the SAN field of the certificate ("community.fortinet.com" included = certificate valid)

 

For the sake of completeness, the other usual certificate requirements are still in place (non-exhaustive list: the certificate must be within its validity period, must be signed by a CA trusted by your client device, and should not use a SHA1 signature (no longer trusted)).

 

Can you confirm if you are including the correct SAN in your attempts already?

[ corrections always welcome ]
Debbie_FTNT
Staff
Staff

In addition to my colleague's comments, also note this:

- you need a SERVER certificate for management access, not a CA certificate as you need for deep inspection

- you need to upload that server certificate + key to FortiGate/FortiWeb

- you need to set that as HTTPS server certificate under Administration/System Settings so FortiGate/FortiWeb presents the certificate when you try to connect to it on the management interface.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
