Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
GiuseppeB
New Contributor III

deploying ssl decryption cert using forticlient/fortigate

Hello,

 

im wondering if there is a way to deploy the cert for ssl decryption to all users? I dont want to do it manually for everyone, we dont have on prem DC.

 

Is there a way to push the cert to the client using forticlient?

 

G

6 REPLIES 6
amouawad
Staff
Staff

Yes there is; you can use EMS to push out the SSL certificate to all registered FortiClients. Under Endpoint Profiles > System Settings there is an option to install CA certificate on client.

GiuseppeB
New Contributor III

Hello,

 

thanks for the reply, exist any scenario to deploy what i want without the use of EMS, so only with the interation with fortigate/forticlient?

jhussain_FTNT

Hi,

 

You need to go either with EMS server or with pushing via the group policy via the DC. There is no other option to send to Forticlient.

 

Regards

Jamal

Cajuntank

How do you manage your user devices currently? You said you don't have a on-prem DC, so does this mean you have a DC in Azure maybe? Are you maybe using a MDM like InTune or AirWatch, etc... You can deploy the certificate to your devices via your MDM.

GiuseppeB
New Contributor III

The question I asked arises because before buying fortigate I had Palo Alto, and with global protect you had the opportunity to push the deep-inspection certificate directly from globalprotect,
so I thought that on the fortinet side there was a similar system that did not provide for an additional application such as EMS.

 

We don't have a DC, the company is very small and it's not necessary with the current infrastructure.

Cajuntank

Hmmm...someone might come with some other automated GUI way to do this, but if you don't have any form of device management at your disposal, then you will have to rely on yourself or the user to perform this task. The task can be simplified from the user's side of things by use of a script (and this is making some assumptions as you did not say what type of devices you have, so I am going to assume Windows). This gets into the weeds quick if you are not a scripter, but the idea would be that you have your users run this script (maybe you zip the cert and script up, send it via email with instructions on what to do, etc...) and it installs the certificate into the correct cert store on their computer. You can do a simple Google search for "script to install certificate in trusted root" for example and dive down that rabbit hole.

 

Note: adding as well to this, you might want to consider some form of MDM for this and future needs of device management. I know you said your org was small. ManageEngine for example offers a free MDM for up to 25 devices. I don't use theirs, but I was just using them as an example due to their free offering. I'm sure others have something similar you could investigate.

Top Kudoed Authors