Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
bbartik
New Contributor

Created on ‎12-05-2023 04:22 PM Edited on ‎02-26-2024 05:37 AM By Community Manager

FortiManager - Custom CA certificate for SSL Decryption

I followed these steps to import a CA certificate and key for decryption:

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-import-the-CA-certificate-for-full-...

 

The certificate now shows up in Local CA certificates. However, in FortiManager > Policy & Objects, I do not see this certificate as available in the SSL Inspection profile. 

 

How can I use this certificate for SSL decryption when configuring from FortiManager?

 

If I try to do it locally on the firewall, the CA certificate is available in the profile, just not in FortiManager.

 

Thanks,

626
0 Kudos
1 Solution
Debbie_FTNT
Staff
Staff
In response to bbartik

Created on ‎12-06-2023 01:28 AM

Hey bbartik - did you upload the CA certificate to FortiGate directly?

If yes, FortiManager would not be aware of the certificate, and you need to either import policies again (that should add the certificate to ADOM objects as well, I believe).

The certificates in question should be under Dynamic Local Certificates (depends a bit on firmware version):

image.png

from a 7.4 FortiManager for example.
These certificates are essentially placeholders on FortiManager, mapped to specific CA certificates on the individual FortiGates, and created during policy import.
As an alternative, you can simply create a certificate in FortiManager in the local dynamic certificates, delete the certificate you currently have on FortiGate, then set up the inspection profile in FortiManager, select the certificate and push both profile AND certificate in one go.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++

View solution in original post

577
4 REPLIES 4
jasonhong
Staff
Staff

Created on ‎12-05-2023 05:07 PM

Try navigating to Policy & objects > Objects Configurations > CLI Configurations > Objects > vpn > certificate > ca

 

* If CLI Configurations tab is not visible, you can enable via Tools > Feature Visibility > CLI Configurations > Objects

608
bbartik
New Contributor

Created on ‎12-05-2023 09:54 PM

It still doesn't show up as available in the SSL profile. Did you test that?

585
0 Kudos
Debbie_FTNT
Staff
Staff
In response to bbartik

Created on ‎12-06-2023 01:28 AM

Hey bbartik - did you upload the CA certificate to FortiGate directly?

If yes, FortiManager would not be aware of the certificate, and you need to either import policies again (that should add the certificate to ADOM objects as well, I believe).

The certificates in question should be under Dynamic Local Certificates (depends a bit on firmware version):

image.png

from a 7.4 FortiManager for example.
These certificates are essentially placeholders on FortiManager, mapped to specific CA certificates on the individual FortiGates, and created during policy import.
As an alternative, you can simply create a certificate in FortiManager in the local dynamic certificates, delete the certificate you currently have on FortiGate, then set up the inspection profile in FortiManager, select the certificate and push both profile AND certificate in one go.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
578
bbartik
New Contributor
In response to Debbie_FTNT

Created on ‎12-06-2023 12:30 PM

Hi Debbie, thank you, using what you wrote and also finding this link below I was able to create dynamic "placeholder" certificate. Thanks!

 

https://community.fortinet.com/t5/FortiManager/Technical-Note-How-to-manage-Local-certificates-from/...

560
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.