Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Antoine
New Contributor II

Subordinate CA certificate showed within local (end-entity), not within Fortinet CA certs

I have created a new certificate request for local certificates (using the GUI), using ECDSA p256 cryptographic parameters.

Then I signed it at my root CA with a template of subordinate CA (basic constraint cA:TRUE); and I imported the signed certificate back into the FG. Of course the certificate of the root CA is itself trusted by the FG.

However, the new certificate does not appear in the GUI along the "local CA certificates" as I would expect, rather along the other "certificates." Is it correct? or is it a simple GUI bug?

 

I do know that at the CLI level all those certificates are handled jointly, so I do not believe this could have a functional impact. Also I am able to correctly select the new (sub) CA for deep inspection, and it works flawlessly.

3 REPLIES 3
boneyard
Valued Contributor

which version, in 6.2 i have the sub CA listed under: Remote CA Certificate

Antoine
New Contributor II

As I marked as a tag, I was seeing that on 6.0 (actually 6.0.11). However it seems to me the same thing is occurring on 6.2.5 as well: the sub-CA certificate which the device has the key for appears as "Local certificate".

 

Did you generate the private key for the subordinate CA on your device (as opposed to importing the Sub-CA certificate, along with its key, into the Fortigate)?

 

Also, I agree Sub-CA certificates for which the device does NOT have the private key would appear as "Remote CA"/"External CA" certificates, as one can expect (which is what confuses me, done for ones but not others.)

boneyard
Valued Contributor

yeah, sorry didnt notice the tag.

 

did some testing around this and you can make the argument it works ok, but you can also say it doesnt.

 

if you load a certificate with key it ends up at local.

 

if it is a the root CA it shows up at local CAs, if it is an intermediate / subordinate CA it ends up at certificates. doesnt seem to matter if a local key or imported key is used.

 

contact your Fortinet sales contact and request the sub CA category in the GUI

 

 

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors