Assign CA certificate to Fortigate https WAN interface
Solution 1
Upload your certificates to the firewall, Fortigate certificate user guide will help you out on this. Now to use this certificate for HTTPS admin access. Use the following CLI commands:
config system global
set admin-server-cert <certname>
end
Solution 2
Okay this is what I did on 5.2 so that I could use a certificate signed by our internal CA:
- System->Certificates->Local Certificates->Generate (this will generate the CR)
- Check-click the newly created CR and Download it and process it on your favorite CA
- System->Certificates->Local Certificates->Import (this will import the signed cert), set Type to 'Local Certificate if it isn't already. The FortiGate should now have the CA info filled in for what was the CR.
- Follow instructions above for setting the certificate as the admin interface cert:
Note this article that helps a little bit. However it's a little incomplete:
- First do a 'conf system global'
- Then do a 'set admin-server-cert ?' to pull up a list
- Then 'set admin-server-cert < certname >' and then end
Related videos on Youtube
04 : 12
06 : 45
18 : 23
13 : 30
02 : 17
Myles Gray
Updated on September 18, 2022Comments
-
Myles Gray over 1 year
I have a Fortigate 80C that allows remote administration via https.
I access the URL and all fine but the one thing that really bugs me is that is brings up "untrusted connection" in chrome with the whole "click to proceed" thing.
At the moment the cert is self-signed by the Fortigate unit.
On the unit there are 5 CA signed certs for use but I cannot figure out how to assign these certs to the routers interfaces.
Does anyone know how to assign the CA signed certs to the WAN interface on port 443 so it wont ask me to confirm the cert all the time?
(I know the traffic is still encrypted but it is still nice to have)
-
LaikaN57 over 12 yearsSorry I downvoted, but this is a low quality answer for multiple reasons. 1) You simply provided a link with no explanation of what the link contains 2) the link goes to a 60+ page PDF without any hints as to where in the document an answer might be found 3) as best I can tell, the document does not contain an answer to the question. Link-only answers are heavily discouraged here; see meta.stackexchange.com/questions/8231
-
Martijn over 9 yearsThanks, I had a hard time figuring this out. It's really weird that there doesn't seem to be a GUI option for this.
-
David Tonhofer over 7 yearsThis seems to be for another problem: Using packet inspection on encrypted data passing through -
David Tonhofer over 7 yearsConfirmed to work on a FortiGate 30D. The first part is the same procedure as used for VPN SSL certificate explained in this FortiNet brochure. The second part is the key. The interface is also unclear what to do when you have the leaf certificate, a self-signed root certificate and (say) 2 intermediate certificates. In the end, I uploaded the CA root and the 2 intermediate certs as "CA Certificates" in System > Certificates, which is not really true but apparently works.
-
David Tonhofer over 7 yearsOne may also have to make the "Certificates" option visible first as it is initially hidden (why!). This is done by System -> Config -> Features -> Show More -> Certificates -> On
-
David Tonhofer over 7 yearsYet another resource which I haven't used actually: FortiOS Certificate Management: A step-by-step guide on managing certificates in FortiOS
