Importing certificates for GUI access

To use a customized certificate for FortiADC Manager's GUI access, use either of the following two options to import the certificate.

 

Option 1: Importing the certificate from external location

Generate a Certificate Signing Request (CSR) on FortiADC Manager, and have it signed by a trusted Certification Authority (CA). This is done using a private key generated on FortiADC Manager during the CSR generation process.

  1. Generate the CSR with the following command:
    exec certificate local generate <cert_name>...
    The "cert_name" above is the administrative name of the certificate object in FortiADC Manager. Use Tab and ? to discover all the options and parameters for the CSR. The "subject" should match the hostname (or possibly the IP address) used to access FortiADC Manager, so that users do not receive certificate warnings.
  2. Export the CSR to have it signed by the CA using the following command:
    exec certificate local export tftp <cert_name> <file_name> <IP_of_TFTP_server>
    The "cert_name" is the name used in step 1. "file_name" is the name the file will have in the TFTP server directory, typically with a .csr or .pem suffix.
  3. Import the signed certificate into FortiADC Manager (FortiADC-CM) using the following command:
    exec certificate local import tftp <file_name> <IP_of_TFTP_server>
    The "file_name" is the name of the file on the TFTP server. FortiADC Manager automatically maps it to the corresponding CSR generated in step 1.
  4. (optional) If the certificate is signed by an intermediate CA that chains in one or more steps to the root CA trusted by the clients, the intermediate CA certificates need to be imported so that FortiADC Manager can present them when the TLS connection is established.
    • Import the intermediate certificate(s) using the following command:

      exec certificate intermediate_ca import tftp <intermediate_file_name> <IP_of_TFTP_server>

      The "intermediate_file_name" is the name of the intermediate CA file as read from the TFTP server. This name, without the filename suffix, will also be the name of the intermediate CA certificate object in FortiADC Manager's CLI.

    • Repeat the above step until all the intermediate CA certificates are imported.

    • Create an intermediate CA group. The following configuration adds two intermediate CAs to the group; this is just an example, and you can add more or fewer as needed.

      config system certificate intermediate_ca_group
      edit <myGroupName>
      config group_member
      edit 1
      set ca <name_of_first_intermediate_CA_cert>
      next
      edit 2
      set ca <name_of_second_intermediate_CA_cert>
      next
      end
      end

  5. Activate the intermediate CA group and the custom certificate to be used by the HTTPS server on FortiADC Manager:

    config system global
    set default-certificate <cert_name>
    set default-intermediate-ca-group <myGroupName>
    end

    The "<cert_name>" is the one used in step 1, and "myGroupName" is the one set in step 4.

 

Option 2: Importing both certificate and private key from external location

In this option, you import both the certificate and private key externally.

  1. Create the certificate and key object using the following commands.
    Use quotation marks to start and end multi-line input. A multi-line certificate can be pasted in one go when the quotation marks are placed correctly.
    Important: The private key needs to be in unencrypted PEM format; it will later be encrypted for storage on the FortiADC Manager.

    config system certificate local
    edit <cert_name>
    set private-key "-----BEGIN RSA PRIVATE KEY-----
    >
    >
    > -----END RSA PRIVATE KEY-----"
    set certificate "-----BEGIN CERTIFICATE-----
    >
    >
    > -----END CERTIFICATE-----"
    end
    end

    The certificate is now created/imported together with its private key.

  2. (optional) Refer to step 4 in Option 1 if you need to import intermediate CAs.
  3. Activate the certificate as introduced in step 5 of Option 1.
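Before pasting key material in Option 2 step 1, it is worth checking that the key really is an unencrypted PEM block and that each block's BEGIN and END labels match, since a mis-pasted block is only rejected after the key has already been typed into the CLI. The following script is an added example and is not part of the Fortinet documentation or product; its PEM bodies are constructed placeholders, and the stanza it builds mirrors the CLI shown above.

```python
import base64
import binascii
import re

# One PEM block: group 1 = BEGIN label, 2 = body, 3 = END label.
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END ([A-Z0-9 ]+)-----", re.S)
KEY_LABELS = {"RSA PRIVATE KEY", "EC PRIVATE KEY", "PRIVATE KEY"}


def check_pem(pem, kind):
    """Return problems found in a PEM block (kind: "key" or "cert"); [] means OK to paste."""
    m = PEM_RE.search(pem.strip())
    if not m:
        return ["no complete PEM block (missing BEGIN or END line)"]
    begin, body, end = m.groups()
    problems = []
    if begin != end:
        problems.append("BEGIN label %r does not match END label %r" % (begin, end))
    if kind == "key":
        # Encrypted keys are either PKCS#8 "ENCRYPTED PRIVATE KEY" or carry a Proc-Type header.
        if begin == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
            problems.append("private key is encrypted; FortiADC Manager needs an unencrypted PEM key")
        elif begin not in KEY_LABELS:
            problems.append("label %r is not a private key" % begin)
    elif begin != "CERTIFICATE":
        problems.append("label %r is not a certificate" % begin)
    # Body must be base64; legacy "Name: value" header lines and blank lines are skipped.
    b64 = "".join(l.strip() for l in body.splitlines() if l.strip() and ":" not in l)
    try:
        if not base64.b64decode(b64, validate=True):
            raise ValueError
    except (binascii.Error, ValueError):
        problems.append("body is empty or not valid base64 (truncated or corrupted paste)")
    return problems


def cli_stanza(cert_name, key_pem, cert_pem):
    """Build the 'config system certificate local' stanza, refusing bad input."""
    problems = check_pem(key_pem, "key") + check_pem(cert_pem, "cert")
    if problems:
        raise ValueError("; ".join(problems))
    return "\n".join(["config system certificate local", "edit %s" % cert_name,
                      'set private-key "%s"' % key_pem.strip(),
                      'set certificate "%s"' % cert_pem.strip(), "end"])


# Constructed placeholder blocks (not real key or certificate material).
GOOD_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIIBAgMBAAE=\n-----END RSA PRIVATE KEY-----\n"
GOOD_CERT = "-----BEGIN CERTIFICATE-----\nMIIBAgMBAAE=\n-----END CERTIFICATE-----\n"
# A key block accidentally closed with an END CERTIFICATE line (a common copy/paste slip).
MISMATCHED_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIIBAgMBAAE=\n-----END CERTIFICATE-----\n"
ENCRYPTED_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                 "DEK-Info: AES-256-CBC,00\n\nMIIBAgMBAAE=\n-----END RSA PRIVATE KEY-----\n")
```

Run check_pem on the real key and certificate files before opening the CLI session; cli_stanza then only emits the paste when both blocks pass.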
