Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Handbook

    Home FortiADC 6.2.1 Handbook
    6.2.1
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.1.4
    7.1.3
    7.1.2
    7.1.1
    7.1.0
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.6
    6.1.5
    6.1.4
    6.1.3
    6.1.2
    6.1.1
    6.1.0
    6.0.1
    6.0.0
    5.4.3
    5.4.2
    5.4.1
    5.4.0
    5.3.6
    5.3.5
    5.3.4
    5.3.3
    5.3.2
    5.3.1
    5.3.0
    5.2.7

    Importing CAs

    Importing CAs

    The certificate authority (CA) store is used to authenticate the certificates of other devices. When the FortiADC system is presented with a certificate, it examines the CA’s signature, comparing it with the copy of the CA’s certificate already imported into the CA store. If the public key matches the private key, the client's or device’s certificate is considered legitimate.

    In web browsers, the CA store includes trusted root CAs that can be used to establish trust with servers that have certificates signed by the issuing CAs. In an SSL forward proxy deployment, FortiADC acts as a proxy for the client, so you might want to import client browser CAs, create a CA group, and create a certficate verification policy to verify server certificates against this group. You can examine the CA store in common web browsers to come up with a good list of CAs to download and then import. The following list has links for some common web browsers:

    You must do one of the following:

    • Import the certificates of the signing CA and all intermediate CAs to FortiADC’s store of CA certificates.
    • In all personal certificates, include the full signing chain up to a CA that FortiADC knows in order to prove that the clients’ certificates should be trusted.
    • If the signing CA is not known, that CA’s own certificate must likewise be signed by one or more other intermediary CAs, until both the FortiADC appliance and the client or device can demonstrate a signing chain that ultimately leads to a mutually trusted (shared “root”) CA that they have in common. Like a direct signature by a known CA, this proves that the certificate can be trusted.

    Before you begin, you must:

    • Have Read-Write permission for System settings.
    • Know the URL of an SCEP server or have downloaded the certificate and key files and be able to browse to them so that you can upload them.
    To import a CA:
    1. Go to System > Certificate > Verify.
    2. Click the CA tab.
    3. Click Import to display the configuration editor.
    4. Complete the configuration as described in CA import configuration.
    5. Click Save when done.
    6. Repeat Steps 3 through 5 to import as many CAs as needed.

    CA import configuration
    Settings Guidelines
    Certificate Name Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. The maximum length is 35 characters. No space is allowed.
    Import Method
    • SCEP—Use Simple Certificate Enrollment Protocol. SCEP allows routers and other intermediary network devices to obtain certificates.
    • File—Upload a file.
    SCEP
    SCEP URL Enter the URL of the SCEP server.
    CA Identifier Enter the identifier for a specific CA on the SCEP server.
    File
    Local PC Browse for the certificate file on the local machine and upload it to FortiADC.
    Previous
    Next

    Importing CAs

    Importing CAs

    The certificate authority (CA) store is used to authenticate the certificates of other devices. When the FortiADC system is presented with a certificate, it examines the CA’s signature, comparing it with the copy of the CA’s certificate already imported into the CA store. If the public key matches the private key, the client's or device’s certificate is considered legitimate.

    In web browsers, the CA store includes trusted root CAs that can be used to establish trust with servers that have certificates signed by the issuing CAs. In an SSL forward proxy deployment, FortiADC acts as a proxy for the client, so you might want to import client browser CAs, create a CA group, and create a certficate verification policy to verify server certificates against this group. You can examine the CA store in common web browsers to come up with a good list of CAs to download and then import. The following list has links for some common web browsers:

    You must do one of the following:

    • Import the certificates of the signing CA and all intermediate CAs to FortiADC’s store of CA certificates.
    • In all personal certificates, include the full signing chain up to a CA that FortiADC knows in order to prove that the clients’ certificates should be trusted.
    • If the signing CA is not known, that CA’s own certificate must likewise be signed by one or more other intermediary CAs, until both the FortiADC appliance and the client or device can demonstrate a signing chain that ultimately leads to a mutually trusted (shared “root”) CA that they have in common. Like a direct signature by a known CA, this proves that the certificate can be trusted.

    Before you begin, you must:

    • Have Read-Write permission for System settings.
    • Know the URL of an SCEP server or have downloaded the certificate and key files and be able to browse to them so that you can upload them.
    To import a CA:
    1. Go to System > Certificate > Verify.
    2. Click the CA tab.
    3. Click Import to display the configuration editor.
    4. Complete the configuration as described in CA import configuration.
    5. Click Save when done.
    6. Repeat Steps 3 through 5 to import as many CAs as needed.

    CA import configuration
    Settings Guidelines
    Certificate Name Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. The maximum length is 35 characters. No space is allowed.
    Import Method
    • SCEP—Use Simple Certificate Enrollment Protocol. SCEP allows routers and other intermediary network devices to obtain certificates.
    • File—Upload a file.
    SCEP
    SCEP URL Enter the URL of the SCEP server.
    CA Identifier Enter the identifier for a specific CA on the SCEP server.
    File
    Local PC Browse for the certificate file on the local machine and upload it to FortiADC.
    Previous
    Next