Local certificates
The FortiAnalyzer unit generates a certificate signing request (CSR) from the identity information you enter for it. The request carries only the public key and the subject details; the matching private key is generated on the unit and stays there. After you generate the request, download it to a computer that has management access to the FortiAnalyzer unit and forward it to a CA for signing.
The Local Certificates page also lets you import certificates, view their details, and download them for use in authentication.
The FortiAnalyzer has one default local certificate: Fortinet_Local.
You can manage local certificates from the System Settings > Certificates > Local Certificates page. Some options are available in the toolbar and some are also available in the right-click menu.
In order to safeguard against compromise, in FortiAnalyzer 7.0.10, FAZ-VM license files contain a unique certificate which is tied to the device's serial number.
Creating a local certificate
To create a certificate request:
- Go to System Settings > Certificates > Local Certificates.
- Click Create New in the toolbar. The Generate Certificate Signing Request pane opens.
- Enter the following information as required, then click OK to save the certificate request:
Certificate Name
The name of the certificate.
Subject Information
Select the ID type from the dropdown list:
- Host IP: Select if the unit has a static IP address. Enter the public IP address of the unit in the Host IP field.
- Domain Name: Select if the unit has a dynamic IP address and subscribes to a dynamic DNS service. Enter the domain name of the unit in the Domain Name field.
- Email: Select to use an email address. Enter the email address in the Email Address field.
Optional Information
Organization Unit (OU)
The name of the department. You can enter a series of OUs up to a maximum of 5. To add or remove an OU, use the plus (+) or minus (-) icons.
Organization (O)
Legal name of the company or organization.
Locality (L)
Name of the city or town where the device is installed.
State/Province (ST)
Name of the state or province where the FortiAnalyzer unit is installed.
Country (C)
Select the country where the unit is installed from the dropdown list.
E-mail Address (EA)
Contact email address.
Subject Alternative Name
Optionally, enter one or more alternative names for which the certificate is also valid. Separate names with a comma.
A name can be:
- e-mail address
- IP address
- URI
- DNS name (alternatives to the Common Name)
- directory name (alternatives to the Distinguished Name)
You must precede the name with the name type. Examples:
- IP:1.1.1.1
- email:test@fortinet.com
- email:my@other.address
- URI:http://my.url.here/
Key Type
The key type can be RSA or Elliptic Curve.
Key Size
Select the key size from the dropdown list: 512 Bit, 1024 Bit, 1536 Bit, or 2048 Bit. This option is only available when the key type is RSA. Use 2048 Bit: 512- and 1024-bit RSA keys fall below current minimum key-length guidance, and many CAs and TLS clients reject certificates that use them.
Curve Name
Select the curve name from the dropdown list: secp256r1 (default), secp384r1, or secp521r1. This option is only available when the key type is Elliptic Curve.
Enrollment Method
The enrollment method is set to File Based.
Importing local certificates
To import a local certificate:
- Go to System Settings > Certificates > Local Certificates.
- Click Import in the toolbar or right-click and select Import. The Import dialog box opens.
- Enter the following information as required, then click OK to import the local certificate:
Type
Select the certificate type from the dropdown list: Local Certificate, PKCS #12 Certificate, or Certificate.
Certificate File
Click Browse... and locate the certificate file on the management computer, or drag and drop the file onto the dialog box.
Key File
Click Browse... and locate the key file on the management computer, or drag and drop the file onto the dialog box.
This option is only available when Type is Certificate.
Password
Enter the certificate password.
This option is only available when Type is PKCS #12 Certificate or Certificate.
Certificate Name
Enter the certificate name.
This option is only available when Type is PKCS #12 Certificate or Certificate.
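The two procedures above, creating a file-based request and bringing the signed result back through the Import dialog, can be rehearsed end to end on the management computer. The script below is an added example, not Fortinet's code: it builds a request with the same subject and Subject Alternative Name fields the Generate Certificate Signing Request pane asks for, vets the key type, key size and SANs before the request is forwarded, signs it with a constructed test CA, verifies the issued certificate, and bundles it as PKCS #12 for the "PKCS #12 Certificate" import type. It assumes openssl 1.1.1 or later is installed; faz.example.com, 192.0.2.10, secops@example.com and the password changeit are placeholders.

```shell
#!/bin/sh
# Added example, not Fortinet code. Stands in for the CSR the Generate
# Certificate Signing Request pane produces, vets it before it goes to the CA,
# signs it with a constructed test CA, and packages the result for the Import
# dialog. Assumes openssl 1.1.1 or later on the management computer; the
# names faz.example.com, 192.0.2.10 and secops@example.com are placeholders.
set -eu

WORK=$(mktemp -d)
SAN="DNS:faz.example.com,IP:192.0.2.10,email:secops@example.com"

# Stand-in for the request downloaded from the unit. On a real FortiAnalyzer
# the private key never leaves the appliance; here it is generated locally so
# the whole flow can run offline. Mirrors the pane's Subject Information fields.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/faz.key" -out "$WORK/faz.csr" \
        -subj "/C=US/ST=California/L=Sunnyvale/O=Example Corp/OU=SecOps/CN=faz.example.com/emailAddress=secops@example.com" \
        -addext "subjectAltName=$SAN" >/dev/null 2>&1
    printf '%s\n' "$WORK/faz.csr"
}

# Key algorithm as openssl names it: rsaEncryption or id-ecPublicKey.
csr_key_algo() {
    openssl req -in "$1" -noout -text | sed -n 's/.*Public Key Algorithm: \(.*\)/\1/p' | head -n 1
}

# Key size in bits (RSA modulus length, or EC field size).
csr_key_bits() {
    bits=$(openssl req -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    printf '%s\n' "${bits:-0}"
}

# The SAN line of the request, empty when none was requested.
csr_sans() {
    openssl req -in "$1" -noout -text \
        | awk '/X509v3 Subject Alternative Name/ { getline; sub(/^ +/, ""); print; exit }'
}

# Gate before forwarding to the CA: the 512, 1024 and 1536 Bit RSA choices in
# the Key Size list are rejected; 2048 Bit RSA and the offered EC curves pass.
csr_acceptable() {
    algo=$(csr_key_algo "$1")
    bits=$(csr_key_bits "$1")
    case "$algo" in
        rsaEncryption)  [ "$bits" -ge 2048 ] ;;
        id-ecPublicKey) [ "$bits" -ge 256 ] ;;
        *) return 1 ;;
    esac
}

# Constructed test CA standing in for the organisation's issuing CA.
make_test_ca() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" -out "$WORK/ca.csr" \
        -subj "/O=Example Corp/CN=Example Test CA" >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
    openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 3650 \
        -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# Sign the request. The SANs are restated via -extfile because openssl x509
# drops requested extensions unless told to carry them over.
sign_csr() {
    printf 'subjectAltName=%s\nextendedKeyUsage=serverAuth\n' "$SAN" > "$WORK/faz.ext"
    openssl x509 -req -in "$1" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -days 365 -extfile "$WORK/faz.ext" -out "$WORK/faz.crt" >/dev/null 2>&1
    printf '%s\n' "$WORK/faz.crt"
}

# Confirm the issued certificate chains to the CA before importing it.
cert_verified() {
    openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

# Bundle certificate, key and issuing CA for the Import dialog's
# "PKCS #12 Certificate" type ($1 = output path, $2 = the dialog's Password).
# Only applies when the key was generated off-box, as in this rehearsal.
make_pkcs12() {
    openssl pkcs12 -export -in "$WORK/faz.crt" -inkey "$WORK/faz.key" \
        -certfile "$WORK/ca.crt" -name faz-local -passout pass:"$2" -out "$1"
}

# Check the bundle opens with the password that will be typed into the dialog.
pkcs12_readable() {
    openssl pkcs12 -in "$1" -passin pass:"$2" -noout >/dev/null 2>&1
}

# Stand-alone run of the whole flow.
CSR=$(make_csr)
echo "key: $(csr_key_algo "$CSR") $(csr_key_bits "$CSR") bit"
echo "sans: $(csr_sans "$CSR")"
csr_acceptable "$CSR" && echo "request acceptable, forward to CA"
make_test_ca
CRT=$(sign_csr "$CSR")
cert_verified "$CRT" && echo "issued certificate verifies against test CA"
make_pkcs12 "$WORK/faz.p12" changeit && echo "bundle: $WORK/faz.p12"
```

For a request generated on the unit itself you would not have faz.key and would skip make_pkcs12; the signed certificate returned by the CA is what goes back through the Import dialog, and the Key File field stays unused because the key is already on the appliance. The csr_acceptable gate is the check worth keeping: it turns the Key Size advice into something enforced before the request reaches the CA.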
Deleting local certificates
To delete a local certificate or certificates:
- Go to System Settings > Certificates > Local Certificates.
- Select the certificate or certificates you need to delete.
- Click Delete in the toolbar, or right-click and select Delete.
- Click OK in the confirmation dialog box to delete the selected certificate or certificates.
Viewing details of local certificates
To view details of a local certificate:
- Go to System Settings > Certificates > Local Certificates.
- Select the certificate whose details you want to see, then click View Certificate Detail in the toolbar or right-click menu. The View Local Certificate page opens.
- Click OK to return to the local certificates list.
Downloading local certificates
To download a local certificate:
- Go to System Settings > Certificates > Local Certificates.
- Select the certificate that you need to download.
- Click Download in the toolbar, or right-click and select Download, and save the certificate to the management computer.