Improved certificate UX

EMS 7.2 introduces a certificate management feature that lets you create, store, and use certificates for the various EMS services from one centralized page. You can see which service uses which certificate, and you can keep multiple custom certificates on EMS at the same time to use for different services.

EMS supports the following certificate types:

  • Default
  • FortiCare
  • User-uploaded:
    • PEM
    • DER
    • PKCS12
  • ACME

You can configure a certificate for the following EMS services:

  • Web server
  • Endpoint control
  • Chromebook

The following procedures describe how to configure an ACME certificate or manually upload a certificate to EMS. The other certificate types do not require user upload or configuration. Server Certificates shows the default certificate. If you are logged in to your FortiCloud account, the page also shows FortiCare certificates. You cannot delete the default and FortiCare certificates. When a FortiCloud account is configured, EMS uses the FortiCare certificate by default, and you cannot assign the default certificate to the web server and Chromebook services. You also cannot delete a certificate that is assigned to a service. The Assigned To column indicates which certificate is applied to each service.

This feature is unavailable in FortiClient Cloud.

To configure an automated SSL certificate in EMS:
  1. Go to System Settings > EMS Settings.
  2. Ensure that Remote HTTPS access and Redirect HTTP request to HTTPS are enabled. Externally accessing EMS via ports 80 and 443 using the configured fully qualified domain name (FQDN) is possible.
  3. Add an automated certificate:
    1. Go to System Settings > Server Certificates.
    2. Click Add.
    3. For Type, select Automated.
    4. In the Domain field, enter the EMS FQDN. For the Let's Encrypt server to issue the certificate, the public DNS server must resolve the EMS FQDN to the EMS public IP address.
    5. In the Email field, enter a valid email address.
    6. If desired, enable Auto Renew. When you enable Auto Renew, EMS automatically renews the certificate before expiry.
    7. If desired, expand Advanced to configure a certificate authority (CA) server address and HTTP challenge port to communicate with an alternative public CA.
    8. Select the checkbox to agree to Let's Encrypt's terms of service.
    9. Click Import.
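
The DNS requirement in the Domain step can be checked before you click Import. The following is an added example, not Fortinet code: `acme_preflight`, `ems.example.com`, and the addresses are constructed for illustration, and the default resolver is whatever the local host uses, which may answer differently from public DNS if you run split-horizon DNS.

```python
import ipaddress
import socket

# RFC 1918 and loopback ranges: a public CA cannot reach these.
NON_PUBLIC = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def system_resolver(fqdn):
    """Return every A/AAAA address the local resolver gives for fqdn."""
    infos = socket.getaddrinfo(fqdn, 80, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def acme_preflight(fqdn, ems_public_ip, resolver=system_resolver):
    """List the DNS problems that would block HTTP challenge validation."""
    if fqdn.startswith("*."):
        return ["wildcard names cannot be validated with an HTTP challenge"]
    expected = ipaddress.ip_address(ems_public_ip)
    try:
        answers = [ipaddress.ip_address(a) for a in resolver(fqdn)]
    except (OSError, ValueError) as exc:
        return [f"{fqdn} does not resolve: {exc}"]
    problems = []
    for addr in answers:
        kind = "AAAA" if addr.version == 6 else "A"
        if any(addr in net for net in NON_PUBLIC):
            problems.append(f"{kind} record {addr} is a private address")
        elif addr != expected:
            # Let's Encrypt prefers IPv6 when an AAAA record exists, so a
            # stale AAAA fails validation even if the A record is right.
            problems.append(f"{kind} record {addr} does not point at EMS")
    if expected not in answers:
        problems.append(f"no record for {fqdn} resolves to {expected}")
    return problems

if __name__ == "__main__":
    # Constructed sample: documentation-range addresses, stubbed resolver.
    stub = lambda name: ["203.0.113.10", "2001:db8::5"]
    for line in acme_preflight("ems.example.com", "203.0.113.10", stub) or ["ok"]:
        print(line)
```

An empty list means every record for the FQDN points at the EMS public IP address. It does not confirm that ports 80 and 443 are reachable from outside.
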

To manually upload an SSL certificate in EMS:
  1. Go to System Settings > Server Certificates.
  2. Click Add.
  3. For Type, select Upload PKCS12 or Upload PEM.
  4. In the Certificate field, browse to and select the desired certificate.
  5. In the Certificate Password field or Private Key field, configure the desired password or private key for the certificate.
  6. Click Upload.

After configuring a certificate, you can assign a certificate to a service by going to System Settings > EMS Settings and selecting the certificate from the Webserver certificate, Endpoint Control certificate, or Chromebook certificate dropdown list.
