Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • EMS Administration Guide

    Home FortiClient 7.2.4 EMS Administration Guide
    7.2.4
    7.4.1
    7.4.0
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.9
    6.4.8
    6.4.7
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.9
    6.2.8
    6.2.7
    6.2.6
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.0.8
    6.0.6
    6.0.5
    6.0.4
    6.0.3
    6.0.2
    6.0.1
    6.0.0

    EMS Server Certificates

    EMS Server Certificates

    You can view and manage certificates from EMS Server Certificates.

    EMS supports the following certificate types:

    Type

    Description

    Default

    EMS uses this certificate when there are no other available certificates. You cannot delete this certificate. Using the other certificate types is recommended. When other certificates are present, you cannot select the default certificate for use.

    Uploaded

    User-uploaded certificates. You can upload certificates in PEM, DER, or PKCS12 format. See Adding an SSL certificate to FortiClient EMS.

    ACME

    The public Let's Encrypt certificate authority uses the Automated Certificate Management Environment (ACME), as defined in RFC 8555 to provide free SSL server certificates. You can configure FortiClient EMS to use certificates that Let's Encrypt manages and other certificate management services that use the ACME protocol. See Adding an SSL certificate to FortiClient EMS.

    FortiCare

    When you apply or renew a license on EMS, EMS retrieves FortiCare-generated certificates with the license information. These certificates are named FCTEMS<serial number>.1.cert and FCTEMS<serial number>.2.cert. While browsers normally do not trust these certificates, they are preferred over the default certificate. In the case that only these certificates and the default certificate are available, EMS uses these certificates, with a preference for .1.cert over .2. cert. You cannot delete these certificates.

    EMS uses certificates for the following services. If EMS is currently using a certificate for a certain service, EMS Server Certificates displays this information in the Assigned To column:

    Service

    Description

    Ports used

    Web server

    Apache service and the Notify (websockets) daemon. This certificate must be trusted by any browser connecting to EMS or a warning is shown.

    You can configure the certificate for this service in System Settings > EMS Settings > Shared Settings. See Configuring EMS settings.

    Apache service:

    • 443 (GUI)
    • 10443 (installers)

    Notify (websockets) daemon: 8015

    Endpoint control

    Endpoint Control daemon.

    You can configure the certificate for this service in System Settings > EMS Settings > Shared Settings. See Configuring EMS settings.

    8013

    Chromebook

    Chromebook daemon.

    You can configure the certificate for this service in System Settings > EMS Settings > EMS for Chromebooks Settings. See Configuring EMS settings.

    8443

    You can delete certificates from EMS Server Certificates. If an ACME certificate is eligible for renewal (within 30 days of expiry), you can also select the certificate to renew it.

    Previous
    Next

    EMS Server Certificates

    EMS Server Certificates

    You can view and manage certificates from EMS Server Certificates.

    EMS supports the following certificate types:

    Type

    Description

    Default

    EMS uses this certificate when there are no other available certificates. You cannot delete this certificate. Using the other certificate types is recommended. When other certificates are present, you cannot select the default certificate for use.

    Uploaded

    User-uploaded certificates. You can upload certificates in PEM, DER, or PKCS12 format. See Adding an SSL certificate to FortiClient EMS.

    ACME

    The public Let's Encrypt certificate authority uses the Automated Certificate Management Environment (ACME), as defined in RFC 8555 to provide free SSL server certificates. You can configure FortiClient EMS to use certificates that Let's Encrypt manages and other certificate management services that use the ACME protocol. See Adding an SSL certificate to FortiClient EMS.

    FortiCare

    When you apply or renew a license on EMS, EMS retrieves FortiCare-generated certificates with the license information. These certificates are named FCTEMS<serial number>.1.cert and FCTEMS<serial number>.2.cert. While browsers normally do not trust these certificates, they are preferred over the default certificate. In the case that only these certificates and the default certificate are available, EMS uses these certificates, with a preference for .1.cert over .2. cert. You cannot delete these certificates.

    EMS uses certificates for the following services. If EMS is currently using a certificate for a certain service, EMS Server Certificates displays this information in the Assigned To column:

    Service

    Description

    Ports used

    Web server

    Apache service and the Notify (websockets) daemon. This certificate must be trusted by any browser connecting to EMS or a warning is shown.

    You can configure the certificate for this service in System Settings > EMS Settings > Shared Settings. See Configuring EMS settings.

    Apache service:

    • 443 (GUI)
    • 10443 (installers)

    Notify (websockets) daemon: 8015

    Endpoint control

    Endpoint Control daemon.

    You can configure the certificate for this service in System Settings > EMS Settings > Shared Settings. See Configuring EMS settings.

    8013

    Chromebook

    Chromebook daemon.

    You can configure the certificate for this service in System Settings > EMS Settings > EMS for Chromebooks Settings. See Configuring EMS settings.

    8443

    You can delete certificates from EMS Server Certificates. If an ACME certificate is eligible for renewal (within 30 days of expiry), you can also select the certificate to renew it.

    Previous
    Next