FortiGate — VM unique certificate

To safeguard against certificate compromise, FortiGate VM and FortiAnalyzer VM use the same deployment model as FortiManager VM where the license file contains a unique certificate tied to the serial number of the virtual device.

A hardware appliance usually comes with a BIOS certificate with a unique serial number that identifies the hardware appliance. This built-in BIOS certificate is different from a firmware certificate. A firmware certificate is distributed in all appliances with the same firmware version.

Because the BIOS certificate carries a built-in serial number, the peer in X.509 authentication can place a high level of trust in the identity it presents.

Since a VM appliance has no BIOS certificate, a signed VM license can provide an equivalent of a BIOS certificate. The VM license assigns a serial number to this BIOS-equivalent certificate, which binds the certificate to the specific virtual device in the same way a BIOS certificate is bound to a hardware appliance, and gives it the same high trust level.

Note

This feature is only supported in new, registered VM licenses.

Sample configurations

Depending on the firmware version and VM license, the common name (CN) on the certificate will be configured differently.

To view validated certificates:
  1. Go to System > Certificates.
  2. Double-click on a VM certificate. There are two VM certificates:
    • Fortinet_Factory
    • Fortinet_Factory_Backup

    The Certificate Detail Information window displays.

    • If you are using new firmware (6.2.0 and later) with a new VM license, the CN becomes the FortiGate VM serial number.

    • If you are using new firmware (6.2.0) with an old VM license, the CN remains as FortiGate. It does not change to the VM serial number.

    • If you are using old firmware (6.0.2) with a new VM license, the CN remains as FortiGate.
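The practical check behind the three cases above is whether the subject CN of the factory certificate is the VM serial number (device-bound) or the shared value FortiGate. The following is an added example, not Fortinet code: a minimal DER Name parser that extracts the CN and compares it with the expected serial. It assumes the DER-encoded subject has already been extracted from the certificate, and the serial used is a constructed placeholder.

```python
CN_OID = bytes.fromhex("550403")  # id-at-commonName, OID 2.5.4.3

def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _children(buf):
    """Yield (tag, value) for each TLV packed inside a constructed type."""
    pos = 0
    while pos < len(buf):
        tag, val, pos = _tlv(buf, pos)
        yield tag, val

def subject_cn(subject_der):
    """Return the commonName from a DER-encoded X.509 Name, or None."""
    _, rdn_seq, _ = _tlv(subject_der, 0)          # Name ::= SEQUENCE OF RDN
    for _, rdn_set in _children(rdn_seq):         # RDN  ::= SET OF AttributeTypeAndValue
        for _, atva in _children(rdn_set):        # ATVA ::= SEQUENCE { type OID, value }
            oid, value = [v for _, v in _children(atva)]
            if oid == CN_OID:
                return value.decode("utf-8")
    return None

def is_device_bound(subject_der, expected_serial):
    """True only when the CN is exactly the VM serial number, not the shared 'FortiGate'."""
    cn = subject_cn(subject_der)
    return cn is not None and cn != "FortiGate" and cn == expected_serial

def _der(tag, payload):
    """Encode a short-form DER TLV (payload under 128 bytes is enough for the samples)."""
    return bytes([tag, len(payload)]) + payload

def subject_with_cn(cn):
    """Build a DER Name holding a single CN RDN (constructed sample data)."""
    atva = _der(0x30, _der(0x06, CN_OID) + _der(0x13, cn.encode("ascii")))  # 0x13 = PrintableString
    return _der(0x30, _der(0x31, atva))

SERIAL = "FGVMXXXXXXXXXXXX"  # placeholder serial; a real one comes from the device
NEW_LICENSE_SUBJECT = subject_with_cn(SERIAL)       # new firmware + new license
OLD_LICENSE_SUBJECT = subject_with_cn("FortiGate")  # old license or old firmware
```

Feed the subject of Fortinet_Factory to is_device_bound together with the serial shown in System > Dashboard; a False result means the certificate is still the shared one and the license-bound identity is not in effect.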
