Fortinet Document Library

Version:


Table of Contents

New Features

6.2.0
Download PDF
Copy Link

FortiGate-VM Unique Certificate

To safeguard against certificate compromise, FortiGate VM and FortiAnalyzer VM allow the same deployment model as FortiManager VM whereby the license file contains a unique certificate tied to the virtual device's serial number.

A hardware appliance usually comes with a BIOS certificate with a unify serial number that identifies the hardware appliance. This built-in BIOS certificate is different from a firmware certificate. A firmware certificate is distributed in all appliances with the same firmware version.

Using a BIOS certificate with a built-in serial number provides a high trust level for the other side in X.509 authentication.

Since a VM appliance has no BIOS certificate, a signed VM license can provide an equivalent of a BIOS certificate. The VM license assigns a serial number in the BIOS equivalent certificate, which gives the certificate with an abstract access ability, i.e., the same as a BIOS certificate with the same high trust level.

Note

Only new, registered VM licenses support this feature.

Sample configuration

Depending on the firmware version and VM license, check the following sample configurations.

If you are using new firmware (6.2.0) with a new VM license, verify VM license can be validated and the certificates Fortinet_Factory and Fortinet_Factory_Backup CN are changed to the FortiGate VM serial number.

If you are using new firmware (6.2.0) with an old VM license, verify VM license can be validated and the certificates Fortinet_Factory and Fortinet_Factory_Backup CN are kept as CN = FortiGate and not changed to the serial number.

If you are using old firmware (6.0.2) with a new VM license, verify VM license can be validated and the certificates Fortinet_Factory and Fortinet_Factory_Backup CN are kept as CN = FortiGate and not changed to the serial number.

FortiGate-VM Unique Certificate

To safeguard against certificate compromise, FortiGate VM and FortiAnalyzer VM allow the same deployment model as FortiManager VM whereby the license file contains a unique certificate tied to the virtual device's serial number.

A hardware appliance usually comes with a BIOS certificate with a unify serial number that identifies the hardware appliance. This built-in BIOS certificate is different from a firmware certificate. A firmware certificate is distributed in all appliances with the same firmware version.

Using a BIOS certificate with a built-in serial number provides a high trust level for the other side in X.509 authentication.

Since a VM appliance has no BIOS certificate, a signed VM license can provide an equivalent of a BIOS certificate. The VM license assigns a serial number in the BIOS equivalent certificate, which gives the certificate with an abstract access ability, i.e., the same as a BIOS certificate with the same high trust level.

Note

Only new, registered VM licenses support this feature.

Sample configuration

Depending on the firmware version and VM license, check the following sample configurations.

If you are using new firmware (6.2.0) with a new VM license, verify VM license can be validated and the certificates Fortinet_Factory and Fortinet_Factory_Backup CN are changed to the FortiGate VM serial number.

If you are using new firmware (6.2.0) with an old VM license, verify VM license can be validated and the certificates Fortinet_Factory and Fortinet_Factory_Backup CN are kept as CN = FortiGate and not changed to the serial number.

If you are using old firmware (6.0.2) with a new VM license, verify VM license can be validated and the certificates Fortinet_Factory and Fortinet_Factory_Backup CN are kept as CN = FortiGate and not changed to the serial number.