Certificates serve three primary purposes:
The Common Name (CN) and/or Subject Alternative Name (SAN) fields are used to identify the device that the certificate is representing.
Encryption and decryption
Private and public key pairs are used to encrypt and decrypt traffic.
Messages are hashed using a secret key known to both the sender and the receiver. The receiver uses the key to check the hash value and confirm the message's data integrity and authenticity.
Certificate based authentication has several advantages over password based authentication. While password based authentication relies on secrets that are defined and managed by a user, certificate based authentication uses secrets that are issued and managed by the certificate authority. Certificates are more secure than passwords, because the private key in the certificate has high cryptographic strength, which a user defined password does not usually have.
The CA vouches for the certificates that it signs. If the endpoint has the CA root certificate installed, then it trusts the CA and anything that the CA signs. There are three types of CAs:
Public, or well-known, CAs charge a fee to sign your certificate. Many systems come with these CA root certificates pre-installed.
Let's Encrypt is a free, automated, and open CA. FortiGate includes an Automated Certificate Management Environment (ACME) to directly interact with Let's Encrypt. Some legacy systems might not have the Let's Encrypt CA root certificate installed.
Private CAs are created by an organization that creates its own local CA instead of using an external CA. It functions the same as a public CA, but the root certificate is not pre-installed on anything. FortiAuthenticator, Microsoft Server, OpenSSL, and XCA can all function as CAs.
Regardless of what kind of CA is used, involved devices must have the CA root certificate installed in order to trust the certificate that it signs.