
Allow FortiClient EMS connectors to trust EMS server certificate renewals based on the CN field 7.2.4

Note

This information is also available in the FortiOS 7.2 Administration Guide.

When a FortiGate establishes a Fabric connection with FortiClient EMS, the FortiGate must trust the CA that signed the EMS server certificate. Previously, when the user approved the certificate, the FortiGate saved that certificate's fingerprint, so the EMS connection had to be re-authorized every time the server certificate was renewed: a renewed certificate carries a new serial number and validity period (and usually a new key), so its fingerprint differs even when the same CA issues it for the same name. With this enhancement, when the EMS certificate is approved, the FortiGate saves the issuing CA information together with the CN field, and trusts future certificates that are signed by the same CA and carry the same CN. EMS servers can therefore renew their certificates at regular intervals without re-authorization on the FortiGate side, as long as the CA and the CN match, which avoids interruptions to the EMS Fabric connection on renewal.

config endpoint-control fctems
    edit <id>
        set trust-ca-cn {enable | disable}
    next
end

This feature is supported for both EMS on-premise and EMS cloud connections, and is enabled by default. With trust-ca-cn enabled, trust is anchored to the issuing CA and the CN rather than to one specific certificate: any certificate that the trusted CA issues with the same CN is accepted, so the CA's signing key and its issuance practices become part of the trust boundary of the EMS connection. To authorize one exact certificate instead, disable trust-ca-cn; the FortiGate then falls back to fingerprint-based authorization. If trust-ca-cn is re-enabled later, the user must re-approve the EMS certificate.

To configure the EMS Fabric connector to trust EMS server certificate renewals based on the CN field:
config endpoint-control fctems
    edit 1
        set status enable
        set name "ems133"
        set dirty-reason none
        set fortinetone-cloud-authentication disable
        set server "172.18.62.35"
        set https-port 443
        set serial-number "FCTEMS8822000000"
        set tenant-id "00000000000000000000000000000000"
        set source-ip 0.0.0.0
        set pull-sysinfo enable
        set pull-vulnerabilities enable
        set pull-avatars enable
        set pull-tags enable
        set pull-malware-hash enable
        set capabilities fabric-auth silent-approval websocket websocket-malware push-ca-certs common-tags-api tenant-id
        set call-timeout 30
        set out-of-sync-threshold 180
        set websocket-override disable
        set preserve-ssl-session disable
        set interface-select-method auto
        set trust-ca-cn enable
    next
end
To verify the configuration:
  1. Download the FortiGate configuration file.

  2. Verify the ca-cn-info entry, which records the trusted CA subject and CN information. In this example, the ems133 connector has trust-ca-cn enabled and the ems138 connector has it disabled. For ems138 there is no ca-cn-info entry; a certificate-fingerprint field appears instead:

    config endpoint-control fctems
        edit 1
            set status enable
            set name "ems133"
            set server "172.18.62.35"
            set serial-number "FCTEMS8822000000"
            set tenant-id "00000000000000000000000000000000"
            set capabilities fabric-auth silent-approval websocket websocket-malware push-ca-certs common-tags-api tenant-id
            set ca-cn-info "C = CA, ST = BC, L = VANCOUVER, O = FTNT, OU = ReleaseQA, CN = Release_QA, emailAddress = ********@fortinet.comRelease_QA"
        next
        edit 2
            set status enable
            set name "ems138"
            set server "172.18.62.18"
            set serial-number "FCTEMS8821000000"
            set tenant-id "00000000000000000000000000000000"
            set capabilities fabric-auth silent-approval websocket websocket-malware push-ca-certs common-tags-api tenant-id
            set certificate-fingerprint "18:51:76:67:EB:4C:31:A1:51:3F:74:F7:8E:1D:47:5C:18:0F:FE:45:DF:52:91:52:37:0B:27:E7:F1:85:5B:01:8C:7D:FB:2D:C7:D2:CC:FE:4A:E3:0E:A9:2A:1C:27:4D:D2:A6:C5:87:B8:97:98:57:75:10:15:28:EF:A2:23:7C"
            set trust-ca-cn disable
        next
        ...
    end
  3. Run diagnostics to view the certificate information. The connector with trust-ca-cn enabled (ems_id 1) shows the stored CA and CN and an empty fingerprint; the connector with it disabled (ems_id 2) shows a fingerprint and no CA/CN entry:

    # diagnose test application fcnacd 96
    ems_id 1, certificate authority and common name: C = CA, ST = BC, L = VANCOUVER, O = FTNT, OU = ReleaseQA, CN = Release_QA, emailAddress = ********@fortinet.comRelease_QA
    ems_id 1, fingerprint_sha512: 
    ems_id 2, certificate authority and common name: 
    ems_id 2, fingerprint_sha512: 18:51:76:67:EB:4C:31:A1:51:3F:74:F7:8E:1D:47:5C:18:0F:FE:45:DF:52:91:52:37:0B:27:E7:F1:85:5B:01:8C:7D:FB:2D:C7:D2:CC:FE:4A:E3:0E:A9:2A:1C:27:4D:D2:A6:C5:87:B8:97:98:57:75:10:15:28:EF:A2:23:7C
