Allow FortiClient EMS connectors to trust EMS server certificate renewals based on the CN field 7.2.4
This information is also available in the FortiOS 7.2 Administration Guide.
When a FortiGate establishes a Fabric connection with FortiClient EMS, the FortiGate must trust the CA that signed the EMS server certificate. Previously, when an administrator approved the certificate, its fingerprint was saved on the FortiGate, so the EMS connection had to be re-authorized every time the server certificate was renewed. With this enhancement, approving the EMS certificate saves the signing CA and the certificate's CN field, and the FortiGate then trusts later certificates that are signed by the same CA and carry the same CN. EMS servers can therefore renew their certificates at regular intervals without re-authorization on the FortiGate, as long as the CA and the CN do not change, and a certificate update no longer interrupts the EMS Fabric connection. Note that this is a looser check than fingerprint pinning: any certificate the same CA issues for the same CN is accepted without an administrator's approval, so the trust now rests on that CA issuing certificates for the EMS server's name only to the EMS server.
config endpoint-control fctems
    edit <id>
        set trust-ca-cn {enable | disable}
    next
end
This feature is supported for EMS on-premise and cloud connections and is enabled by default. To authorize based on the certificate fingerprint instead, disable the trust-ca-cn setting. If the setting is re-enabled later, the administrator must re-approve the EMS certificate.
To configure the EMS Fabric connector to trust EMS server certificate renewals based on the CN field:
config endpoint-control fctems
    edit 1
        set status enable
        set name "ems133"
        set dirty-reason none
        set fortinetone-cloud-authentication disable
        set server "172.18.62.35"
        set https-port 443
        set serial-number "FCTEMS8822000000"
        set tenant-id "00000000000000000000000000000000"
        set source-ip 0.0.0.0
        set pull-sysinfo enable
        set pull-vulnerabilities enable
        set pull-avatars enable
        set pull-tags enable
        set pull-malware-hash enable
        set capabilities fabric-auth silent-approval websocket websocket-malware push-ca-certs common-tags-api tenant-id
        set call-timeout 30
        set out-of-sync-threshold 180
        set websocket-override disable
        set preserve-ssl-session disable
        set interface-select-method auto
        set trust-ca-cn enable
    next
end
To verify the configuration:
- Download the FortiGate configuration file.
- Verify the ca-cn-info entry, which lists the trusted CA certificate information. In this example, the ems133 connector has trust-ca-cn enabled and the ems138 connector has trust-ca-cn disabled. For ems138, the ca-cn-info entry does not appear, and there is a certificate-fingerprint field instead:

config endpoint-control fctems
    edit 1
        set status enable
        set name "ems133"
        set server "172.18.62.35"
        set serial-number "FCTEMS8822000000"
        set tenant-id "00000000000000000000000000000000"
        set capabilities fabric-auth silent-approval websocket websocket-malware push-ca-certs common-tags-api tenant-id
        set ca-cn-info "C = CA, ST = BC, L = VANCOUVER, O = FTNT, OU = ReleaseQA, CN = Release_QA, emailAddress = ********@fortinet.comRelease_QA"
    next
    edit 2
        set status enable
        set name "ems138"
        set server "172.18.62.18"
        set serial-number "FCTEMS8821000000"
        set tenant-id "00000000000000000000000000000000"
        set capabilities fabric-auth silent-approval websocket websocket-malware push-ca-certs common-tags-api tenant-id
        set certificate-fingerprint "18:51:76:67:EB:4C:31:A1:51:3F:74:F7:8E:1D:47:5C:18:0F:FE:45:DF:52:91:52:37:0B:27:E7:F1:85:5B:01:8C:7D:FB:2D:C7:D2:CC:FE:4A:E3:0E:A9:2A:1C:27:4D:D2:A6:C5:87:B8:97:98:57:75:10:15:28:EF:A2:23:7C"
        set trust-ca-cn disable
    next
    ...
end
- Run diagnostics to view the certificate information:

# diagnose test application fcnacd 96
ems_id 1, certificate authority and common name: C = CA, ST = BC, L = VANCOUVER, O = FTNT, OU = ReleaseQA, CN = Release_QA, emailAddress = ********@fortinet.comRelease_QA
ems_id 1, fingerprint_sha512:
ems_id 2, certificate authority and common name:
ems_id 2, fingerprint_sha512: 18:51:76:67:EB:4C:31:A1:51:3F:74:F7:8E:1D:47:5C:18:0F:FE:45:DF:52:91:52:37:0B:27:E7:F1:85:5B:01:8C:7D:FB:2D:C7:D2:CC:FE:4A:E3:0E:A9:2A:1C:27:4D:D2:A6:C5:87:B8:97:98:57:75:10:15:28:EF:A2:23:7C
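The following is an added example, not Fortinet code, that models the two trust modes described above (CA-plus-CN trust versus fingerprint pinning) and reads the same kind of fctems configuration dump that the verification step shows. It assumes that ca-cn-info is laid out as the CA's subject DN immediately followed by the server certificate's CN, as in the sample output, that a renewal is a certificate with a new key but the same CA and CN, and that the FortiGate's TLS stack has already verified the CA signature. The parser, the PresentedCert type and the DER stand-ins are hypothetical and constructed for this example; the certificate bytes are not real certificates.

```python
"""Added example (not Fortinet code): which EMS certificates does a FortiGate accept
without re-approval under trust-ca-cn enable versus fingerprint pinning?"""
import hashlib
import re
from dataclasses import dataclass


def sha512_fingerprint(der: bytes) -> str:
    """SHA-512 of the DER encoding, colon-separated uppercase hex as FortiOS prints it."""
    digest = hashlib.sha512(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_fctems(text: str) -> dict:
    """Minimal hypothetical parser for a 'config endpoint-control fctems' dump.
    Returns {connector name: {setting: value}}; quoted values are unquoted."""
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("edit "):
            current = {"id": line.split(None, 1)[1]}
        elif line == "next" and current is not None:
            entries[current.get("name", current["id"])] = current
            current = None
        elif current is not None:
            m = re.match(r'set (\S+) (.+)$', line)
            if m:
                key, value = m.group(1), m.group(2).strip()
                if len(value) >= 2 and value[0] == value[-1] == '"':
                    value = value[1:-1]
                current[key] = value
    return entries


@dataclass(frozen=True)
class PresentedCert:
    issuer_dn: str   # subject DN of the CA that signed the certificate
    subject_cn: str  # CN of the EMS server certificate
    der: bytes       # constructed stand-in for the DER encoding (not a real certificate)


def trust_decision(entry: dict, cert: PresentedCert) -> tuple:
    """Return (accepted, reason) from the connector's stored approval data alone.
    CA signature validity is assumed to have been checked by the TLS stack already."""
    if entry.get("trust-ca-cn", "enable") == "enable":  # enable is the default
        expected = entry.get("ca-cn-info")
        if expected is None:
            return False, "no approved CA/CN yet: administrator approval required"
        presented = cert.issuer_dn + cert.subject_cn  # assumed ca-cn-info layout
        if presented == expected:
            return True, "same CA and CN: renewal accepted without re-approval"
        return False, "CA or CN differs: re-approval required"
    expected = entry.get("certificate-fingerprint")
    if expected is None:
        return False, "no pinned fingerprint yet: administrator approval required"
    if sha512_fingerprint(cert.der) == expected:
        return True, "fingerprint matches the pinned certificate"
    return False, "fingerprint changed: re-approval required (every renewal does this)"


# Constructed sample, shaped like the verification output on this page.
CA_DN = ("C = CA, ST = BC, L = VANCOUVER, O = FTNT, OU = ReleaseQA, "
         "CN = Release_QA, emailAddress = ********@fortinet.com")
EMS_CN = "Release_QA"
APPROVED_DER = b"constructed stand-in for the originally approved ems138 certificate"

SAMPLE_CONFIG = f"""\
config endpoint-control fctems
    edit 1
        set status enable
        set name "ems133"
        set server "172.18.62.35"
        set ca-cn-info "{CA_DN}{EMS_CN}"
    next
    edit 2
        set status enable
        set name "ems138"
        set server "172.18.62.18"
        set certificate-fingerprint "{sha512_fingerprint(APPROVED_DER)}"
        set trust-ca-cn disable
    next
end
"""


def renewal_scenarios() -> dict:
    """Evaluate each connector against the originally approved certificate, a routine
    renewal (same CA and CN, new key) and two certificates that must never pass silently."""
    certs = {
        "approved": PresentedCert(CA_DN, EMS_CN, APPROVED_DER),
        "renewed": PresentedCert(CA_DN, EMS_CN, b"constructed renewed certificate, new key"),
        "other_cn": PresentedCert(CA_DN, "Some_Other_Server", b"constructed cert for another host"),
        "other_ca": PresentedCert("C = US, O = Other CA, CN = Other CA", EMS_CN,
                                  b"constructed cert from a different CA"),
    }
    return {name: {label: trust_decision(entry, cert)[0] for label, cert in certs.items()}
            for name, entry in parse_fctems(SAMPLE_CONFIG).items()}


if __name__ == "__main__":
    for name, outcome in renewal_scenarios().items():
        print(name, outcome)
```

Running it shows the trade-off stated above: ems133 (trust-ca-cn enabled) accepts the renewed certificate but rejects a different CN or a different CA, while ems138 (fingerprint pinning) accepts only the exact certificate that was approved and would need re-approval for the renewal.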