Administration Guide

CA certificate

FortiGates come with many CA certificates from well-known certificate authorities pre-installed, just as most modern operating systems, such as Windows and macOS, do. Use this option to add a private CA certificate to the FortiGate so that certificates signed by that private CA are trusted by the FortiGate.

For example, a private CA can be used when two FortiGates establish a site-to-site VPN tunnel using certificates not signed by a public or otherwise trusted CA, or when the LDAPS connection to your corporate AD server uses a server certificate signed by a private CA in your domain. It is very common to upload a private CA when using PKI user authentication, since most PKI user certificates are signed by an internal CA.

To import a CA certificate in the GUI:
  1. Go to System > Certificates and select Create/Import > CA Certificate.

  2. Set the Type to Online SCEP or File.

    • Online SCEP: Enter the URL of the SCEP server and, optionally, the Optional CA Identifier. The FortiGate contacts the SCEP server to request the CA certificate.

    • File: Upload the CA certificate file directly from the management computer.

  3. Click OK.

To import a CA certificate in the CLI:
# execute vpn certificate ca import auto <CA_server> [identifier] [source_ip] [fingerprint]
# execute vpn certificate ca import bundle <filename> <tftp_IP>
# execute vpn certificate ca import tftp <filename> <server_address>
# execute vpn certificate ems_ca import tftp <filename> <server_address>

auto      Import a CA certificate via SCEP.
bundle    Import a certificate bundle from a TFTP server.
tftp      Import a CA certificate from a TFTP server.
