FortiGate VM unique certificate
To safeguard against certificate compromise, FortiGate VM and FortiAnalyzer VM use the same deployment model as FortiManager VM where the license file contains a unique certificate tied to the serial number of the virtual device.
A hardware appliance usually comes with a BIOS certificate with a unique serial number that identifies the hardware appliance. This built-in BIOS certificate is different from a firmware certificate. A firmware certificate is distributed in all appliances with the same firmware version.
Using a BIOS certificate with a built-in serial number gives the peer a high level of trust in X.509 authentication, because the certificate identifies one specific device rather than a firmware build.
Since a VM appliance has no BIOS certificate, a signed VM license provides the equivalent of one: the VM license assigns a serial number in the BIOS-equivalent certificate. This gives the certificate a device-bound identity, so the peer can rely on it with the same high trust level as a BIOS certificate.
This feature is only supported in new, registered VM licenses.
Sample configurations
Depending on the firmware version and VM license, the common name (CN) on the certificate will be configured differently.
| License version | Firmware 6.0 | Firmware 6.2 | Firmware 6.4 | Firmware 7.0 |
|---|---|---|---|---|
| 6.0 | CN = FortiGate | CN = FortiGate | CN = FortiGate | CN = FortiGate |
| 6.2 | CN = FortiGate | CN = serial number | CN = serial number | CN = serial number |
| 6.4 | CN = FortiGate | CN = serial number | CN = serial number | CN = serial number |
| 7.0 | CN = FortiGate | CN = serial number | CN = serial number | CN = serial number |
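As an added example (not code from Fortinet's documentation or product), the following Python script shows the check a peer can apply to a factory certificate: read its subject CN and decide whether it is the shared `FortiGate` name from the table above, which identifies only a firmware/license generation, or a device-unique serial number that matches the serial the peer expects. It assumes the `cryptography` package is installed; the self-signed test certificate builder and the `FGVMEXAMPLE0001` serial are constructed test data, not real Fortinet values.

```python
"""Classify the subject CN of a FortiGate VM factory certificate."""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# CN used by 6.0 licenses/firmware: identical on every VM, so it proves nothing
# about which device is on the other side of the connection.
SHARED_CN = "FortiGate"


def factory_cert_cn(pem: bytes) -> str:
    """Return the single subject CN of a PEM certificate (e.g. Fortinet_Factory)."""
    cert = x509.load_pem_x509_certificate(pem)
    cns = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
    if len(cns) != 1:
        raise ValueError(f"expected exactly one CN, found {len(cns)}")
    return str(cns[0].value)


def check_device_identity(pem: bytes, expected_serial: str) -> dict:
    """Verdict on whether the certificate binds the peer to expected_serial."""
    cn = factory_cert_cn(pem)
    if cn == SHARED_CN:
        return {"cn": cn, "unique": False, "matches_serial": False,
                "verdict": "shared CN: certificate does not identify this device"}
    matches = cn == expected_serial
    return {"cn": cn, "unique": True, "matches_serial": matches,
            "verdict": "serial CN matches" if matches else "serial CN mismatch"}


def make_test_cert(cn: str) -> bytes:
    """Constructed test data: a self-signed PEM certificate with the given CN.
    A real Fortinet_Factory certificate is issued by Fortinet, not self-signed."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.now(timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + timedelta(days=1))
            .sign(key, hashes.SHA256()))
    return cert.public_bytes(serialization.Encoding.PEM)


if __name__ == "__main__":
    SERIAL = "FGVMEXAMPLE0001"  # placeholder serial, not a real device
    for cn in (SHARED_CN, SERIAL, "FGVMEXAMPLE0002"):
        print(check_device_identity(make_test_cert(cn), SERIAL))
```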
To view validated certificates:
- Go to System > Certificates.
- Double-click on a VM certificate. There are two VM certificates:
  - Fortinet_Factory
  - Fortinet_Factory_Backup

  The Certificate Detail Information window displays.