Administration Guide

FortiGate VM unique certificate

To safeguard against certificate compromise, FortiGate VM and FortiAnalyzer VM use the same deployment model as FortiManager VM where the license file contains a unique certificate tied to the serial number of the virtual device.

A hardware appliance usually comes with a BIOS certificate with a unique serial number that identifies the hardware appliance. This built-in BIOS certificate is different from a firmware certificate. A firmware certificate is distributed in all appliances with the same firmware version.

Because the BIOS certificate carries a built-in serial number, the peer in X.509 authentication can place a high level of trust in the identity it presents.

Since a VM appliance has no BIOS certificate, a signed VM license provides the equivalent: the license assigns a serial number to a BIOS-equivalent certificate. That certificate then fills the same identity role as a hardware BIOS certificate, with the same high trust level.

Note

This feature is only supported in new, registered VM licenses.

Sample configurations

Depending on the firmware version and VM license, the common name (CN) on the certificate will be configured differently.

License   Firmware 6.0     Firmware 6.2        Firmware 6.4        Firmware 7.0
6.0       CN = FortiGate   CN = FortiGate      CN = FortiGate      CN = FortiGate
6.2       CN = FortiGate   CN = serial number  CN = serial number  CN = serial number
6.4       CN = FortiGate   CN = serial number  CN = serial number  CN = serial number
7.0       CN = FortiGate   CN = serial number  CN = serial number  CN = serial number

To view validated certificates:
  1. Go to System > Certificates.
  2. Double-click on a VM certificate. There are two VM certificates:
    • Fortinet_Factory
    • Fortinet_Factory_Backup

    The Certificate Detail Information window displays.
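
As an added example (not Fortinet's code), the following Python applies the license/firmware table above together with the BIOS-equivalent reasoning from the introduction: given the subject of a peer certificate in the shape Python's ssl getpeercert() returns, it reports whether the CN proves a specific device serial number or only the shared firmware-level identity. The version threshold, the sample subjects and the serial FGVMEXAMPLE00001 are assumptions constructed for this example.

```python
"""Check whether a FortiGate VM peer certificate is bound to a device serial.
Input is the dict shape returned by ssl.SSLSocket.getpeercert(); the sample
certificates below are constructed for this example, not real Fortinet ones."""
from typing import Optional

# From firmware 6.2 onward a 6.2+ VM license puts the serial number in the CN;
# any 6.0 license or 6.0 firmware still yields the shared CN "FortiGate".
SERIAL_CN_MIN_VERSION = (6, 2)


def expected_cn(license_version: str, firmware_version: str, serial: str) -> str:
    """Return the CN the guide's table predicts for a license/firmware pair."""
    lic = tuple(int(p) for p in license_version.split("."))
    fw = tuple(int(p) for p in firmware_version.split("."))
    if lic >= SERIAL_CN_MIN_VERSION and fw >= SERIAL_CN_MIN_VERSION:
        return serial
    return "FortiGate"


def subject_cn(peercert: dict) -> Optional[str]:
    """Extract commonName from a getpeercert()-style nested subject tuple."""
    for rdn in peercert.get("subject", ()):
        for attr_type, value in rdn:
            if attr_type == "commonName":
                return value
    return None


def classify_peer(peercert: dict, expected_serial: str) -> str:
    """Rate how strongly the certificate identifies the expected device.
    'device'   : CN equals the expected serial (unique, BIOS-equivalent trust).
    'firmware' : CN is the shared name "FortiGate", which every VM on that
                 license/firmware combination presents; not a per-device proof.
    'mismatch' : CN names another serial, or there is no CN at all.
    """
    cn = subject_cn(peercert)
    if cn == expected_serial:
        return "device"
    if cn == "FortiGate":
        return "firmware"
    return "mismatch"


# Constructed samples in the exact shape ssl.SSLSocket.getpeercert() returns;
# "FGVMEXAMPLE00001" is a placeholder serial, not a real one.
SAMPLE_DEVICE_CERT = {"subject": ((("organizationName", "Fortinet"),),
                                  (("commonName", "FGVMEXAMPLE00001"),))}
SAMPLE_LEGACY_CERT = {"subject": ((("organizationName", "Fortinet"),),
                                  (("commonName", "FortiGate"),))}
```

A "firmware" result means the peer presented a certificate that any VM on that license/firmware combination could also present, so it should not be treated as proof of a particular device.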
