Administration Guide

Certificates

The FortiIsolator allows users to use self-signed SSL certificates for a specific server or website. Generally, self-signed certificates are very specific and are often used for an internal enterprise network. On this page, you can import certificates for different purposes.

Note

FortiIsolator only supports “Base-64 encoded X.509 (.CER)” format certificates.

To import a certificate:
  1. Go to System > Certificates. The page shows the types of certificates that you can import.
  2. Click Import in the toolbar. The Import Certificate page opens.
  3. Specify Certificate Name.
  4. Under Type, select the type of certificate you are importing.

    | Option | Certificate Type | Description |
    |---|---|---|
    | LOCAL_CERT | Local Certificate | This option allows users to import a customized local certificate to replace the built-in Isolator CA Certificate. If no local certificate is available, FortiIsolator uses the built-in Isolator CA Certificate. |
    | SAML_CERT | SAML Certificate | Certificate for single-sign-on which is created in LDAP Server > SAML Server. |
    | SELF SIGNED CA ROOT CERT | Self Signed CA root Certificate | This option allows the user to upload a self-signed CA root Certificate, which is the origin of a certificate chain that all subordinate certificates stem from. A root_ca.crt file should be uploaded here. Note: The certificate chain must be complete for the certificate to work. You must also upload the relevant subordinate certificates under the INTERMEDIATE CA CERT option. |
    | INTERMEDIATE CA CERT | Intermediate CA Certificate | This option allows the user to upload subordinate certificates of the root certificate on the FortiIsolator. Subordinate certificates must be uploaded along with the trusted root certificate (root_ca.crt) and upper level subordinate certificates (sub_ca.crt) in the certificate chain, along with the key files (sub_ca.key) if necessary. When the certificate chain is complete, which means the root certificate and all relevant subordinate certificates are uploaded, the user only needs to import the lowest level subordinate certificate in the browser. |
    | SELF SIGNED SERVER CERT | Self-signed Server Certificate | A standalone certificate used by the original issuer to verify if a site is legitimate. |

  5. Enable the PKCS12 Format checkbox if it is a PKCS12 certificate.
  6. Click Choose File to upload a certificate file.
  7. Click Choose file to upload a key file.
  8. Enter the password of the certificate.
  9. Click OK to return to the certificates list.
  10. (Optional) Select the row of the certificate type and click View to verify the certificate details.

To view a certificate's details:
  1. Go to System > Certificates.
  2. Select the certificates you need to see details about.
  3. Click View.

To delete a certificate:
  1. Go to System > Certificates.
  2. Select the certificate you need to delete.
  3. Click Delete in the toolbar.
  4. Click OK in the confirmation dialog box to delete the selected certificate.

Note

The Isolator CA Certificate is built-in and cannot be deleted. It takes effect when no local certificate is available.

To assign a certificate to a user’s profile:
  1. Go to Policies and Profile > Profile.
  2. Select the Isolator profile and click Edit.
  3. At the bottom of the page, next to Certificates, select the certificate that you just imported and click OK.
  4. Go to Policies and Profile > Default Policy, select the profile for Default Isolator Profile, and click OK.

Note

If a self-signed SSL certificate is a certificate chain that contains a root certificate and subordinate certificates, both the root certificate and all subordinate certificates must be imported into the FortiIsolator and selected in the user’s profile.

To regenerate a FortiIsolator CA Certificate:
  1. Go to Dashboard > FortiIsolator CA Certificate.
  2. Click Backup/Restore.
  3. Proceed with either of the following options, depending on the type of certificate you are regenerating:
    • To generate a certificate with the default settings, click the link in Click here to generate Default CA certificate. The FortiIsolator reboots, which takes a few minutes.
    • To generate a certificate with customized settings, click the link in Click here to generate CA certificate. Specify the settings and click OK.

Note

Once a FortiIsolator certificate has been generated or re-generated, it will replace the existing one.
