Certificates

Use this page to manage the following types of certificates:

  • Self-signed SSL certificates for a specific server or website, often used for an internal enterprise network

  • Certificates used between FortiIsolator and FortiProxy or SAML servers

For information about FortiIsolator certificates required for access to the FortiIsolator from the browser, see FortiIsolator certificates.

To import a certificate:
  1. Go to System > Certificates. The page shows the types of certificates that you can import.
  2. Click Import in the toolbar. The Import Certificate page opens.
  3. Specify Certificate Name.
  4. Under Type, select the type of certificate you are importing.

    | Option | Certificate Type | Description |
    |---|---|---|
    | SAML_CERT | SAML Certificate | Certificate for single-sign-on which is created in LDAP Server > SAML Server. |
    | SELF SIGNED CA ROOT CERT | Self Signed CA root Certificate | This option allows the user to upload a self-signed CA root Certificate, which is the origin of a certificate chain that all subordinate certificates stem from. A root_ca.crt file should be uploaded here. Note: The certificate chain must be complete for the certificate to work. You must also upload the relevant subordinate certificates under the INTERMEDIATE CA CERT option. |
    | INTERMEDIATE CA CERT | Intermediate CA Certificate | This option allows the user to upload subordinate certificates of the root certificate on the FortiIsolator. Subordinate certificates must be uploaded along with the trusted root certificate (root_ca.crt) and upper level subordinate certificates (sub_ca.crt) in the certificate chain, along with the key files (sub_ca.key) if necessary. When the certificate chain is complete, which means the root certificate and all relevant subordinate certificates are uploaded, the user only needs to import the lowest level subordinate certificate in the browser. |
    | SELF SIGNED SERVER CERT | Self-signed Server Certificate | A standalone certificate used by the original issuer to verify if a site is legitimate. |

  5. Enable the PKCS12 Format checkbox if it is a PKCS12 certificate.
  6. Click Choose File to upload a certificate file.

    Only “Base-64 encoded X.509 (.cer)” format certificates are supported.

  7. Click Choose File to upload a key file.
  8. Enter the password of the certificate.
  9. Click OK to return to the certificates list.
  10. (Optional) Select the row of the certificate type and click View to verify the certificate details.
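
The import steps above require a Base-64 encoded X.509 file, a matching key file, and a complete chain; the following added example checks all three offline with OpenSSL before anything is uploaded. It is not Fortinet tooling: the function names are hypothetical, and the file names it is meant for follow the root_ca.crt / sub_ca.crt / sub_ca.key naming used on this page.

```shell
#!/bin/sh
# Pre-import checks for a private certificate chain (added example).
# Assumes the openssl command-line tool is installed and keys are unencrypted.

# True if the file is a Base-64 (PEM) encoded X.509 certificate.
is_pem_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null &&
        openssl x509 -in "$1" -inform PEM -noout 2>/dev/null
}

# Convert a binary (DER) certificate to Base-64 (PEM): der_to_pem IN OUT
der_to_pem() {
    openssl x509 -inform DER -in "$1" -outform PEM -out "$2" 2>/dev/null
}

# True if the private key belongs to the certificate (public keys are equal).
# key_matches_cert CERT KEY
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# chain_is_complete ROOT LEAF [INTERMEDIATE...]
# True only if LEAF chains up to ROOT through the listed intermediates,
# i.e. no subordinate certificate is missing from the set to be imported.
chain_is_complete() {
    root=$1
    leaf=$2
    shift 2
    if [ "$#" -eq 0 ]; then
        # LEAF is expected to be issued directly by ROOT.
        openssl verify -CAfile "$root" "$leaf" >/dev/null 2>&1
        return
    fi
    bundle=$(mktemp) || return 1
    cat "$@" > "$bundle"              # all intermediates in one file
    openssl verify -CAfile "$root" -untrusted "$bundle" "$leaf" >/dev/null 2>&1
    rc=$?
    rm -f "$bundle"
    return "$rc"
}
```

After sourcing the file, `chain_is_complete root_ca.crt server.crt sub_ca.crt` returns non-zero when a subordinate certificate is missing (server.crt is a placeholder name), and `key_matches_cert sub_ca.crt sub_ca.key` catches a key file paired with the wrong certificate.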

To delete a certificate:
  1. Go to System > Certificates.
  2. Select the certificate you need to delete.
  3. Click Delete in the toolbar.
  4. Click OK in the confirmation dialog box to delete the selected certificate.

Note: The Isolator CA Certificate is built-in and cannot be deleted. It takes effect when no local certificate is available.

To assign a certificate to a user’s profile:
  1. Go to Policies and Profile > Profile.
  2. Select Isolator profile and Edit.
  3. At the bottom of the page, next to Certificates, select the certificate that you just imported and click OK.
  4. Go to Policies and Profile > Default Policy, select the profile for Default Isolator Profile, and click OK.

Note: If a self-signed SSL certificate is a certificate chain that contains a root certificate and subordinate certificates, the root certificate and all subordinate certificates must be imported into the FortiIsolator and selected in the user’s profile.