Trusted certificates
Use this view to upload certificate authority (CA) certificates in order to establish trust for SSL connections.
- Navigate to System > Certificate Management.
- Select Trusted certificates.
- Select the appropriate target from the drop down menu using the table below.
| Target | Description |
| --- | --- |
| General Trusted CA | Used by FortiNAC to validate SSL connections with devices modeled in Inventory. Used when SSL Settings in the Credentials tab is configured. See Credentials. Well-known trusted CA certificates can be imported to this view automatically. For details, see Certificate Management. |
| RADIUS Endpoint Trust [RadSec] | Trusted Endpoint Certificate used by FortiNAC to validate the client-side certificate when RadSec clients send authentication requests. |
| RADIUS Endpoint Trust [radius] | Trusted Endpoint Certificate used by FortiNAC to validate the client-side certificate when Local RADIUS Server is configured and EAP-TLS is used for authentication. See below for additional details. |
| WinRM Trusted CA Chain | Trusted Endpoint Certificate used by FortiNAC to validate the client-side certificate for WinRM sessions. Applies to Device Profiling Rules using WinRM or WMI Profile methods. See Adding a rule. |
| Persistent Agent Cert Check | Trusted CA certificate used by FortiNAC to validate certificates on Windows hosts. See Certificate validation. |
- Click + then browse to add the certificate file for the selected target. Click + for each additional certificate required.
- Click OK.
RADIUS Endpoint Trust [radius]
EAP-TLS is a certificate-based mutual authentication method: the client and the server each present a certificate and verify the other's identity with it. Once both certificates have been validated, EAP-TLS derives session keys that each party uses to complete the login.
The Endpoint Trust certificate is used by FortiNAC to validate the client-side certificate when the Local RADIUS Server is configured and EAP-TLS is used for authentication.
SSL certificate requirements for Endpoint Trust:
- The incoming client certificate must be issued by a root CA.
- Certificates issued by a third-party public CA or by a corporate-owned internal CA are both accepted.
- Wildcard certificates are not recommended.
- Either user or computer certificates can be used.
- Supported with EAP-TLS, PEAPv0-EAP-TLS and EAP-TTLS/EAP-TLS.
- Multiple certificates can be uploaded to FortiNAC for this use.
Clients will be unable to authenticate unless the matching root certificate is installed in the RADIUS Endpoint Trust certificate target. All root certificates used by the endstations should be uploaded to FortiNAC.
- Acquire the root certificate(s) used by the endstations.
- If multiple root certificates have been distributed, ensure each one has been collected.
Upload the root certificate that issued the endpoint's user certificate to Trusted certificates on FortiNAC. FortiNAC verifies the client certificate against the root certificate stored on FortiNAC.
On the 802.1X endpoint, the user certificate and its private key must be installed so that FortiNAC can verify the user. The private key must be password protected.
The endpoint must also have the root certificate of the RADIUS server certificate installed, so that it can verify the certificate presented by FortiNAC.
A self-signed certificate, one whose issuer common name is the same as its subject common name, cannot be used as the endpoint certificate. The RADIUS server compares the common name of the root certificate with that of the user certificate; if the two are the same, the RADIUS server log shows "ERROR: SSL says error 18 : self signed certificate".
If the user certificate was not issued by the root CA, or the root certificate has not been uploaded to FortiNAC, the RADIUS server log shows "ERROR: TLS Alert read: fatal: unknown CA".
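The following POSIX shell script is an added pre-flight check, not FortiNAC code and not part of the original page. It uses the openssl CLI to rehearse the three outcomes described above before a root certificate is uploaded to RADIUS Endpoint Trust [radius]: a user certificate that chains to the uploaded root (OK), a self-signed user certificate (the "error 18" case), and a user certificate issued by a second corporate root that was distributed to endstations but never collected and uploaded (the "unknown CA" case). It also confirms that the endpoint's private key is password protected. The CA names, user names and file names are constructed for the demo; the trust file stands in for the certificates uploaded to FortiNAC.

```shell
#!/bin/sh
# Added example (not FortiNAC code). Rehearses the client-certificate checks
# described on this page with the openssl CLI. All names are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_root_ca <name> <prefix>: throwaway self-signed root CA (hypothetical)
make_root_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=$1" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.pem" 2>/dev/null
}

# issue_user_cert <root prefix> <user cn> <prefix>: user certificate issued by
# that root, with a password-protected private key as the page requires
issue_user_cert() {
  openssl req -new -newkey rsa:2048 -passout pass:changeit -subj "/CN=$2" \
    -keyout "$WORK/$3.key" -out "$WORK/$3.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$3.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 365 -out "$WORK/$3.pem" 2>/dev/null
}

# make_selfsigned_user <user cn> <prefix>: subject == issuer, the case the
# RADIUS server rejects with "SSL says error 18 : self signed certificate"
make_selfsigned_user() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$1" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.pem" 2>/dev/null
}

# verify_against_trust <cert> <trust file>: 0 when the certificate chains to a
# root in the trust file (the roots uploaded to Trusted certificates)
verify_against_trust() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# is_self_signed <cert>: 0 when the subject name equals the issuer name
is_self_signed() {
  subj=$(openssl x509 -in "$1" -noout -subject)
  iss=$(openssl x509 -in "$1" -noout -issuer)
  [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# key_is_encrypted <key>: 0 when the PEM private key is password protected
key_is_encrypted() {
  grep -q ENCRYPTED "$1"
}

# classify <cert> <trust file>: OK, SELF_SIGNED (error 18) or UNKNOWN_CA
# (TLS alert "unknown CA"), mirroring the RADIUS server log messages above
classify() {
  if verify_against_trust "$1" "$2"; then echo OK
  elif is_self_signed "$1"; then echo SELF_SIGNED
  else echo UNKNOWN_CA
  fi
}

# Demo: two corporate roots were distributed to endstations, but only the
# first one was collected and uploaded.
make_root_ca "Example Corp Root CA 1" root1
make_root_ca "Example Corp Root CA 2" root2
issue_user_cert root1 alice@example.com alice
issue_user_cert root2 bob@example.com bob
make_selfsigned_user carol@example.com carol
cp "$WORK/root1.pem" "$WORK/trusted.pem"                      # uploaded so far
cat "$WORK/root1.pem" "$WORK/root2.pem" > "$WORK/trusted-all.pem"  # after collecting both

for u in alice bob carol; do
  printf '%s: %s\n' "$u" "$(classify "$WORK/$u.pem" "$WORK/trusted.pem")"
done
printf 'bob with both roots uploaded: %s\n' "$(classify "$WORK/bob.pem" "$WORK/trusted-all.pem")"
if key_is_encrypted "$WORK/alice.key"; then echo "alice.key is password protected"; fi
```

Run it against the real files instead of the generated ones: put the certificate exported from the endstation in place of alice.pem and the root(s) you collected in place of trusted.pem. A result of UNKNOWN_CA means a root is still missing from the set you are about to upload; SELF_SIGNED means the endpoint certificate itself has to be reissued by a CA.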