Administration Guide

SSL certificates

The following components of FortiNAC can use SSL certificates to encrypt their communications:

  • Administrative User Interface: browser traffic between the user managing FortiNAC through the UI and the FortiNAC Control Server.
  • Persistent Agent: traffic between the Persistent Agent (PA) installed on a host and the FortiNAC Application Server. Functions that use this channel include, but are not limited to, registration/authentication and scanning.
  • Portal: browser traffic between a host in isolation using the captive portal (Registration, Remediation, Authentication, Dead End) and the FortiNAC Application Server. This channel is also used for traffic between the Dissolvable Agent (DA), mobile agents, and the Application Server.

These components are secured independently of each other. However, the same SSL Certificate can be used if multiple components are to be secured.

The following sections describe how to obtain, upload, and renew SSL certificates.

Implementation considerations

If you are running a High Availability (HA) configuration using a shared IP address, the certificate information for the Portal target is replicated from the primary server to the secondary server. If you are running an HA configuration where the primary and secondary servers are on separate subnets (L3 HA), contact Support for assistance.

You may act as your own Certificate Authority (CA) and use your own internal certificate, as long as all systems in your domain use the same certificate.

The Persistent and Dissolvable Agents cannot use the Self-Signed Certificate.

Wildcard certificates

Wildcard certificates may be imported to secure the captive portal. They can be generated either from a Certificate Signing Request (CSR) created via FortiNAC or from one created by a third party.

To generate a wildcard CSR using FortiNAC, see Obtaining an SSL certificate from a Certificate Authority (CA).

To use a wildcard certificate already generated, proceed to Upload a certificate received from the CA.

Ensure the following when importing a wildcard certificate:

  • The wildcard private key cannot be password protected.
  • The actual Fully-Qualified Host Name must be entered in the Fully-Qualified Host Name Field in the General tab under Go > Tasks > Portal Configuration. Entering the wildcard name in this field will cause the application of the certificate to fail.

Subject Alternative Name (SAN) certificates

A SAN certificate can be used to secure multiple host names and/or IP addresses. For example, in a Layer 2 HA environment the virtual, primary, and secondary appliance host names and their corresponding IP addresses can all be secured with one certificate.

To generate a SAN Certificate using FortiNAC, see Obtaining an SSL certificate from a Certificate Authority (CA).

Create a keystore for LDAP

If you choose to use SSL or TLS security protocols for communications with your LDAP directory, you must have a security certificate. You must obtain a valid certificate from a Certificate Authority. That certificate must be saved to a specific directory on your FortiNAC.

SSL or TLS protocols are selected on the Directory Configuration window when you set up the connection to your LDAP directory. See for information on configuring the connection to your LDAP directory. Follow the steps below to import your certificate.

Note

You should be logged in as root to follow this procedure.

  1. When you have received your certificate from the Certificate Authority, copy the file to the /bsc/campusMgr/ directory on your FortiNAC server.
  2. Use the keytool command to import the certificate into a keystore file.

    For example, if your certificate file is named MainCertificate.der, you would type the following:

    keytool -import -trustcacerts -alias <MyLDAP> -file MainCertificate.der -keystore .keystore

    Note

    Depending on the file extension of your certificate file, you may need to modify the command shown above. For additional information on using the keytool key and certificate management tool go to www.oracle.com.

  3. When keytool responds with the Trust this certificate? prompt, type Yes and press Enter.
  4. At the prompt for the keystore password, type in the following password and press Enter: ^8Bradford%23
  5. To view the certificate, navigate to the /bsc/campusMgr/ directory and type the following: keytool -list -v -keystore .keystore
  6. Type the password used to import the certificate and press Enter.

Note

The keystore is cached on startup. Therefore, it is recommended that you restart FortiNAC after making any changes to the keystore.

Obtaining an SSL certificate from a Certificate Authority (CA)

If you do not have a certificate, you must obtain a certificate from a CA.

To obtain a valid third party SSL certificate from a CA, you must generate a CSR and send it to the CA.

To generate a CSR and a self-signed certificate:

  1. Select System > Settings.
  2. Expand the Security folder.
  3. Select Certificate Management from the tree.
  4. Click Generate CSR.

  1. Select the certificate target (the type of certificate you want to generate).

    • Select Admin UI to generate a CSR for the administrative user interface.
    • Select Persistent Agent to generate a CSR for the PA communications.
    • Select Portal to generate a CSR to secure the captive portal and DA communications.
    • Select RADIUS Server to generate a CSR for the integrated FortiNAC RADIUS server when it is set to use 802.1X and PEAP.

    Note

    The Private Key that corresponds with the CSR is stored on the appliance. Once the SSL Certificate is uploaded, to view the Private Key, click the Details button and select the Private Key tab.

  2. Enter the Common Name (Fully-Qualified Host Name). This is the Host Name to be secured by the certificate. If generating a wildcard CSR, enter the desired domain specifying the wildcard in the Common Name Field (Example: *.bradfordnetworks.com).
  3. Enter the Subject Alternative Names (leave blank if not requesting a SAN certificate). Click Add to enter each additional host name and/or IP address.
  4. Enter the remaining information for the certificate in the dialog box:

    • Organization: The name of the server's organization.
    • Organizational Unit: The name of the server's unit (department).
    • Locality (City): The city where the server is located.
    • State/Province: The state/province where the server is located.
    • 2 Letter Country Code: The country code where the server is located.
  5. Click OK to generate the CSR.

  6. Copy the certificate request section, including the BEGIN and END lines:

    -----BEGIN CERTIFICATE REQUEST-----

    ...Certificate Request Data...

    -----END CERTIFICATE REQUEST-----

  7. Paste it into a text file, and save the file with a .txt extension. Note the location of this file on your PC.

    Note

    Make sure no spaces, characters, or carriage returns are added to the Certificate Request.

  8. Send the Certificate Request file to the CA to request a Valid SSL Certificate.

Important Notes:

  • Do not click OK in the Generate CSR screen after saving the Certificate Request file and sending to the CA. Each time OK is clicked on the Generate CSR screen, a new CSR and private key are created, overwriting any previous private key. Consequently, if a Certificate Request file has been submitted to the CA, and the OK button has been clicked since the original Certificate Request was generated, the returned certificate will not match the current private key, and a new request will have to be issued and sent to the CA.
  • Not all Certificate Authorities ask for the same information when requesting a certificate. For example, some CAs ask for a server type (Apache, etc.) while others do not. FortiNAC requires an unencrypted certificate in one of the following formats:

    • PEM
    • DER
    • PKCS#7
    • P7B

    This will allow the certificate to be applied to any of the desired components.

    If the certificate is in PEM format, opening it in a text editor shows one block per certificate, each delimited by BEGIN and END lines. A file containing two certificates looks like this (the body lines here are placeholders):

    -----BEGIN CERTIFICATE-----
    fjkghwjernlsfuigylerkjlkfjnu23jnlkjbliu5ghl6kh4
    fjkjlkfjnu23jnlkjbliu5ghl6khkghwjernlsfuigyler4
    ghwjernlsfuigylerkjlkfjnu23jnlkjbliu5fjkghl6kh4
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    fjkghwjernlsfuigylerkjlkfjnu23jnlkjbliu5ghl6kh4
    fjkjlkfjnu23jnlkjbliu5ghl6khkghwjernlsfuigyler4
    ghwjernlsfuigylerkjlkfjnu23jnlkjbliu5fjkghl6kh4
    -----END CERTIFICATE-----

    Certificate requests generated on FortiNAC are signed with SHA-1 with RSA. However, a certificate signed with SHA-2 can still be requested using this CSR, since the CA chooses the signature algorithm of the certificate it issues.

  • Agent versions prior to 3.1.5 are not compatible with SHA-2. Contact Support to verify the appropriate SHA version for your current deployment.
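The two notes above (no extra spaces, characters or carriage returns in the request or certificate files; one of the accepted PEM/DER formats) translate into a check an administrator can run on the workstation before uploading anything, and the same format detection covers the earlier keytool note about handling a certificate file according to its format. The script below is an added example and not FortiNAC's own tooling; the file names and the base64 bodies in it are constructed placeholders.

```shell
#!/bin/sh
# Added example (not FortiNAC's own tooling): pre-upload checks for certificate
# and CSR files. cert_format tells PEM from DER; pem_lint enforces the
# "no extra spaces, characters or carriage returns" rule on a PEM file.

# Print pem, der or unknown for the file in $1. PEM files carry
# "-----BEGIN ..." markers; a DER file starts with the ASN.1 SEQUENCE tag 0x30.
cert_format() {
    if grep -q -- '^-----BEGIN ' "$1" 2>/dev/null; then
        echo pem
    elif [ "$(head -c 1 "$1" | od -An -tx1 | tr -d ' \n')" = "30" ]; then
        echo der
    else
        echo unknown
    fi
}

# Lint a PEM file: every line must be a BEGIN/END marker or base64 body text,
# each END must match its BEGIN, and there must be no carriage returns.
# On success the number of PEM blocks is printed; otherwise a diagnostic goes
# to stderr and the return status is 1.
pem_lint() {
    file=$1
    if [ "$(tr -d '\r' < "$file" | wc -c | tr -d ' ')" -ne "$(wc -c < "$file" | tr -d ' ')" ]; then
        echo "$file: contains carriage returns (CRLF line endings)" >&2
        return 1
    fi
    awk '
        /^-----BEGIN [A-Z0-9 ]+-----$/ {
            if (inblock) { bad = "nested BEGIN at line " NR; exit 1 }
            type = $0; sub(/^-----BEGIN /, "", type); sub(/-----$/, "", type)
            inblock = 1; blocks++; next
        }
        /^-----END [A-Z0-9 ]+-----$/ {
            if (!inblock) { bad = "END without BEGIN at line " NR; exit 1 }
            t = $0; sub(/^-----END /, "", t); sub(/-----$/, "", t)
            if (t != type) { bad = "END " t " does not match BEGIN " type " at line " NR; exit 1 }
            inblock = 0; next
        }
        inblock && /^[A-Za-z0-9+\/=]+$/ { next }      # base64 body line
        { bad = "unexpected content at line " NR ": \"" $0 "\""; exit 1 }
        END {
            if (bad == "" && inblock) bad = "missing END marker"
            if (bad != "") { print FILENAME ": " bad > "/dev/stderr"; exit 1 }
            print blocks + 0
        }
    ' "$file"
}

# Demonstration on constructed files (the base64 bodies are placeholders).
demo() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBplaceholderAAAA' 'AQ==' \
        '-----END CERTIFICATE-----' '-----BEGIN CERTIFICATE-----' 'MIICplaceholderAAAA' \
        '-----END CERTIFICATE-----' > "$d/bundle.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBplaceholderAAAA' '' \
        '-----END CERTIFICATE-----' > "$d/blankline.pem"
    for f in "$d/bundle.pem" "$d/blankline.pem"; do
        echo "$f: format=$(cert_format "$f") blocks=$(pem_lint "$f" || echo none)"
    done
    rm -rf "$d"
}
demo
```

pem_lint counts PEM blocks, so a file that should hold a server certificate plus one intermediate is expected to report 2; a blank line, a stray character, or Windows line endings makes it fail with the offending line number, which is the same condition FortiNAC rejects on upload. cert_format only inspects the leading bytes and does not validate a DER file beyond its first byte.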


Upload a certificate received from the CA

Upload the valid SSL certificate to the appliance when the certificate file is returned from the CA. Certificate files can be returned to you in one of several configurations. Depending upon the CA, one or multiple certificate files may be returned.

  1. Save the file(s) received from the CA to your PC.
  2. Select System > Settings.
  3. Expand the Security folder.
  4. Select Certificate Management from the tree.
  5. Click Upload Certificate.
  6. Select the target where the certificate will be uploaded:

    • Select Admin UI to install the certificate for the administrative user interface.
    • Select Persistent Agent to install the certificate for the PA communications.
    • Select Portal to install the certificate to secure the captive portal.
  7. Select one of the following:

    • Use Private Key from Last Generated CSR to use the key from the most recent CSR for the selected target.
    • Reuse Private Key from Existing Certificate to use the private key for the certificate currently in use. This option is for renewing an existing installed certificate.
    • Upload Private Key to upload a key. Click Choose to find and upload the private key.
  8. Click the Choose File button to find and select the certificate to be uploaded. Users can also upload CA certificates and CA bundles.

    Note

    Upload any intermediate certificate files needed to complete the certificate chain. The Certificate Authority should be able to provide these files. Without a complete certificate chain, the target component may produce error or warning messages.

  9. Click the Add Certificate button if multiple certificates were returned. Use this to enter each additional certificate file.
  10. Click OK.

Copying a certificate to another target

If the certificate is intended to be used for multiple targets, copy the certificate to the new target:

  1. Highlight the target with the desired certificate installed.
  2. Click Copy Certificate.
  3. Select the new target from the drop-down menu.
  4. Click OK.

Activating certificates

Certificates for the administrative user interface and Persistent Agent are activated automatically upon installation; no further action is required. The Portal certificate must be activated manually:

  1. Navigate to System > Settings.
  2. Expand the Security folder and then click Portal SSL.
  3. In the SSL Mode field, select Valid SSL Certificate.
  4. Click Save Settings (this may take several minutes).

Prevent the use of port 8080

Modify server.xml file

To ensure that users connect to the Admin UI using a secure port, you must modify the server.xml file.

  1. Log in as root.
  2. Navigate to the following directory: /bsc/services/tomcat-admin/conf
  3. Use vi or another editor to open the server.xml file.
  4. Locate the line shown below.

    <Connector port="8080" redirectPort="8443" address="nac" />

  5. Modify the line as follows to comment it out:

    <!-- <Connector port="8080" redirectPort="8443" address="nac" /> -->

  6. Save the changes to the server.xml file.
  7. Restart Tomcat so that the server uses the new certificates and picks up the changes made to server.xml. Type the following at the prompt:

    service tomcat-admin restart

Modify web.xml file

To ensure that users connect to the Admin UI using a secure port, you must modify the web.xml file.

Note

This change must be made after each upgrade because the web.xml is overwritten during the upgrade. A README should be put in place as a reminder to follow this procedure upon upgrade.

  1. Use vi or another text editor to open the following file:

    /bsc/campusMgr/ui/ROOT/WEB-INF/web.xml

  2. Locate the security-constraint for ALL.
  3. Change the transport-guarantee to CONFIDENTIAL. This value matches the API security-constraint.
  4. Save the changes to the file.
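Because web.xml is overwritten on upgrade, a practitioner wants a script that verifies both edits of this section (the commented-out port 8080 connector in server.xml and the CONFIDENTIAL guarantee on the ALL constraint in web.xml) and can be re-run after every upgrade. The following shell script is an added example, not part of FortiNAC; the shape of the web.xml element it parses (a web-resource-name of ALL inside a standard servlet security-constraint) is assumed from the description above, and the sample XML it runs on is constructed.

```shell
#!/bin/sh
# Added example (not FortiNAC tooling): check, and optionally apply, the two
# Admin UI hardening edits. Real file paths are the ones in the procedure;
# the XML below is constructed from the page's description.

# Remove <!-- ... --> comments (including multi-line ones) from file $1.
strip_xml_comments() {
    awk '{
        line = $0; out = ""
        while (1) {
            if (inside) {                 # comment opened on an earlier line
                k = index(line, "-->")
                if (k == 0) { line = ""; break }
                line = substr(line, k + 3); inside = 0
            }
            i = index(line, "<!--")
            if (i == 0) break
            j = index(substr(line, i + 4), "-->")
            out = out substr(line, 1, i - 1)
            if (j == 0) { line = ""; inside = 1; break }
            line = substr(line, i + j + 6)
        }
        print out line
    }' "$1"
}

# Print "active" if an uncommented Connector on port 8080 remains in $1, else "disabled".
port_8080_state() {
    if strip_xml_comments "$1" | grep -q '<Connector[^>]*port="8080"'; then echo active; else echo disabled; fi
}

# Print the transport-guarantee of the security-constraint named $2 in web.xml $1:
# the value found, NONE if it has no user-data-constraint (servlet default), or MISSING.
transport_guarantee() {
    awk -v want="$2" '
        /<security-constraint>/ { inc = 1; name = ""; tg = ""; next }
        inc && /<web-resource-name>/ {
            n = $0; sub(/.*<web-resource-name>[ \t]*/, "", n); sub(/[ \t]*<\/web-resource-name>.*/, "", n); name = n
        }
        inc && /<transport-guarantee>/ {
            g = $0; sub(/.*<transport-guarantee>[ \t]*/, "", g); sub(/[ \t]*<\/transport-guarantee>.*/, "", g); tg = g
        }
        /<\/security-constraint>/ {
            if (inc && name == want) { print (tg == "" ? "NONE" : tg); found = 1; exit }
            inc = 0
        }
        END { if (!found) print "MISSING" }
    ' "$1"
}

# Rewrite web.xml $1 in place so the ALL constraint uses CONFIDENTIAL (idempotent).
set_all_confidential() {
    tmp=$(mktemp)
    awk '
        /<security-constraint>/ { inc = 1; buf = "" }
        inc {
            buf = buf $0 "\n"
            if ($0 ~ /<\/security-constraint>/) {
                if (buf ~ /<web-resource-name>[ \t]*ALL[ \t]*<\/web-resource-name>/)
                    sub(/<transport-guarantee>[^<]*<\/transport-guarantee>/,
                        "<transport-guarantee>CONFIDENTIAL</transport-guarantee>", buf)
                printf "%s", buf; inc = 0
            }
            next
        }
        { print }
    ' "$1" > "$tmp" && cat "$tmp" > "$1"     # cat keeps the original owner and mode
    rm -f "$tmp"
}

# Return 0 when both edits are in place, 1 otherwise, printing each finding.
admin_ui_hardening_ok() {
    rc=0
    [ "$(port_8080_state "$1")" = disabled ] || { echo "server.xml: plain-HTTP connector on port 8080 is still active"; rc=1; }
    [ "$(transport_guarantee "$2" ALL)" = CONFIDENTIAL ] || { echo "web.xml: ALL security-constraint is not CONFIDENTIAL"; rc=1; }
    return $rc
}

demo() {   # constructed copies of the two files, before and after the edits
    d=$(mktemp -d)
    printf '%s\n' '<Service>' '  <Connector port="8080" redirectPort="8443" address="nac" />' \
        '  <Connector port="8443" SSLEnabled="true" />' '</Service>' > "$d/server.xml"
    printf '%s\n' '<web-app>' '  <security-constraint>' '    <web-resource-collection>' \
        '      <web-resource-name>ALL</web-resource-name>' '      <url-pattern>/*</url-pattern>' \
        '    </web-resource-collection>' '    <user-data-constraint>' \
        '      <transport-guarantee>NONE</transport-guarantee>' '    </user-data-constraint>' \
        '  </security-constraint>' '</web-app>' > "$d/web.xml"
    echo "before:"; admin_ui_hardening_ok "$d/server.xml" "$d/web.xml" || true
    set_all_confidential "$d/web.xml"
    sed -i.bak 's|^\( *\)\(<Connector port="8080".*\)$|\1<!-- \2 -->|' "$d/server.xml"
    echo "after:"; admin_ui_hardening_ok "$d/server.xml" "$d/web.xml" && echo "hardening in place"
    rm -rf "$d"
}
demo
```

On a live appliance, run admin_ui_hardening_ok /bsc/services/tomcat-admin/conf/server.xml /bsc/campusMgr/ui/ROOT/WEB-INF/web.xml as root (the paths given in the procedure) after each upgrade; set_all_confidential rewrites the file in place, so keep a copy of the real web.xml before using it there.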

Create expiration warning alarms

Three events are enabled by default in FortiNAC:

  • Certificate Expiration Warning: Generated when a certificate is due to expire within 30 days.
  • Certificate Expiration Warning (CRITICAL): Generated when a certificate is due to expire within 7 days.
  • Certificate Expired: Generated when a certificate has expired.

You must create alarms to send emails when these events are generated.

  1. Navigate to Logs > Event to Alarm Mappings.
  2. Create one alarm for each event with the following settings:

    • Select the Notify Users setting.
    • Select the type of messaging (Email or SMS) and admin group desired to be notified.
    • Set the Trigger Rule to One Event to One Alarm.
  3. For detailed instructions on creating alarms, see Add or modify alarm mapping.
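The three default events only fire inside FortiNAC. As an added example, not FortiNAC tooling, the script below applies the same 30-day and 7-day thresholds to certificate files with openssl, so a monitoring host can cross-check the alarms against the certificates actually installed; the certificates it generates are constructed stand-ins for the Admin UI, Persistent Agent and Portal certificates.

```shell
#!/bin/sh
# Added example (not FortiNAC tooling): an out-of-band expiry check using the
# same thresholds as the three default events (30 days, 7 days, expired).

WARN_DAYS=30
CRIT_DAYS=7

# Print expired | critical | warning | ok for the PEM certificate in $1
# (or "unreadable" with status 2). "openssl x509 -checkend N" returns 0 only
# when the certificate is still valid N seconds from now.
expiry_severity() {
    openssl x509 -noout -in "$1" >/dev/null 2>&1 || { echo unreadable; return 2; }
    if ! openssl x509 -noout -checkend 0 -in "$1" >/dev/null 2>&1; then
        echo expired
    elif ! openssl x509 -noout -checkend $((CRIT_DAYS * 86400)) -in "$1" >/dev/null 2>&1; then
        echo critical
    elif ! openssl x509 -noout -checkend $((WARN_DAYS * 86400)) -in "$1" >/dev/null 2>&1; then
        echo warning
    else
        echo ok
    fi
}

# One report line per certificate file: severity, notAfter, subject, file name.
expiry_report() {
    for f in "$@"; do
        sev=$(expiry_severity "$f")
        end=$(openssl x509 -noout -enddate -in "$f" 2>/dev/null | sed 's/^notAfter=//')
        subj=$(openssl x509 -noout -subject -in "$f" 2>/dev/null | sed 's/^subject= *//')
        printf '%-9s %-25s %s  %s\n' "$sev" "$end" "$subj" "$f"
    done
}

demo() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found; skipping demo"; return 0; }
    d=$(mktemp -d)
    openssl genrsa -out "$d/key.pem" 2048 >/dev/null 2>&1
    for days in 1 10 365; do    # constructed self-signed certs with three different lifetimes
        openssl req -new -x509 -key "$d/key.pem" -out "$d/cert-$days.pem" \
            -subj "/CN=nac.example.com" -days "$days" >/dev/null 2>&1
    done
    expiry_report "$d"/cert-*.pem
    rm -rf "$d"
}
demo
```

Run expiry_report against exported copies of the installed certificates from cron on a monitoring host; a "critical" or "expired" line that does not coincide with a FortiNAC alarm means the alarm mapping above is not delivering.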

Renew a certificate

SSL certificates must be renewed periodically or they expire. The existing certificate remains in use until the new one arrives. Some Certificate Authorities allow a certificate to be renewed without generating a new request file; in that case the private key stays the same and the new certificate can be imported when it arrives.

  1. Save the file(s) received from the CA to your PC.
  2. Select the target where the certificate will be uploaded. See Step 6 under Upload a certificate received from the CA.
  3. Select Reuse Private Key from Existing Certificate to use the private key for the certificate currently in use. See Step 7 under Upload a certificate received from the CA.
  4. Follow Steps 8-10 under Upload a certificate received from the CA to complete the process.

Troubleshooting

If something is wrong with the uploaded certificate files, FortiNAC will display an error and will not apply the certificate.

Common causes for upload errors

  • The wildcard name (e.g., *.bradfordnetworks.com) was placed in the Fully-Qualified Host Name Field in the Portal SSL view under System > Settings > Security. To correct, change the entry to the true Fully-Qualified Host Name and click Save Settings.
  • There are extra spaces, characters, and/or carriage returns above, below, or within the text body of any of the files.
  • The certificate was not generated with the current key, so the two do not match.

    This can happen if the OK button in the Generate CSR screen had been clicked after saving the Certificate Request. Each time OK is clicked on the Generate CSR screen, a new CSR and private key are created, overwriting any previous private key.

    To confirm the certificate and key match, use the following tool:

    https://www.sslshopper.com/certificate-key-matcher.html

    If the key and certificate do not match, generate a new CSR and submit for a new certificate.

  • An error displays indicating the private key is invalid. This can occur if the private key is not an RSA private key. To confirm (if the key is in PEM format), open the private key file in a text editor. If the content looks something like the following:

    -----BEGIN PRIVATE KEY-----

    MIIEowIBAAKCAQEAtozSKRv4mpPVk0L4Xz2RzadYym5pRH+Cp1du4uJ2yGKepFmF

    HoB/yOuBt0PAJz9SAT+CkK7j5ocWbAlkjtZxdSs5T2aABWIWTmu0l5T8GYD6KQ9T

    -----END PRIVATE KEY-----

    then the key is in PKCS#8 format rather than the traditional RSA format and will need to be converted to an RSA key (the converted file begins with -----BEGIN RSA PRIVATE KEY-----).

  • The following error displays in the UI: "Unable to update Apache configuration." This can occur if SSH communication is failing, as the appliance opens an SSH session to restart the apache service. If the appliance is a pair, verify that the Control Server can SSH to the Application Server. If the appliance is a single device, verify that it can SSH to itself without being prompted for a password.

Note

For additional troubleshooting assistance, contact Fortinet Support.
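The key/certificate mismatch and the non-RSA key in the list above can both be checked locally with openssl, so the private key never has to be pasted into a third-party web page. The script below is an added example and not part of FortiNAC; it assumes that the "RSA key" the text refers to is the traditional PKCS#1 encoding (a file beginning with -----BEGIN RSA PRIVATE KEY-----), and the key and certificate it generates are throwaway test material.

```shell
#!/bin/sh
# Added example (not FortiNAC tooling): local checks for the two key-related
# upload errors, run with openssl on the admin workstation. Assumes the
# required "RSA key" is the PKCS#1 form ("BEGIN RSA PRIVATE KEY").

# Classify a PEM private key by its header: rsa (PKCS#1), pkcs8
# ("BEGIN PRIVATE KEY"), encrypted (password protected, which FortiNAC
# does not accept), ec, or unknown.
key_type() {
    case "$(awk '/^-----BEGIN/ { print; exit }' "$1")" in
        *"BEGIN RSA PRIVATE KEY"*)       echo rsa ;;
        *"BEGIN ENCRYPTED PRIVATE KEY"*) echo encrypted ;;
        *"BEGIN PRIVATE KEY"*)           echo pkcs8 ;;
        *"BEGIN EC PRIVATE KEY"*)        echo ec ;;
        *)                               echo unknown ;;
    esac
}

# Compare the RSA modulus in certificate $1 with the one in private key $2.
# Prints match or mismatch; status 0 only on a match, 2 if a file is unreadable.
cert_key_match() {
    cert_mod=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 2
    key_mod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 2
    if [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]; then
        echo match
    else
        echo mismatch
        return 1
    fi
}

# Convert a PKCS#8 RSA key ($1) to PKCS#1 ($2). OpenSSL 3 writes PKCS#8 unless
# -traditional is given; OpenSSL 1.x does not know that flag but writes PKCS#1
# by default, so fall back to the plain form.
to_pkcs1() {
    openssl rsa -in "$1" -out "$2" -traditional 2>/dev/null ||
        openssl rsa -in "$1" -out "$2" 2>/dev/null
}

demo() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found; skipping demo"; return 0; }
    d=$(mktemp -d)
    # Constructed throwaway key and self-signed certificate, plus an unrelated key.
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/key.pem" -out "$d/cert.pem" \
        -subj "/CN=nac.example.com" -days 1 >/dev/null 2>&1
    openssl genrsa -out "$d/other.pem" 2048 >/dev/null 2>&1
    echo "key header:            $(key_type "$d/key.pem")"
    echo "cert vs its own key:   $(cert_key_match "$d/cert.pem" "$d/key.pem")"
    echo "cert vs unrelated key: $(cert_key_match "$d/cert.pem" "$d/other.pem")"
    to_pkcs1 "$d/key.pem" "$d/key-rsa.pem" && echo "converted key header:  $(key_type "$d/key-rsa.pem")"
    rm -rf "$d"
}
demo
```

Run cert_key_match with the certificate returned by the CA and the private key FortiNAC generated for the CSR; a mismatch means OK was clicked again after the request was sent, and a new CSR is needed. to_pkcs1 writes the converted key to the path given as its second argument and leaves the original untouched.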
