The following components of FortiNAC are able to utilize SSL certificates for encrypting communications:
- Administrator interface: browser traffic between user managing FortiNAC through the UI and the FortiNAC Control Server.
- Persistent Agent: traffic between Persistent Agent (PA) installed on a host and the FortiNAC Application Server. Functions that utilize this communication include, but are not limited to, registration/authentication and scanning.
- Portal: browser traffic between host in isolation using the captive portal (Registration, Remediation, authentication, Dead End) and the FortiNAC Application Server. This is also used for traffic between the Dissolvable Agent, Mobile Agent, and the FortiNAC Application Server.
These components are secured independently of each other. However, the same SSL certificate can be used if multiple components are to be secured.
The following sections describe how to obtain, upload, and renew SSL certificates.
If you are running a high availability (HA) configuration using a shared IP address, the certificate information for the Portal target is replicated from the primary server to the secondary server. If you are running a HA configuration where primary and secondary servers are on separate subnets (L3 HA) contact Support for assistance.
You may act as your own CA and use your own internal certificate, as long as all systems in your domain use the same certificate.
The Persistent Agent and Dissolvable Agent cannot use the self-signed certificate.
Wildcard certificates may be imported to secure the Captive Portal. They can either be generated from a certificate signing (CSR) created via FortiNAC or a third party.
To generate a wildcard CSR using FortiNAC, see Obtaining an SSL certificate from a CA.
To use a wildcard certificate already generated, proceed to Upload a certificate received from the CA.
Ensure the following when importing a wildcard certificate:
- The wildcard private key cannot be password protected.
- The actual fully qualified hostname must be entered in the fully qualified hostname Field in the General tab under Go > Tasks > Portal Configuration. Entering the wildcard name in this field will cause the application of the certificate to fail.
Subject Alternative Name (SAN) certificates
A SAN certificate can be used to secure multiple hostnames and/or IP addresses. For example, in a Layer 2 HA environment the virtual, primary, and secondary appliance hostnames and their corresponding IP addresses can all be secured with one certificate.
To generate a SAN certificate using FortiNAC, see Obtaining an SSL certificate from a CA.
Create a keystore for LDAP
If you choose to use SSL or TLS security protocols for communications with your LDAP directory, you must have a security certificate. You must obtain a valid certificate from a certificate Authority. That certificate must be saved to a specific directory on your FortiNAC.
SSL or TLS protocols are selected on the Directory Configuration window when you set up the connection to your LDAP directory. Follow the steps below to import your certificate. You should be logged in as root to follow this procedure.
- When you have received your certificate from the certificate Authority, copy the file to the
/bsc/campusMgr/directory on your FortiNAC server.
Use the keytool command to import the certificate into a keystore file.
For example, if your certificate file is named MainCertificate.der, you would type the following:
keytool -import -trustcacerts -alias <MyLDAP> -file MainCertificate.der -keystore .keystore
Depending on the file extension of your certificate file, you may need to modify the command shown above. For additional information on using the keytool key and certificate management tool go to www.oracle.com.
- When the script responds with the Trust this certificate? prompt, type Yes and press Enter.
- At the prompt for the keystore password, type in the following password and press Enter:
- To view the certificate, navigate to the
/bsc/campusMgr/directory and type the following:
keytool -list -v -keystore .keystore
- Type the password used to import the certificate and press Enter.
The keystore is cached on startup. Therefore, it is recommended that you restart FortiNAC after making any changes to the keystore.
If you do not have a certificate, you must obtain a certificate from a CA.
To obtain a valid third party SSL certificate from a CA, you must generate a CSR and send it to the CA.
- Go to System > Settings.
- Expand the Security folder.
- Select Certificate Management from the tree.
- Click Generate CSR.
Select the certificate target (the type of certificate you want to generate).
- Select Admin UI to generate a CSR for the admin UI.
- Select Persistent Agent to generate a CSR for the PA communications.
- Select Portal to generate a CSR to secure the captive portal and DA communications.
- Select RADIUS Server to generate a CSR for integrated FortiNAC RADIUS server set to use 802.1x and PEAP.
- Enter the Common Name. This is the hostname to be secured by the certificate. If generating a wildcard CSR, enter the desired domain specifying the wildcard in the Common Name field (Example: *.example.com).
- Enter the Subject Alternative Names (leave blank if not requesting a SAN certificate). Click Add to enter each additional hostname and/or IP address.
Enter the remaining information for the certificate in the dialog box:
- Organization: The name of the server's organization.
- Organizational Unit: The name of the server's unit (department).
- Locality (City): The city where the server is located.
- State/Province: The state/province where the server is located.
- 2 Letter Country Code: The country code where the server is located.
Click OK to generate the CSR.
Copy the section with the certificate request to include the following:
-----BEGIN CERTIFICATE REQUEST-----
...Certificate Request Data...
-----END CERTIFICATE REQUEST-----
Paste it into a text file, and save the file with a .txt extension. Note the location of this file on your PC.
Make sure there are no spaces, characters, or carriage returns added to the certificate.
- Send the certificate file to the CA to request a valid SSL certificate.
- Do not click OK in the Generate CSR screen after saving the certificate file and sending to the CA. Each time OK is clicked on the Generate CSR screen, a new CSR and private key are created, overwriting any previous private key. Consequently, if a certificate file has been submitted to the CA, and OK has been clicked since the original certificate was generated, the returned certificate will not match the current private key, and a new request will have to be issued and sent to the CA.
Not all certificate Authorities ask for the same information when requesting a certificate. For example, some CA's ask for a server type (Apache, etc) while others do not. FortiNAC requires a non-encrypted certificate in one of the following formats:
This will allow the certificate to be applied to any of the desired components.
If the certificate is in PEM format, opening the certificate in a text editor should look something like the following format:
Certificate requests generated on FortiNAC use the SHA1 RSA encryption signature. However, certificates with SHA2 encryption can be requested using this CSR.
Upload the valid SSL certificate to the appliance when the certificate file is returned from the CA. Certificate files can be returned to you in one of several configurations. Depending upon the CA, one or multiple certificate files may be returned.
- Save the file(s) received from the CA to your PC.
- Select System > Settings.
- Expand the Security folder.
- Select Certificate Management from the tree.
- Click Upload Certificate.
Select the target where the certificate will be uploaded:
- Select Admin UI to install the certificate for the admin UI.
- Select Persistent Agent to install certificate for the PA communications.
- Select Portal to install the certificate to secure the captive portal.
Select one of the following:
- Use Private Key from Last Generated CSR to use the key from the most recent CSR for the selected target.
- Reuse Private Key from Existing Certificate to use the private key for the certificate currently in use. This option is for renewing an existing installed certificate.
- Upload Private Key to upload a key. Click Choose to find and upload the private key.
Click Choose File to find and select the certificate to be uploaded. Users can also upload CA certificates and CA bundles.
Upload any relevant intermediate certificate files needed for the creation of a completed certificate chain of authority. The certificate Authority should be able to provide these files. Without a complete certificate chain of authority, the target functionality may produce error/warning messages.
- Click Add Certificate if multiple certificates were returned. Use this to enter each additional certificate file.
- Click OK.
Copying a certificate to another target
If the certificate is intended to be used for multiple targets, copy the certificate to the new target:
- Highlight the target with the desired certificate installed.
- Click Copy Certificate.
- Select the new target from the drop-down menu.
- Click OK.
Certificates for the admin UI and Persistent Agent are activated automatically upon installation. No further action is required.
- Navigate to System > Settings.
- Expand the Security fold and then click Portal SSL.
- In the SSL Mode field, select Valid SSL Certificate.
- Click Save Settings (this may take several minutes).
Prevent the use of port 8080
Modify server.xml file
To ensure that users connect to the admin UI using a secure port, you must modify the server.xml file.
- Log in as
- Navigate to the following directory:
- Use vi or another editor to open the server.xml file.
Locate the line shown below.
<Connector port="8080" redirectPort="8443" address="nac" />
Modify the line as follows to comment it out:
<!-- <Connector port="8080" redirectPort="8443" addresss="nac" /> -->
- Save the changes to the server.xml file.
- Restart Tomcat.
For your server to use the new certificates and acknowledge the changes made to server.xml, you must restart Tomcat. Type the following at the prompt:
service tomcat-admin restart
Modify web.xml file
To ensure that users connect to the admin UI using a secure port, you must modify the web.xml file.
This change must be made after each upgrade because the web.xml is overwritten during the upgrade. A README should be put in place as a reminder to follow this procedure upon upgrade.
Use vi or another editor to open the following file in a text editor:
- Locate the security-constraint for ALL.
- Change the transport-guarantee to CONFIDENTIAL. This value matches the API security-constraint.
- Save the changes to the file.
Create expiration warning alarms
Three events are enabled by default in FortiNAC:
- Certificate Expiration Warning: Generated when a certificate is due to expire within 30 days.
- Certificate Expiration Warning (CRITICAL): Generated when a certificate is due to expire within 7 days.
- Certificate Expired: Generated when a certificate has expired.
You must create alarms to send emails when these events are generated.
- Navigate to Logs > Event to Alarm Mappings.
Create one alarm for each event with the following settings:
- Select the Notify Users setting.
- Select the type of messaging (Email or SMS) and admin group desired to be notified.
- Set the Trigger Rule to One Event to One Alarm.
- For detailed instructions on creating alarms, see Add or modify alarm mapping.
Renew a certificate
SSL certificates must be renewed periodically or they expire. However, the existing certificate must be used until the new one arrives. Some certificate Authorities allow managing certificates such that it can be renewed without generating a new request file. In these cases, the private key will remain the same and the new certificate can be imported when it arrives.
- Save the file(s) received from the CA to your PC.
- Select the target where the certificate will be uploaded. See Step 6 under Upload a certificate received from the CA.
- Select Reuse Private Key from Existing Certificate to use the private key for the certificate currently in use. See Step 7 under Upload a certificate received from the CA.
- Follow Steps 8-10 under Upload a certificate received from the CA to complete the process.
If something is wrong with the uploaded certificate files, FortiNAC will display an error and will not apply the certificate.
Common causes for upload errors
- The wildcard name (e.g., *.example.com) was placed in the Fully Qualified Host Name field in the Portal SSL view under System > Settings > Security. To correct, change the entry to the true fully qualified hostname and click Save Settings.
- There are extra spaces, characters, and/or carriage returns above, below, or within the text body of any of the files.
The certificate was not generated with the current key and there is mismatch.
This can happen if OK in the Generate CSR screen had been clicked after saving the certificate request. Each time OK is clicked on the Generate CSR screen, a new CSR and private key are created, overwriting any previous private key.
To confirm the certificate and key match, use the following tool:
If the key and certificate do not match, generate a new CSR and submit for a new certificate.
An error displays indicating the private key is invalid. This can occur if the private key is not a RSA private key. To confirm, (if the certificate is in PEM format), open the certificate in a text editor. If the content looks something like the following:
----BEGIN PRIVATE KEY----
----END PRIVATE KEY----
then the key will need to be converted to a RSA key.
- The following error displays in UI: "Unable to update Apache configuration." This can occur if SSH communication is failing (as the appliance establishes a SSH session to restart apache service). If appliance is a pair, verify Control Server can SSH to Application Server. If appliance is a single device, verify appliance can SSH to itself (without being prompted to enter a password).
For additional troubleshooting assistance, contact Fortinet Support.