Administration Guide

Doc ID 1ce38eeb-8119-11eb-9995-00505692583a:695800

Create a keystore for SSL or TLS

When FortiNAC uses SSL or TLS to communicate with some servers (such as an LDAP directory, Fortinet EMS or a Nozomi server), a security certificate may have to be present in its keystore. Whether it is needed depends on the configuration of the directory. In most cases FortiNAC imports the certificate it needs automatically; if it does not, use the following steps to import it manually.

Certificate Import Instructions:

  1. Once the certificate from the CA has been received, log in to the FortiNAC server CLI as root.
  2. Copy the file to the /bsc/campusMgr/ directory.
  3. Use the keytool command to import the certificate into the keystore file (.keystore in /bsc/campusMgr/):
    keytool -import -trustcacerts -alias ldap_client -file <certificate file> -keystore .keystore
    Example using a certificate file named MainCertificate.der:
    keytool -import -trustcacerts -alias ldap_client -file MainCertificate.der -keystore .keystore
    The alias must be unique within the keystore: keytool refuses to import a certificate under an alias that already exists. If you import more than one certificate (for example one for the directory and one for an EMS server), give each its own alias.
    For additional information on the keytool key and certificate management tool, see the Java keytool documentation (historically hosted at java.sun.com).
  4. At the Enter keystore password prompt, type the following password and press Enter: ^8Bradford%23
  5. keytool then displays the certificate's owner, issuer, validity period and fingerprints and asks Trust this certificate? Compare the fingerprint with the one obtained from the CA or server administrator through a separate channel. If it matches, type yes and press Enter. Answering yes is what adds the certificate to the trust store, so do not answer yes for a certificate whose fingerprint you have not verified.
  6. To view the certificate, navigate to the /bsc/campusMgr/ directory and type the following:
    keytool -list -v -keystore .keystore
  7. At the password prompt, type the same keystore password and press Enter.
  8. Verify the connection to the directory. In the Administration UI, navigate to System > Settings > Authentication > LDAP.
  9. Double-click the directory model and click the Validate Credentials button.
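The same import as an added, non-interactive script (example code written for this page, not FortiNAC's own tooling): it refuses to import a certificate whose SHA-256 fingerprint does not match a value obtained out of band, checks that the alias is free before keytool would fail on it, and reads the keystore password from the environment so that it does not appear on the keytool command line or in the process list. It assumes that keytool from Java 7 or later (which supports -storepass:env) is on PATH; the function and variable names are mine, and the fingerprint in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the FortiNAC guide: fingerprint-checked, non-interactive
# version of the keytool import procedure above.
# Assumptions: keytool (Java 7+, for -storepass:env) is on PATH; the expected SHA-256
# fingerprint was obtained from the CA or server administrator out of band.

KEYSTORE_DIR=/bsc/campusMgr            # directory used by the guide
KEYSTORE="$KEYSTORE_DIR/.keystore"     # keystore file used by the guide

# Normalise a fingerprint for comparison: drop colons and spaces, upper-case the hex.
normalize_fp() {
    printf '%s' "$1" | tr -d ': ' | tr 'a-f' 'A-F'
}

# SHA-256 fingerprint of a DER or PEM certificate file, as keytool -printcert shows it.
cert_fingerprint() {
    keytool -printcert -file "$1" | awk '/SHA256:/ { print $2; exit }'
}

# True if the keystore already holds an entry under this alias (keytool refuses to
# import under an existing alias, so this is checked up front and reported clearly).
alias_exists() {
    keytool -list -keystore "$KEYSTORE" -storepass:env KS_PASS -alias "$1" >/dev/null 2>&1
}

# import_trusted_cert <certificate file> <alias> <expected SHA-256 fingerprint>
# Returns 0 when imported and verified; 2 unreadable file; 3 KS_PASS unset;
# 4 fingerprint mismatch; 5 alias already in use; 6 keytool import or verification failed.
import_trusted_cert() {
    cert_file=$1; alias_name=$2; expected_fp=$3
    [ -r "$cert_file" ] || { echo "cannot read certificate file: $cert_file" >&2; return 2; }
    [ -n "${KS_PASS:-}" ] || { echo "set KS_PASS to the keystore password first" >&2; return 3; }
    export KS_PASS   # keytool reads it via -storepass:env, so it is never in argv

    actual_fp=$(cert_fingerprint "$cert_file")
    if [ "$(normalize_fp "$actual_fp")" != "$(normalize_fp "$expected_fp")" ]; then
        echo "REFUSING import: fingerprint $actual_fp does not match expected $expected_fp" >&2
        return 4
    fi
    if alias_exists "$alias_name"; then
        echo "alias '$alias_name' already exists in $KEYSTORE; use another alias or remove" \
             "it first with: keytool -delete -alias $alias_name -keystore $KEYSTORE" >&2
        return 5
    fi
    # -noprompt is acceptable only because the fingerprint was verified above.
    keytool -importcert -trustcacerts -noprompt -alias "$alias_name" -file "$cert_file" \
            -keystore "$KEYSTORE" -storepass:env KS_PASS || return 6
    # Confirm the entry is really present (the guide's keytool -list check, automated).
    alias_exists "$alias_name" || return 6
    echo "imported $cert_file as '$alias_name' (SHA-256 $actual_fp)"
}

# Usage, as root on the FortiNAC server, after exporting KS_PASS in the shell:
#   import_trusted_cert /bsc/campusMgr/MainCertificate.der ldap_client 'AB:CD:...:EF'
if [ "$#" -eq 3 ]; then
    import_trusted_cert "$@"
fi
```

Exporting KS_PASS from a prompt (for example with read -r after stty -echo) rather than writing it on the command line keeps it out of the shell history as well as out of the process list. Restart the control process with shutdownCampusMgr and startupCampusMgr afterwards if the directory connection still fails, as described below.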

If unable to connect, restart the FortiNAC control process to clear any cached information:

  1. In the FortiNAC CLI, type:

    shutdownCampusMgr

  2. Wait 30 seconds
  3. Type:

    startupCampusMgr
