Importing License Key Certificates
FortiNAC versions 7.2.2, 9.4.3, 9.2.8, 9.1.10 and greater contain security enhancements for communication between
-
FortiNAC Manager and managed servers
-
Primary and secondary servers in High Availability
Due to this change, all FortiNAC servers must have certificates to communicate with other Servers.
License keys with certificates were introduced on January 1st 2020. It is possible for older appliances to be running on a license key generated prior to 2020 and not include certificates.FortiNAC ControlApplication (FNC-CA-VM) Virtual Servers
1. Download a newFortiNAC Application VM Server License key from the Customer Portal. Customers with a FortiCare account and appliance support coverage can download a new key containing certificates from the Customer Support Portal at http://support.fortinet.com.
Important: Ensure the correct UUID and eth0 MAC address of the appliance is reflected in the product record. For details on how to obtain this information and download the new keys, see the Update Keys Due to UUID/MAC Change section in the License Upgrade Guide.
2. Proceed with configuring the allowed serial numbers list via the CLI for each appliance.
All Other Servers (FNC-C, FNC-A, FNC-CA Hardware)
The following instructions apply to older appliances that do not have the option of downloading keys containing certificates from the Customer Portal:
-
Separate Control (FNC-C) and Application (FNC-A) Servers – VM or hardware
-
FortiNAC-CA hardware appliances
For these appliances, self-signed certificates must be exchanged between managed appliance and the FortiNAC Manager.
Reviewing the Keystore
Use the following command to list the alias names for the certificates installed in an appliance’s keystore:
keytool -list -v -keystore /bsc/campusMgr/.keystore -storepass ^8Bradford%23 | grep -i "server_pub"
Alias name format: <IP ADDRESS>_server_pub
Where "<IP_ADDRESS>" is the IP address of the system the certificate came from.
Example:
> keytool -list -v -keystore /bsc/campusMgr/.keystore -storepass ^8Bradford%23 | grep -i "server_pub"
Alias name: 10.12.240.102_server_pub
The Manager’s keystore must contain certificates for each managed appliance. Each managed appliance must have certificates for the Manager(s).
General Instructions:
-
Export the self-signed certificate from FortiNAC Manager and import to each managed appliance (FNC-CA or FNC-C).
-
If Manager is configured as a High Availability pair, export the secondary Manager's self-signed certificate and import to each managed appliance (FNC-CA or FNC-C).
-
Export the self-signed certificate from each managed appliance (FNC-CA or FNC-C) and import to Manager. If Manager is configured for High Availability, import to both primary and secondary.
-
One certificates have been exchanged, communication between FortiNAC Manager and managed servers can be established.
Export instructions:
-
Login as
root
to the appliance CLI. -
To export the certificate, type:
keytool -keystore /bsc/campusMgr/.keystore -storepass ^8Bradford%23 -exportcert -alias server | openssl x509 -inform der
Example output:
-----BEGIN CERTIFICATE-----MIIDiTCCAnGgAwIBAgIEYhlLrDANBgkqhkiG9w0BAQsFADB1MQswCQYDVQQGEwJVxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxiuROrRdsUvDJz6KxwdBu+mR8l62ng6O714rFoqvdBr8M7eC+u/O3ykQsJTbOH1LFBJg1SPndkVGgyy
-----END CERTIFICATE-----
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /bsc/campusMgr/.keystore -destkeystore /bsc/campusMgr/.keystore -deststoretype pkcs12".
-
Copy the certificate to buffer.
-----BEGIN CERTIFICATE-----
MIIDiTCCAnGgAwIBAgIEYhlLrDANBgkqhkiG9w0BAQsFADB1MQswCQYDVQQGEwJV
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxiuROrRdsUvDJz6Kxwd
Bu+mR8l62ng6O714rFoqvdBr8M7eC+u/O3ykQsJTbOH1LFBJg1SPndkVGgyy
-----END CERTIFICATE-----
Import Instructions:
-
Login to CLI as
root
. -
To import the certificate, type the following command and hit enter:
keytool -trustcacerts -keystore /bsc/campusMgr/.keystore -storepass ^8Bradford%23 -importcert -alias <IP_ADDRESS>_server_pub
Where "<IP_ADDRESS>" is the IP address of the system the certificate came from.
Example:
keytool -trustcacerts -keystore /bsc/campusMgr/.keystore -storepass ^8Bradford%23 -importcert –alias 10.1.1.1_server_pub
-
Paste the certificate and hit enter.
-
When prompted to trust the certificate type: “
yes
” and hit enter.The command prompt will be returned.
-
Validate the certificate was imported.
Type the following command and hit enter:
keytool -list -keystore /bsc/campusMgr/.keystore -alias <IP_ADDRESS>_server_pub
-
When prompted for password, leave it blank and hit enter
Example output:
<IP_ADDRESS>_server_pub, Jun 1, 2023, trustedCertEntry,
Certificate fingerprint (SHA1): B5:33:2B:48:A2:B5:A9:7C:9B:93:36:6D:49:C1:F0:C7:18:32:DB:92
Validate:
Once the certificates have been imported, review the list of alias names for the certificates installed in each appliance’s keystore:
keytool -list -v -keystore /bsc/campusMgr/.keystore -storepass ^8Bradford%23 | grep -i "server_pub"
FortiNAC Manager: Keystore should now have the IPs of all managed appliances.
Managed appliances: Keystore should now have the Manager IP(s).
Delete Instructions:
To remove an imported certificate for any reason, type the following and hit enter:
keytool -delete -alias <IP_ADDRESS>_server_pub -keystore /bsc/campusMgr/.keystore -storepass ^8Bradford%23
Where "<IP_ADDRESS>" is the IP address of the system the certificate came from.Example:
keytool -delete -alias 10.1.1.1_server_pub -keystore /bsc/campusMgr/.keystore -storepass ^8Bradford%23