Administration Guide

SSL

You can set strong cryptography and select which certificates are used by the FortiSwitch unit.

Using the GUI:
  1. Go to System > Config > SSL.
  2. Select Strong Crypto to use strong cryptography for HTTPS and SSH access.
  3. Select one of the 802.1x certificate options:
    • Entrust_802.1x—This certificate is embedded in the firmware and is the same on every unit (not unique). It has been signed by a public CA. This is the default certificate for 802.1x authentication.
    • Fortinet_Factory—This certificate is embedded in the hardware at the factory and is unique to this unit. It has been signed by a proper CA.
    • Fortinet_Factory2—This certificate is embedded in the hardware at the factory and is unique to this unit. It has been signed by a proper CA.
    • Fortinet_Firmware—This certificate is embedded in the firmware and is the same on every unit (not unique). It has been signed by a proper CA. It is not recommended to use it for server-type functionality since any other unit could use this same certificate to spoof the identity of this unit.
  4. Select one of the 802.1x certificate authority (CA) options:
    • Entrust_802.1x_CA—Select this CA if you are using 802.1x authentication.
    • Entrust_802.1x_G2_CA—Select this CA if you want to use the Google Internet Authority G2.
    • Entrust_802.1x_L1K_CA—Select this CA if you want to use http://ocsp.entrust.net.
    • Fortinet_CA—Select this CA if you want to use the factory-installed certificate.
    • Fortinet_CA2—Select this CA if you want to use the factory-installed certificate.
  5. Select one of the GUI HTTPS certificate options:
    • Entrust_802.1x—This certificate is embedded in the firmware and is the same on every unit (not unique). It has been signed by a public CA.
    • Fortinet_Factory—This certificate is embedded in the hardware at the factory and is unique to this unit. It has been signed by a proper CA.
    • Fortinet_Factory2—This certificate is embedded in the hardware at the factory and is unique to this unit. It has been signed by a proper CA.
    • Fortinet_Firmware—This certificate is embedded in the firmware and is the same on every unit (not unique). It has been signed by a proper CA. It is not recommended to use it for server-type functionality since any other unit could use this same certificate to spoof the identity of this unit.
  6. Select Update.
Using the CLI:

config system global
    set strong-crypto {enable | disable}
    set 802.1x-certificate {Entrust_802.1x | Fortinet_Factory | Fortinet_Factory2 | Fortinet_Firmware}
    set 802.1x-ca-certificate {Entrust_802.1x_CA | Entrust_802.1x_G2_CA | Entrust_802.1x_L1K_CA | Fortinet_CA | Fortinet_CA2}
    set admin-server-cert {self-sign | Entrust_802.1x | Fortinet_Factory | Fortinet_Factory2 | Fortinet_Firmware}
end
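The following audit script is an added example, not Fortinet code. It checks a saved configuration for the weak choices described above: strong cryptography disabled, or a certificate that is the same on every unit. It assumes the backup uses the same `config system global` / `set` / `end` syntax as the CLI; the function names and the sample configuration are constructed for illustration.

```python
import re

# Per the certificate descriptions above: embedded in firmware, same on every unit.
SHARED_CERTS = {"Entrust_802.1x", "Fortinet_Firmware"}
# The only default this page states: Entrust_802.1x for 802.1x authentication.
PAGE_DEFAULTS = {"802.1x-certificate": "Entrust_802.1x"}
CERT_KEYS = ("802.1x-certificate", "admin-server-cert")

def parse_system_global(config_text):
    """Return the 'set' key/value pairs found inside 'config system global'."""
    settings, inside = {}, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system global":
            inside = True
        elif inside and line == "end":
            break
        elif inside:
            m = re.match(r'set\s+(\S+)\s+"?([^"]+?)"?$', line)
            if m:
                settings[m.group(1)] = m.group(2)
    return settings

def audit(config_text):
    """Return a sorted list of (setting, finding) tuples for the SSL options."""
    s = parse_system_global(config_text)
    findings = []
    crypto = s.get("strong-crypto")
    if crypto == "disable":
        findings.append(("strong-crypto", "disabled for HTTPS and SSH access"))
    elif crypto is None:
        findings.append(("strong-crypto", "not set explicitly; confirm on the unit"))
    for key in CERT_KEYS:
        value = s.get(key, PAGE_DEFAULTS.get(key))
        if value is None:
            findings.append((key, "not set explicitly; confirm on the unit"))
        elif value in SHARED_CERTS:
            findings.append((key, f"{value} is shared by every unit (not unique)"))
    return sorted(findings)

# Constructed sample backup, not taken from a real device.
SAMPLE = """config system global
    set hostname "lab-switch"
    set strong-crypto disable
    set admin-server-cert Fortinet_Firmware
end
"""

if __name__ == "__main__":
    for setting, finding in audit(SAMPLE):
        print(f"{setting}: {finding}")
```

The `self-sign` value of `admin-server-cert` is not flagged because this page does not characterise it.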