
FortiVoice Phone System Administration Guide

Managing certificates

This section explains how to manage X.509 security certificates using the FortiVoice GUI. Using the System > Certificate menu, you can generate certificate requests, install signed certificates, import CA root certificates and certificate revocation lists, and back up and restore installed certificates and private keys.

The FortiVoice unit uses certificates for PKI authentication in secure connections. PKI authentication is the process of determining whether a remote host can be trusted with access to network resources. To establish its trustworthiness, the remote host must present an acceptable authentication certificate, which it obtains from a certification authority (CA).

You can manage the following types of certificates on the FortiVoice unit:

Certificate type

Usage

Server certificates

The FortiVoice unit must present its local server certificate for the following secure connections:

  • the GUI (HTTPS connections only)
  • phone user portal (HTTPS connections only)
  • phone and FortiVoice unit (TLS and SRTP connections only), see Configuring SIP profiles.

For details, see Managing local certificates.

CA certificates

The FortiVoice unit uses CA certificates to authenticate the PKI users, including administrators and phone users. For details, see Managing certificate authority certificates.

Personal certificates

Phone users’ personal certificates are used for S/MIME encryption.

OCSP server certificates

View and import the certificates of the online certificate status protocol (OCSP) servers of your certificate authority (CA). For details, see Managing OCSP server certificates.

APNs certificates

View and import the Apple Push Notification service (APNs) and VoIP services certificates. For details, see Managing APNs and VoIP services certificates.

This section contains the following topics:

  • Managing local certificates
  • Managing certificate authority certificates
  • Managing the certificate revocation list
  • Managing OCSP server certificates
  • Managing APNs and VoIP services certificates

Managing local certificates

System > Certificate > Local Certificate displays both the signed server certificates and unsigned certificate requests.

On this tab, you can also generate certificate signing requests and import signed certificates in order to install them for local use by the FortiVoice unit.

The FortiVoice unit requires a local server certificate that it can present when clients request secure connections, including:

  • the GUI (HTTPS connections only)
  • phone user web interface (HTTPS connections only)

To view local certificates, go to System > Certificate > Local Certificate.

GUI field

Description

View

Select a certificate and click View to display its issuer, subject, and range of dates within which the certificate is valid.

Generate

Click to generate a local certificate request. For more information, see Generating a certificate signing request.

Download

Click the row of a certificate file or certificate request file in order to select it, then click this button and select either Download (to download a certificate request (.csr) file) or Download PKCS12 File (to export a certificate and its private key as a password-encrypted .p12 file). For details, see Downloading a certificate signing request and Downloading a PKCS #12 certificate.

Assign to

Assign a local certificate to a service. For details, see Assigning a local certificate to a service.

Import

Click to import a signed certificate for local use. For more information, see Importing a certificate.

Obtaining and installing a local certificate

There are two methods to obtain and install a local certificate:

  • If you already have a signed server certificate (a backup certificate, a certificate exported from other devices, and so on), you can import the certificate into the FortiVoice unit. For details, see Importing a certificate and Assigning a local certificate to a service.
  • Generate a certificate signing request on the FortiVoice unit, get the request signed by a CA, and import the signed certificate into the FortiVoice unit.

For the second method, follow these steps:

Generating a certificate signing request

You can generate a certificate request file, based on the information you enter to identify the FortiVoice unit. Certificate request files can then be submitted for verification and signing by a certificate authority (CA).

For other related steps, see Obtaining and installing a local certificate.

To generate a certificate request

  1. Go to System > Certificate > Local Certificate.
  2. Click Generate.
  3. Configure the following:

    GUI field

    Description

    Certification name

    Enter a unique name for the certificate request, such as fvlocal.

    Subject Information

    Information that the certificate is required to contain in order to uniquely identify the FortiVoice unit.

    ID type

    Select the type of identifier to be used in the certificate to identify the FortiVoice unit:

    • Host IP
    • Domain name
    • E-mail

    Which type you should select depends on whether your FortiVoice unit has a static IP address or a fully-qualified domain name (FQDN), and on the primary intended use of the certificate.

    For example, if your FortiVoice unit has both a static IP address and a domain name, but you will primarily use the local certificate for HTTPS connections to the GUI by the domain name of the FortiVoice unit, you might prefer to generate a certificate based on the domain name of the FortiVoice unit, rather than its IP address.

    • Host IP requires that the FortiVoice unit have a static, public IP address. It may be preferable if clients will be accessing the FortiVoice unit primarily by its IP address.
    • Domain name requires that the FortiVoice unit have a fully-qualified domain name (FQDN). It may be preferable if clients will be accessing the FortiVoice unit primarily by its domain name.
    • E-mail does not require either a static IP address or a domain name. It may be preferable if the FortiVoice unit does not have a domain name or public IP address.

    IP

    Enter the static IP address of the FortiVoice unit.

    This option appears only if ID type is Host IP.

    Domain name

    Type the fully-qualified domain name (FQDN) of the FortiVoice unit.

    The domain name may resolve to either a static or, if the FortiVoice unit is configured to use a dynamic DNS service, a dynamic IP address. For more information, see Configuring the network interfaces and Configuring DNS.

    If a domain name is not available and the FortiVoice unit subscribes to a dynamic DNS service, an unable to verify certificate message may appear in the user’s browser whenever the public IP address of the FortiVoice unit changes.

    This option appears only if ID type is Domain name.

    E-mail

    Type the email address of the owner of the FortiVoice unit.

    This option appears only if ID type is E-mail.

    Optional Information

    Information that you may include in the certificate, but which is not required.

    Organization unit

    Type the name of your organizational unit, such as the name of your department, and click >>. (Optional)

    You may enter more than one organizational unit name.

    Organization

    Type the legal name of your organization. (Optional)

    Locality (City)

    Type the name of the city or town where the FortiVoice unit is located. (Optional)

    State/Province

    Type the name of the state or province where the FortiVoice unit is located. (Optional)

    Country

    Select the name of the country where the FortiVoice unit is located. (Optional)

    E-mail

    Type an email address that may be used for contact purposes. (Optional)

    Key type

    Displays the type of algorithm used to generate the key.

    This option cannot be changed, but appears in order to indicate that only RSA is currently supported.

    Key size

    Select a key size of 512 Bit, 1024 Bit, 1536 Bit or 2048 Bit. Larger keys are slower to generate, but provide better security. Select 2048 Bit unless you have a specific reason not to: 512-bit and 1024-bit RSA keys are considered weak by current standards, and public CAs will not sign a request whose RSA key is shorter than 2048 bits.

  4. Click Create.

    The certificate is generated, and can be downloaded to your management computer for submission to a certificate authority (CA) for signing. For more information, see Downloading a certificate signing request.

Downloading a certificate signing request

After you have generated a certificate request, you can download the request file to your management computer in order to submit the request file to a certificate authority (CA) for signing.

For other related steps, see Obtaining and installing a local certificate.

To download a certificate request

  1. Go to System > Certificate > Local Certificate.
  2. Click the row that corresponds to the certificate request in order to select it.
  3. Click Download, then select Download from the pop-up menu.

    Your web browser downloads the certificate request (.csr) file.

Submitting a certificate request to your CA for signing

After you download the certificate request file, you can submit the request to your CA for signing.

For other related steps, see Obtaining and installing a local certificate.

To submit a certificate request

  1. Using the web browser on the management computer, browse to the website for your CA.
  2. Follow your CA’s instructions to submit the Base64-encoded certificate request, uploading the certificate request file you downloaded.
  3. Follow your CA’s instructions to download their root certificate and Certificate Revocation List (CRL), and then install the root certificate and CRL on each remote client.
  4. When you receive the signed certificate from the CA, install the certificate on the FortiVoice unit. For more information, see Importing a certificate.

Importing a certificate

You can upload Base64-encoded certificates in either privacy-enhanced email (PEM) or public key cryptography standard #12 (PKCS #12) format from your management computer to the FortiVoice unit.

Importing a certificate may be useful when:

  • restoring a certificate backup
  • installing a certificate that has been generated on another system
  • installing a certificate, after the certificate request has been generated on the FortiVoice unit and signed by a certificate authority (CA)

If you generated the certificate request using the FortiVoice unit, after you submit the certificate request to the CA, the CA will verify the information and register the contact information in a digital certificate that contains a serial number, an expiration date, and the public key of the CA. The CA will then sign the certificate and return it to you for installation on the FortiVoice unit. To install the certificate, you must import it. For other related steps, see Obtaining and installing a local certificate.

If the FortiVoice unit’s local certificate is signed by an intermediate CA rather than a root CA, before clients will trust the FortiVoice unit’s local certificate, you must demonstrate a link with trusted root CAs, thereby proving that the FortiVoice unit’s certificate is genuine. You can demonstrate this chain of trust either by:

  • installing each intermediate CA’s certificate in the client’s list of trusted CAs
  • including a signing chain in the FortiVoice unit’s local certificate

To include a signing chain, before importing the local certificate to the FortiVoice unit, first open the FortiVoice unit’s local certificate file in a plain text editor, append the certificate of each intermediate CA in order from the intermediate CA who signed the FortiVoice unit’s certificate to the intermediate CA whose certificate was signed directly by a trusted root CA, then save the certificate. For example, a local certificate which includes a signing chain might use the following structure:

    -----BEGIN CERTIFICATE-----
    <FortiVoice unit’s local server certificate>
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    <certificate of intermediate CA 1, who signed the FortiVoice certificate>
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    <certificate of intermediate CA 2, who signed the certificate of intermediate CA 1 and whose certificate was signed by a trusted root CA>
    -----END CERTIFICATE-----

To import a local certificate

  1. Go to System > Certificate > Local Certificate.
  2. Click Import.
  3. Select the type of the import file or files:
    • PKCS12 Certificate: Select this option if you are importing an existing certificate whose certificate file and private key are stored in a PKCS #12 (.p12) password-encrypted file.
    • Certificate: Select this option if you are importing an existing certificate whose certificate file (.cert) and key file (.key) are stored separately. The private key is password-encrypted.
  4. For Certificate, configure the following:
    • Certificate name: Enter the name of the certificate.
    • Certificate file: Click Import to locate and import the file.
    • Key file: Click Import to locate and import the file.
    • Password: Enter the password that was used to encrypt the file, enabling the FortiVoice unit to decrypt and install the certificate.
  5. Click OK.

Assigning a local certificate to a service

You can assign a local certificate to one or more services (HTTPS, LDAPS, SIP TLS, and SIP WSS), as applicable.

  1. Go to System > Certificate > Local Certificate.
  2. To select the certificate, click the row in the certificate table.
  3. Click Assign to.
  4. From the Predefined list, select the service, and click >> to move this service to the Selected list.
  5. Click OK.
  6. If the change is for an LDAPS, SIP TLS, or SIP WSS service, all active calls will be disconnected to apply the certificate change. To confirm the service change, click Yes.
  7. If the change is for the HTTPS service, the FortiVoice GUI asks you to perform the following steps:
    1. To confirm the service change, click Yes.
    2. To reload the FortiVoice GUI, press OK.
    3. Wait for a few seconds.
    4. If the reload is unsuccessful, reload the FortiVoice GUI in your web browser.

Downloading a PKCS #12 certificate

You can export certificates from the FortiVoice unit to a PKCS #12 file for secure download and import to another platform, or for backup purposes.

To download a PKCS #12 file

  1. Go to System > Certificate > Local Certificate.
  2. Click the row that corresponds to the certificate in order to select it.
  3. Click Download, then select Download PKCS12 File on the pop-up menu.

    A dialog appears.

  4. In Password and Confirm password, enter the password that will be used to encrypt the exported certificate file. The password must be at least four characters long.
  5. Click OK.
  6. If your browser prompts you for a location to save the file, select a location.
  7. Your web browser downloads the PKCS #12 (.p12) file. For information on importing a PKCS #12 file, see Importing a certificate.

Managing certificate authority certificates

Go to System > Certificate > CA Certificate to view and import certificates for certificate authorities (CA).

Certificate authorities validate and sign other certificates in order to indicate to third parties that those other certificates may be trusted to be authentic.

CA certificates are required by connections that use transport layer security (TLS), and by S/MIME encryption. Depending on the configuration of each PKI user, CA certificates may also be required to authenticate PKI users.

To view the list of CA certificates, go to System > Certificate > CA Certificate. You can remove, view, download, or import a CA certificate.

Managing the certificate revocation list

The Certificate Revocation List tab lets you view and import certificate revocation lists.

To ensure that your FortiVoice unit validates only valid (not revoked) certificates, you should periodically upload a current certificate revocation list, which may be provided by certificate authorities (CA).

To view certificate revocation lists, go to System > Certificate > Certificate Revocation List. You can remove, view, download, or import a certificate revocation list.

Managing OCSP server certificates

Go to System > Certificate > Remote to view and import the certificates of the online certificate status protocol (OCSP) servers of your certificate authority (CA).

OCSP lets you revoke or validate certificates by query, rather than by importing certificate revocation lists (CRL). For information about importing CRLs, see Managing the certificate revocation list.

Remote certificates are required if you enable OCSP for PKI users.

To view the list of remote certificates, go to System > Certificate > Remote.

GUI field

Description

View

Select a certificate and click View to display certificate details including the certificate name, issuer, subject, and the range of dates within which the certificate is valid.

Download

Click the row of a certificate in order to select it, then click Download to save a copy of the OCSP server certificate (.cer).

Import

Click to import an OCSP server certificate.

Name

Displays the name of the OCSP server certificate.

Subject

Displays the Distinguished Name (DN) located in the Subject field of the certificate.

Managing APNs and VoIP services certificates

An Apple iPhone using the FortiFone softclient for iOS requires a connection to the Apple Push Notification service (APNs).

To connect with APNs, FortiVoice supports the following methods:

  • Token-based connection: This method is the default.
  • Certificate-based connection: FortiVoice can use this method as a fallback. If you need to disable the token-based connection, use the following CLI commands:

    config system notification-service
        set ios-notification-token disable
        show full
    end

If FortiVoice uses a certificate-based connection, the FortiFone softclient for iOS requires the following certificates on the FortiVoice phone system:

  • Apple Push Notification service (APNs): Used to receive notification messages. The certificate name is fortifone.push.

  • VoIP services: Used to receive incoming calls. The certificate name is fortifone.voip.

To view the list of APNs and VoIP services certificates, go to System > Certificate > APNS Push Certificate.

GUI field

Description

Name

Displays the certificate name (fortifone.push or fortifone.voip).

Subject

Displays details of the entity associated with the certificate.

Expiration

Indicates the expiration status of the certificates:

  • Green icon: The certificate is valid.

  • Orange icon: The certificate expires in 30 days.

  • Red icon: The certificate is expired.
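The following added example is not FortiVoice code. It checks a concatenated PEM file for the order described under Importing a certificate (the local server certificate first, then each intermediate CA, each certificate's issuer matching the next certificate's subject) and classifies each certificate's expiry with the same 30-day threshold the APNS Push Certificate tab uses. It uses only the Python standard library, so a minimal DER walker extracts issuer, subject and notAfter; it does not verify signatures, so it confirms ordering and dates, not trust. All certificate names and dates are constructed sample input, and the sample certificates are unsigned stand-ins built by the script itself.

```python
"""Check PEM chain order (leaf first, then intermediates) and classify expiry.
Added example, not FortiVoice code; standard library only; no signature checks."""
import base64
import re
from datetime import datetime, timedelta, timezone

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
OID_CN = b"\x55\x04\x03"                                # id-at-commonName, 2.5.4.3
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")    # sha256WithRSAEncryption


def utc_date(ymd):
    """'YYYY-MM-DD' -> timezone-aware UTC datetime at midnight."""
    return datetime.strptime(ymd, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split the content of a constructed element into its (tag, value) items."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out


def parse_certificate(der):
    """Return issuer, subject (raw DER Names) and notAfter from one DER certificate."""
    tbs = _children(_tlv(der, 0)[1])[0][1]  # Certificate -> tbsCertificate
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                # skip the EXPLICIT [0] version, if present
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    issuer, validity, subject = fields[2][1], fields[3][1], fields[4][1]
    tag, not_after = _children(validity)[1]  # notAfter: UTCTime (0x17) or GeneralizedTime (0x18)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return {"issuer": issuer, "subject": subject,
            "not_after": datetime.strptime(not_after.decode(), fmt).replace(tzinfo=timezone.utc)}


def load_chain(pem_text):
    """Split a concatenated PEM file into parsed certificates, in file order."""
    return [parse_certificate(base64.b64decode("".join(b.split()))) for b in PEM_RE.findall(pem_text)]


def check_chain_order(certs):
    """Each certificate's issuer must equal the next certificate's subject.
    Returns the index of the first broken link, or -1 when the order is correct."""
    for i in range(len(certs) - 1):
        if certs[i]["issuer"] != certs[i + 1]["subject"]:
            return i
    return -1


def expiry_status(cert, now):
    """Mirror the tab's icons: 'expired', 'expiring' (30 days or less left) or 'valid'."""
    if cert["not_after"] <= now:
        return "expired"
    return "expiring" if cert["not_after"] - now <= timedelta(days=30) else "valid"


# --- constructed sample input: structurally valid but UNSIGNED test certificates ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content


def _name(cn):                              # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, OID_CN) + _der(0x0C, cn.encode()))))


def make_test_certificate(subject_cn, issuer_cn, not_after_ymd):
    """Build a PEM test certificate with a placeholder (invalid) signature."""
    alg = _der(0x30, _der(0x06, OID_SHA256_RSA) + b"\x05\x00")
    utc = lambda t: _der(0x17, t.strftime("%y%m%d%H%M%SZ").encode())
    end = utc_date(not_after_ymd)
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg
               + _name(issuer_cn) + _der(0x30, utc(end - timedelta(days=365)) + utc(end))
               + _name(subject_cn) + _der(0x30, b""))
    cert = _der(0x30, tbs + alg + _der(0x03, b"\x00\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(cert).decode() + "\n-----END CERTIFICATE-----\n"


SAMPLE_NOW = utc_date("2025-06-01")   # constructed "today" for the expiry check
SAMPLE_CHAIN = (make_test_certificate("fv.example.com", "Example Issuing CA", "2025-06-15")
                + make_test_certificate("Example Issuing CA", "Example Intermediate CA", "2027-01-01")
                + make_test_certificate("Example Intermediate CA", "Example Root CA", "2025-05-01"))

if __name__ == "__main__":
    certs = load_chain(SAMPLE_CHAIN)
    print("chain order ok:", check_chain_order(certs) == -1)
    print([expiry_status(c, SAMPLE_NOW) for c in certs])
```

Run it against the file you are about to import in place of SAMPLE_CHAIN (replace SAMPLE_NOW with datetime.now(timezone.utc)); a broken link index tells you which intermediate is out of order or missing before the import fails on the client side. Because the issuer and subject are compared as raw DER bytes, a CA that re-encodes its name differently across certificates would be reported as a mismatch, which is itself worth investigating.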

To view details about APNs and VoIP services certificates

  1. Go to System > Certificate > APNS Push Certificate.
  2. Select a certificate and click View.

    You can access the following details:

    • Certificate Name is either fortifone.push or fortifone.voip.

    • Issuer is the authority who has signed and issued the certificate.

    • Subject is the entity associated with the certificate.

    • Valid from and Valid to specify the period during which the certificate is valid.

To import APNs and VoIP services certificates

  1. Prior to the expiry of the certificates, contact Fortinet Support to start the process to obtain new certificates (fortifone.push and fortifone.voip).
    Note

    Importing an APNs certificate or a VoIP services certificate replaces an existing certificate.

    You cannot delete a certificate.

  2. With your assistance, a Fortinet Support representative will remotely access the FortiVoice phone system (System > Certificate > APNS Push Certificate) to import the new certificates.


CA certificates are required by connections that use transport layer security (TLS), and by S/MIME encryption. Depending on the configuration of each PKI user, CA certificates may also be required to authenticate PKI users.

To view the list of CA certificates, go to System > Certificate > CA Certificate. You can remove, view, download, or import a CA certificate.

Managing the certificate revocation list

The Certificate Revocation List tab lets you view and import certificate revocation lists.

To ensure that your FortiVoice unit accepts only certificates that have not been revoked, you should periodically upload a current certificate revocation list, which may be provided by certificate authorities (CA).

To view certificate revocation lists, go to System > Certificate > Certificate Revocation List. You can remove, view, download, or import a certificate revocation list.

Managing OCSP server certificates

Go to System > Certificate > Remote to view and import the certificates of the online certificate status protocol (OCSP) servers of your certificate authority (CA).

OCSP lets you revoke or validate certificates by query, rather than by importing certificate revocation lists (CRL). For information about importing CRLs, see Managing the certificate revocation list.

Remote certificates are required if you enable OCSP for PKI users.

To view the list of remote certificates, go to System > Certificate > Remote.

The page contains the following GUI fields:

  • View: Select a certificate and click View to display certificate details including the certificate name, issuer, subject, and the range of dates within which the certificate is valid.
  • Download: Click the row of a certificate in order to select it, then click Download to save a copy of the OCSP server certificate (.cer).
  • Import: Click to import an OCSP server certificate.
  • Name: Displays the name of the OCSP server certificate.
  • Subject: Displays the Distinguished Name (DN) located in the Subject field of the certificate.

Managing APNs and VoIP services certificates

An Apple iPhone using the FortiFone softclient for iOS requires a connection to the Apple Push Notification service (APNs).

To connect with APNs, FortiVoice supports the following methods:

  • Token-based connection: This method is the default.
  • Certificate-based connection: FortiVoice can use this method as a fallback. If you need to disable the token-based connection, use the following CLI commands:

    config system notification-service
    set ios-notification-token disable
    show full
    end

If FortiVoice uses a certificate-based connection, the FortiFone softclient for iOS requires the following certificates on the FortiVoice phone system:

  • Apple Push Notification service (APNs): Used to receive notification messages. The certificate name is fortifone.push.

  • VoIP services: Used to receive incoming calls. The certificate name is fortifone.voip.

To view the list of APNs and VoIP services certificates, go to System > Certificate > APNS Push Certificate.

The page contains the following GUI fields:

  • Name: Displays the certificate name (fortifone.push or fortifone.voip).
  • Subject: Displays details of the entity associated with the certificate.
  • Expiration: Indicates the expiration status of the certificate:
    • Green icon: The certificate is valid.
    • Orange icon: The certificate expires within 30 days.
    • Red icon: The certificate is expired.

To view details about APNs and VoIP services certificates

  1. Go to System > Certificate > APNS Push Certificate.
  2. Select a certificate and click View.

    You can access the following details:

    • Certificate Name is either fortifone.push or fortifone.voip.

    • Issuer is the authority that signed and issued the certificate.

    • Subject is the entity associated with the certificate.

    • Valid from and Valid to specify the period during which the certificate is valid.

To import APNs and VoIP services certificates

  1. Prior to the expiry of the certificates, contact Fortinet Support to start the process to obtain new certificates (fortifone.push and fortifone.voip).
    Note: Importing an APNs certificate or a VoIP services certificate replaces an existing certificate. You cannot delete a certificate.

  2. With your assistance, a Fortinet Support representative will remotely access the FortiVoice phone system (System > Certificate > APNS Push Certificate) to import the new certificates.