Setting the certificates used by the Fortigate

Admin Server Certificate

This is the certificate presented upon logging into the Fortigate for administrative access.

config system global
set admin-server-cert CustomCert
end

Authentication Certificate

This is the certificate used when the Fortigate needs to authenticate a user who is visiting an HTTPS page.

config system global
set auth-cert CustomCert
end

Blocked page certificate

This is the certificate used to display the blocked-page message when a user visits an HTTPS page that is blocked:

config system global
set user-server-cert CustomCert
end

Authentication Server Redirect page

When a user needs to authenticate, they are redirected to the Fortigate authentication page via its IP address. If the server certificate was issued with CN=domain name, the browser will display an invalid-certificate warning because the IP address does not match the name in the certificate, so you'll want to redirect the auth page to its domain name instead. This is configured in the firewall policy when the identity-based option is selected:

config firewall policy
edit <policyID>
set auth-redirect-addr fortigatename.domain.com
next
end
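As an added example (not part of the original post or any Fortinet code), here is a small Python check of the name-matching rule behind auth-redirect-addr: whether a browser will accept the redirect target against the names in the certificate. The hostname, CN and IP values are constructed; the redirect-target hostname is the one used in the policy above.

```python
import ipaddress
from typing import Sequence, Tuple


def _dns_match(pattern: str, host: str) -> bool:
    """RFC 6125-style comparison: exact match, or a wildcard covering one leading label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), host.split(".")
    # "*.domain.com" covers "fw.domain.com" but not "domain.com" or "a.b.domain.com"
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def redirect_matches_cert(redirect_addr: str, cert_cn: str,
                          san_dns: Sequence[str] = (),
                          san_ip: Sequence[str] = ()) -> Tuple[bool, str]:
    """Would a browser accept `redirect_addr` against this certificate's names?"""
    try:
        ip = ipaddress.ip_address(redirect_addr)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP-address redirect is only clean if that IP is a SAN iPAddress entry;
        # browsers never match an IP against the subject CN.
        if any(ip == ipaddress.ip_address(s) for s in san_ip):
            return True, f"{redirect_addr} is listed as a SAN iPAddress"
        return False, (f"{redirect_addr} is an IP address but the certificate is "
                       f"issued to {cert_cn}; the browser will warn")
    # When a SAN extension is present, browsers ignore the CN entirely.
    names = list(san_dns) if san_dns else [cert_cn]
    for name in names:
        if _dns_match(name, redirect_addr):
            return True, f"{redirect_addr} matches certificate name {name}"
    return False, f"{redirect_addr} matches none of {names}"


if __name__ == "__main__":
    # Constructed values: a cert issued to the Fortigate's FQDN, and the two
    # possible redirect targets (its management IP vs. its DNS name).
    cert_cn = "fortigatename.domain.com"
    for target in ("192.0.2.1", "fortigatename.domain.com"):
        ok, why = redirect_matches_cert(target, cert_cn)
        print(f"set auth-redirect-addr {target}: {'OK' if ok else 'WARNING'} ({why})")
```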

SSL VPN Certificate

This is the certificate users will be presented with when accessing the SSL VPN:

config vpn ssl settings
set servercert CustomCert
end

SSL Proxy Certificate

This is the certificate used to perform the man-in-the-middle interception when HTTPS deep inspection is turned on. Because the Fortigate uses it to re-sign server certificates on the fly, it must be a CA certificate that is able to sign other certificates (a key-signing certificate):

config firewall ssl setting
set caname CustomCert
end
