Installing a CA root certificate and CRL to authenticate remote clients
When you apply for a signed personal or group certificate to install on remote clients, you can obtain the corresponding root certificate and CRL from the issuing CA. When you receive the signed personal or group certificate, install the signed certificate on the remote client(s) according to the browser documentation. Install the corresponding root certificate (and CRL) from the issuing CA on the FortiGate unit according to the procedures given below.
To install a CA root certificate
1. After you download the root certificate of the CA, save the certificate on the management computer. Or, you can use online SCEP to retrieve the certificate.
2. On the FortiGate unit, go to System > Certificates > Import > CA Certificates.
3. Do one of the following:
- To import using SCEP, select SCEP. Enter the URL of the SCEP server from which to retrieve the CA
certificate. Optionally, enter identifying information of the CA, such as the filename.
- To import from a file, select Local PC, then select Browse and find the location on the management computer where the certificate has been saved. Select the certificate, and then select Open.
5. Select OK, and then select Return.
The system assigns a unique name to each CA certificate. The names are numbered consecutively (CA_Cert_1, CA_Cert_2, CA_Cert_3, and so on).
To import a certificate revocation list
A Certificate Revocation List (CRL) is a list of the CA certificate subscribers paired with certificate status information. The list contains the revoked certificates and the reason(s) for revocation. It also records the certificate issue dates and the CAs that issued them.
When configured to support SSL VPNs, the FortiGate unit uses the CRL to ensure that the certificates belonging to the CA and remote peers or clients are valid. The CRL has an “effective date” and a “next update” date. The interval is typically 7 days (for Microsoft CA). FortiOS will update the CRL automatically. Also, there is a CLI command to specify an “update-interval” in seconds. Recommendation should be 24 hours (86400 seconds) but depends on company security policy.
1. After you download the CRL from the CA web site, save the CRL on the management computer.
2. Go to System > Certificates > Import > CRL.
3. Do one of the following:
- To import using an HTTP server, select HTTP and enter the URL of the HTTP server.
- To import using an LDAP server see this KB article.
- To import using an SCEP server, select SCEP and select the Local Certificate from the list. Enter the URL of the SCEP server from which the CRL can be retrieved.
- To import from a file, select Local PC, then select Browse and find the location on the management computer where the CRL has been saved. Select the CRL and then select Open.
5. Select OK, and then select Return.
Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!
What version of FortiOS is this? Can I assume this is valid for the import of on-prem ADCS root certs? Also, do the Fortigates not ship with the standard well-trusted CA certs, like Microsoft, GoDaddy, Verisign? ‘Cause I don’t see those in System > Certificates. In your SSL inspection video, you said the Fortigate interposes itself in the path between SSL-enabled server and the client … so it must be able to validate the trust chain for the external web server … meaning it must a priori trust those well-known cert authorities, no?