Fortinet black logo

Handbook

Importing CAs

Importing CAs

The certificate authority (CA) store is used to authenticate the certificates of other devices. When the FortiADC system is presented with a certificate, it examines the CA’s signature, comparing it with the copy of the CA’s certificate already imported into the CA store. If the public key matches the private key, the client's or device’s certificate is considered legitimate.

In web browsers, the CA store includes trusted root CAs that can be used to establish trust with servers that have certificates signed by the issuing CAs. In an SSL forward proxy deployment, FortiADC acts as a proxy for the client, so you might want to import client browser CAs, create a CA group, and create a certficate verification policy to verify server certificates against this group. You can examine the CA store in common web browsers to come up with a good list of CAs to download and then import. The following list has links for some common web browsers:

You must do one of the following:

  • Import the certificates of the signing CA and all intermediate CAs to FortiADC’s store of CA certificates.
  • In all personal certificates, include the full signing chain up to a CA that FortiADC knows in order to prove that the clients’ certificates should be trusted.
  • If the signing CA is not known, that CA’s own certificate must likewise be signed by one or more other intermediary CAs, until both the FortiADC appliance and the client or device can demonstrate a signing chain that ultimately leads to a mutually trusted (shared “root”) CA that they have in common. Like a direct signature by a known CA, this proves that the certificate can be trusted.

Before you begin, you must:

  • Have Read-Write permission for System settings.
  • Know the URL of an SCEP server or have downloaded the certificate and key files and be able to browse to them so that you can upload them.
To import a CA:
  1. Go to System > Certificate > Verify.
  2. Click the CA tab.
  3. Click Import to display the configuration editor.
  4. Complete the configuration as described in CA import configuration.
  5. Click Save when done.
  6. Repeat Steps 3 through 5 to import as many CAs as needed.

CA import configuration

Settings Guidelines
Certificate Name Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. The maximum length is 35 characters. No space is allowed.
Import Method
  • SCEP—Use Simple Certificate Enrollment Protocol. SCEP allows routers and other intermediary network devices to obtain certificates.
  • File—Upload a file.
SCEP
SCEP URL Enter the URL of the SCEP server.
CA Identifier Enter the identifier for a specific CA on the SCEP server.
File
Local PC Browse for the certificate file on the local machine and upload it to FortiADC.

Importing CAs

The certificate authority (CA) store is used to authenticate the certificates of other devices. When the FortiADC system is presented with a certificate, it examines the CA’s signature, comparing it with the copy of the CA’s certificate already imported into the CA store. If the public key matches the private key, the client's or device’s certificate is considered legitimate.

In web browsers, the CA store includes trusted root CAs that can be used to establish trust with servers that have certificates signed by the issuing CAs. In an SSL forward proxy deployment, FortiADC acts as a proxy for the client, so you might want to import client browser CAs, create a CA group, and create a certficate verification policy to verify server certificates against this group. You can examine the CA store in common web browsers to come up with a good list of CAs to download and then import. The following list has links for some common web browsers:

You must do one of the following:

  • Import the certificates of the signing CA and all intermediate CAs to FortiADC’s store of CA certificates.
  • In all personal certificates, include the full signing chain up to a CA that FortiADC knows in order to prove that the clients’ certificates should be trusted.
  • If the signing CA is not known, that CA’s own certificate must likewise be signed by one or more other intermediary CAs, until both the FortiADC appliance and the client or device can demonstrate a signing chain that ultimately leads to a mutually trusted (shared “root”) CA that they have in common. Like a direct signature by a known CA, this proves that the certificate can be trusted.

Before you begin, you must:

  • Have Read-Write permission for System settings.
  • Know the URL of an SCEP server or have downloaded the certificate and key files and be able to browse to them so that you can upload them.
To import a CA:
  1. Go to System > Certificate > Verify.
  2. Click the CA tab.
  3. Click Import to display the configuration editor.
  4. Complete the configuration as described in CA import configuration.
  5. Click Save when done.
  6. Repeat Steps 3 through 5 to import as many CAs as needed.

CA import configuration

Settings Guidelines
Certificate Name Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. The maximum length is 35 characters. No space is allowed.
Import Method
  • SCEP—Use Simple Certificate Enrollment Protocol. SCEP allows routers and other intermediary network devices to obtain certificates.
  • File—Upload a file.
SCEP
SCEP URL Enter the URL of the SCEP server.
CA Identifier Enter the identifier for a specific CA on the SCEP server.
File
Local PC Browse for the certificate file on the local machine and upload it to FortiADC.