EMS Administration Guide

Server Certificates

You can view and manage certificates from the Server Certificates page.

EMS supports the following certificate types:

| Type | Description |
|---|---|
| Default | EMS uses this certificate when there are no other available certificates. You cannot delete this certificate. Using the other certificate types is recommended. When other certificates are present, you cannot select the default certificate for use. |
| Uploaded | User-uploaded certificates. You can upload certificates in PEM, DER, or PKCS12 format. See Adding an SSL certificate to FortiClient EMS. |
| ACME | The public Let's Encrypt certificate authority uses the Automated Certificate Management Environment (ACME), as defined in RFC 8555, to provide free SSL server certificates. You can configure FortiClient EMS to use certificates that Let's Encrypt manages and other certificate management services that use the ACME protocol. See Adding an SSL certificate to FortiClient EMS. |
| FortiCare | When you apply or renew a license on EMS, EMS retrieves FortiCare-generated certificates with the license information. These certificates are named FCTEMS<serial number>.1.cert and FCTEMS<serial number>.2.cert. While browsers normally do not trust these certificates, they are preferred over the default certificate. If only these certificates and the default certificate are available, EMS uses these certificates, with a preference for .1.cert over .2.cert. You cannot delete these certificates. |

EMS uses certificates for the following services. If EMS is currently using a certificate for a certain service, Server Certificates displays this information in the Assigned To column:

| Service | Description | Ports used |
|---|---|---|
| Web server | Apache service and the Notify (websockets) daemon. This certificate must be trusted by any browser connecting to EMS or a warning is shown. You can configure the certificate for this service in System Settings > EMS Settings > Shared Settings. See Configuring EMS settings. | Apache service: 443 (GUI), 10443 (installers). Notify (websockets) daemon: 8015 |
| Endpoint control | Endpoint Control daemon. You can configure the certificate for this service in System Settings > EMS Settings > Shared Settings. See Configuring EMS settings. | 8013 |
| Chromebook | Chromebook daemon. You can configure the certificate for this service in System Settings > EMS Settings > EMS for Chromebooks Settings. See Configuring EMS settings. | 8443 |

You can delete certificates from Server Certificates. If an ACME certificate is eligible for renewal (within 30 days of expiry), you can also select the certificate to renew it.
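
To confirm from a client's point of view which services present a trusted certificate and which certificates are inside the 30-day renewal window, the following added example (not Fortinet code) handshakes with each port from the table above using the system trust store. It assumes every listed port accepts a direct TLS handshake; the hostname `ems.example.com` and the function names are hypothetical.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone

# Service ports taken from the table on this page.
EMS_PORTS = {
    443: "Web server (GUI)",
    10443: "Web server (installers)",
    8015: "Web server (Notify daemon)",
    8013: "Endpoint control",
    8443: "Chromebook",
}
RENEWAL_WINDOW = timedelta(days=30)  # ACME renewal eligibility per this page


def expiry_status(not_after, now):
    """Classify an OpenSSL-style notAfter string; returns (status, whole days left)."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    remaining = expires - now
    if remaining <= timedelta(0):
        return "expired", remaining.days
    if remaining <= RENEWAL_WINDOW:
        return "renewal-window", remaining.days
    return "ok", remaining.days


def check_port(host, port, now=None, timeout=5.0):
    """Handshake with the system trust store, as a browser or client would."""
    now = now or datetime.now(timezone.utc)
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # Raised when the client does not trust the presented certificate.
        return "untrusted", exc.verify_message
    except OSError as exc:
        return "unreachable", str(exc)
    return expiry_status(cert["notAfter"], now)


if __name__ == "__main__":
    host = "ems.example.com"  # hypothetical EMS hostname (assumption)
    for port, service in EMS_PORTS.items():
        print(f"{port:>5}  {service:<28} {check_port(host, port)}")
```

An `untrusted` result on the web server ports corresponds to the browser warning described in the service table.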
