EMS Administration Guide

Server Certificates

You can view and manage certificates from Server Certificates.

EMS supports the following certificate types:

| Type | Description |
|---|---|
| Default | EMS uses this certificate when there are no other available certificates. You cannot delete this certificate. Using other certificate types is recommended. When other certificates are present, you cannot select the default certificate for use. |
| Uploaded | User-uploaded certificates. You can upload certificates in PEM, DER, or PKCS12 format. See Adding an SSL certificate to FortiClient EMS. |
| ACME | The public Let's Encrypt certificate authority uses the Automated Certificate Management Environment (ACME), as defined in RFC 8555, to provide free SSL server certificates. You can configure FortiClient EMS to use certificates that Let's Encrypt manages and other certificate management services that use the ACME protocol. See Adding an SSL certificate to FortiClient EMS. |
| FortiCare | When you apply or renew a license on EMS, EMS retrieves FortiCare-generated certificates with the license information. These certificates are named FCTEMS<serial number>.1.cert and FCTEMS<serial number>.2.cert. While browsers normally do not trust these certificates, they are preferred over the default certificate. In the case that only these certificates and the default certificate are available, EMS uses these certificates, with a preference for .1.cert over .2.cert. You cannot delete these certificates. |

EMS uses certificates for the following services. If EMS currently uses a certificate for a certain service, Server Certificates displays this information in the Assigned To column:

| Service | Description | Ports used |
|---|---|---|
| Web server | Apache service and the Notify (websockets) daemon. Any browser connecting to EMS must trust this certificate, or a warning displays. You can configure the certificate for this service in System Settings > EMS Settings > Shared Settings. See Configuring EMS settings. | Apache service: 443 (GUI), 10443 (installers). Notify (websockets) daemon: 8015 |
| Endpoint control | Endpoint Control daemon. You can configure the certificate for this service in System Settings > EMS Settings > Shared Settings. See Configuring EMS settings. | 8013 |
| Chromebook | Chromebook daemon. You can configure the certificate for this service in System Settings > EMS Settings > EMS for Chromebooks Settings. See Configuring EMS settings. | 8443 |

You can delete certificates from Server Certificates. If an ACME certificate is eligible for renewal (within 30 days of expiry), you can also select the certificate to renew it.
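To confirm from outside EMS which certificate each service presents, the following added example (not Fortinet code) handshakes with each port from the table above using the system trust store and flags certificates that a browser would reject or that are inside the 30-day renewal window. It assumes every listed port completes a standard TLS handshake; the host name is supplied by the operator.

```python
import socket
import ssl
import time

# Ports taken from the services table on this page.
EMS_PORTS = {443: "Apache (GUI)", 10443: "Apache (installers)",
             8015: "Notify (websockets)", 8013: "Endpoint control",
             8443: "Chromebook"}
RENEWAL_WINDOW_DAYS = 30  # ACME renewal eligibility stated on this page


def days_left(not_after, now=None):
    """Whole days until a getpeercert()-style notAfter string expires."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)


def classify(not_after, now=None):
    """Return 'expired', 'renewal-window' or 'ok' for a notAfter string."""
    remaining = days_left(not_after, now)
    if remaining < 0:
        return "expired"
    return "renewal-window" if remaining <= RENEWAL_WINDOW_DAYS else "ok"


def check_port(host, port, timeout=5.0):
    """Handshake with the system trust store, as a browser would."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # Default and FortiCare certificates are expected to land here.
        return f"untrusted ({exc.verify_message})"
    except OSError as exc:
        return f"unreachable ({exc})"
    return f"{classify(cert['notAfter'])}, expires {cert['notAfter']}"


def audit(host):
    """Map each EMS port to its certificate status."""
    return {port: check_port(host, port) for port in EMS_PORTS}


if __name__ == "__main__":
    import sys
    for port, status in audit(sys.argv[1]).items():
        print(f"{port:>5} {EMS_PORTS[port]:<22} {status}")
```

Run it with the EMS FQDN as the only argument; an "untrusted" result on 443 or 10443 means that service is still presenting the default or a FortiCare certificate, or a certificate whose issuing CA the checking host does not trust.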
