Server Certificates
You can view and manage certificates from Server Certificates.
EMS supports the following certificate types:
Type |
Description |
---|---|
Default |
EMS uses this certificate when there are no other available certificates. You cannot delete this certificate. Using other certificate types is recommended. When other certificates are present, you cannot select the default certificate for use. |
Uploaded |
User-uploaded certificates. You can upload certificates in PEM, DER, or PKCS12 format. See Adding an SSL certificate to FortiClient EMS. |
ACME |
The public Let's Encrypt certificate authority uses the Automated Certificate Management Environment (ACME), as defined in RFC 8555 to provide free SSL server certificates. You can configure FortiClient EMS to use certificates that Let's Encrypt manages and other certificate management services that use the ACME protocol. See Adding an SSL certificate to FortiClient EMS. |
FortiCare |
When you apply or renew a license on EMS, EMS retrieves FortiCare-generated certificates with the license information. These certificates are named FCTEMS<serial number>.1.cert and FCTEMS<serial number>.2.cert. While browsers normally do not trust these certificates, they are preferred over the default certificate. In the case that only these certificates and the default certificate are available, EMS uses these certificates, with a preference for .1.cert over .2. cert. You cannot delete these certificates. |
EMS uses certificates for the following services. If EMS currently uses a certificate for a certain service, Server Certificates displays this information in the Assigned To column:
Service |
Description |
Ports used |
---|---|---|
Web server |
Apache service and the Notify (websockets) daemon. Any browser connecting to EMS must trust this certificate, or a warning displays. You can configure the certificate for this service in System Settings > EMS Settings > Shared Settings. See Configuring EMS settings. |
Apache service:
Notify (websockets) daemon: 8015 |
Endpoint control |
Endpoint Control daemon. You can configure the certificate for this service in System Settings > EMS Settings > Shared Settings. See Configuring EMS settings. |
8013 |
Chromebook |
Chromebook daemon. You can configure the certificate for this service in System Settings > EMS Settings > EMS for Chromebooks Settings. See Configuring EMS settings. |
8443 |
You can delete certificates from Server Certificates. If an ACME certificate is eligible for renewal (within 30 days of expiry), you can also select the certificate to renew it.