FortiGate — VM unique certificate
To safeguard against certificate compromise, FortiGate VM and FortiAnalyzer VM use the same deployment model as FortiManager VM: the license file contains a unique certificate tied to the serial number of the virtual device.
A hardware appliance usually comes with a BIOS certificate with a unique serial number that identifies the hardware appliance. This built-in BIOS certificate is different from a firmware certificate. A firmware certificate is distributed in all appliances with the same firmware version.
Using a BIOS certificate with a built-in serial number provides a high trust level for the other side in X.509 authentication.
Since a VM appliance has no BIOS certificate, a signed VM license can provide an equivalent of a BIOS certificate. The VM license assigns a serial number in the BIOS-equivalent certificate, so the certificate identifies the device in the same way a BIOS certificate does, with the same high trust level.
This feature is only supported in new, registered VM licenses.
Sample configurations
Depending on the firmware version and VM license, the common name (CN) on the certificate will be configured differently.
To view validated certificates:
- Go to System > Certificates.
- Double-click on a VM certificate. There are two VM certificates:
  - Fortinet_Factory
  - Fortinet_Factory_Backup
  The Certificate Detail Information window displays.
- If you are using new firmware (6.2.0 and later) with a new VM license, the CN becomes the FortiGate VM serial number.
- If you are using new firmware (6.2.0) with an old VM license, the CN remains as FortiGate. It does not change to the VM serial number.
- If you are using old firmware (6.0.2) with a new VM license, the CN remains as FortiGate.
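The GUI steps above show the CN in the Certificate Detail Information window. The following is an added example, not Fortinet documentation or FortiOS code, of doing the same check from a shell against a PEM copy of the certificate: it extracts the subject CN with openssl and reports whether it matches the expected VM serial number (the 6.2.0-and-later, new-license case) or still reads "FortiGate" (the old-license or old-firmware cases). It assumes the openssl CLI is installed; the serial number used here is a constructed placeholder, and the certificates it builds are self-signed stand-ins for the Fortinet_Factory certificate, not a real Fortinet-issued one.

```shell
#!/bin/sh
# Added example (not Fortinet's code): compare a certificate's subject CN
# with the VM serial number that a new license is expected to place there.

# cert_cn FILE
#   Print the subject CN of a PEM certificate. RFC2253 name formatting
#   gives "subject=CN=..." with no spaces around '=', so sed can cut it out.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# cn_matches_serial FILE EXPECTED_SERIAL
#   Exit 0 if the CN equals the expected serial number, 1 otherwise.
cn_matches_serial() {
  [ "$(cert_cn "$1")" = "$2" ]
}

# cn_state FILE EXPECTED_SERIAL
#   Print one of three states matching the cases in the documentation:
#   "serial"  - CN is the VM serial number (new firmware, new license)
#   "generic" - CN is still "FortiGate" (old license or old firmware)
#   "other"   - CN is something else entirely (worth investigating)
cn_state() {
  cn=$(cert_cn "$1")
  if [ "$cn" = "$2" ]; then
    echo serial
  elif [ "$cn" = "FortiGate" ]; then
    echo generic
  else
    echo other
  fi
}

# make_demo_cert FILE CN
#   Build a constructed self-signed certificate whose subject CN is $2.
#   This only stands in for an exported Fortinet_Factory certificate so the
#   checks above can be exercised offline; the private key is discarded.
make_demo_cert() {
  keyfile=$(mktemp)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$keyfile" -out "$1" -subj "/CN=$2" 2>/dev/null
  rm -f "$keyfile"
}

# Stand-alone demonstration with a placeholder serial number.
if [ "${0##*/}" != "sh" ] && [ -z "$CN_CHECK_NO_DEMO" ]; then
  demo_serial="FGVMPLACEHOLDER00001"   # placeholder, not a real serial
  workdir=$(mktemp -d)
  make_demo_cert "$workdir/new_license.pem" "$demo_serial"
  make_demo_cert "$workdir/old_license.pem" "FortiGate"
  for f in "$workdir"/*.pem; do
    printf '%s: CN=%s state=%s\n' "$(basename "$f")" "$(cert_cn "$f")" \
      "$(cn_state "$f" "$demo_serial")"
  done
  rm -rf "$workdir"
fi
```

Run it against a certificate exported from the appliance with the real serial number as the second argument to cn_state; a result of "generic" on 6.2.0 or later firmware means the license in use is an old one and the per-device certificate described above is not in effect.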