Certificate usage
FortiOS leverages certificates in multiple areas, such as administrative access, ZTNA, SAML authentication, LDAPS, RADSEC over TLS, VPNs, communication between Fortinet devices and services, deep packet inspection, and authenticating Security Fabric devices.
When configuring an LDAP connection to an Active Directory server with a regular bind, an administrator must provide Active Directory user credentials that the FortiGate uses to bind to the directory and look up users.
- To secure this connection, use LDAPS on both the Active Directory server and the FortiGate, so that the bind credentials and the directory queries are not sent in cleartext. See Configuring an LDAP server and Configuring client certificate authentication on the LDAP server.
- Apply the principle of least privilege. For the LDAP regular bind, use a dedicated account that has only the read access the lookups require; do not use credentials that provide full administrative access to the Windows server. See Configuring least privileges for LDAP admin account authentication in Active Directory.
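The two points above in CLI form, as an added example that is not part of this guide: the LDAP server object is configured for LDAPS with server certificate validation and a dedicated, read-only bind account. The object name, server name, base DN, service account and the CA certificate name "AD-Root-CA" are assumptions for illustration; the CA that signed the domain controller's LDAPS certificate must already be uploaded to the FortiGate under that name.

```fortios
# Added example, not from the FortiOS hardening guide. Object names, the
# server FQDN, the base DN, the service account and the CA certificate
# name "AD-Root-CA" are assumptions; replace them with your own values.
#
# What NOT to do (weak settings, shown only for contrast):
#   set secure disable                 -> bind credentials cross the network in cleartext
#   set port 389
#   set username "CN=Administrator,CN=Users,DC=corp,DC=example,DC=com"
#                                      -> a Domain Admin used as a bind account
#
# Hardened configuration: LDAPS, server identity check, least-privilege bind.
config user ldap
    edit "AD-LDAPS"
        set server "dc01.corp.example.com"          # must match the name in the DC certificate
        set port 636                                # LDAPS port
        set secure ldaps
        set ca-cert "AD-Root-CA"                    # assumed name of the uploaded issuing CA
        set server-identity-check enable            # reject a server cert whose name does not match
        set cnid "sAMAccountName"
        set dn "DC=corp,DC=example,DC=com"
        set type regular
        # dedicated read-only service account, not a Domain Admin
        set username "CN=svc-fgt-ldap,OU=Service Accounts,DC=corp,DC=example,DC=com"
        set password <bind-password>
    next
end
```

Before referencing the object from a user group, test the bind from the CLI (`diagnose test authserver ldap AD-LDAPS <user> <password>`); a certificate name mismatch or a missing CA shows up there rather than as a silent authentication failure in a policy.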
To secure RADIUS connections, consider using RADSEC over TLS instead. See Configuring a RADSEC client.
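A RADSEC client definition, as an added example rather than text from this guide. The RADIUS server name, the certificate names "AD-Root-CA" and "fgt01-client" and the object name are assumptions; the option names follow the FortiOS 7.4 `config user radius` syntax and should be checked against the CLI reference for the release in use.

```fortios
# Added example, not from the FortiOS hardening guide. Server name and
# certificate names are assumptions. Option names are as in FortiOS 7.4;
# verify them against the CLI reference for your release.
#
# Weak baseline for contrast: classic RADIUS over UDP/1812, where only the
# password attribute is obfuscated with the shared secret and every other
# attribute travels in cleartext.
#
# RADSEC: RADIUS carried inside a mutually authenticated TLS session.
config user radius
    edit "NPS-RADSEC"
        set server "nps01.corp.example.com"        # must match the name in the server certificate
        set secret radsec                          # RADSEC uses the fixed secret "radsec"; TLS provides the protection
        set transport-protocol tls                 # RADSEC instead of udp
        set ca-cert "AD-Root-CA"                   # assumed name of the CA that issued the RADIUS server cert
        set client-cert "fgt01-client"             # assumed name of a FortiGate client cert issued by that CA
        set server-identity-check enable           # validate the server certificate name, not just the chain
    next
end
```

The client certificate is what lets the RADIUS server authenticate the FortiGate; it should be a certificate issued specifically to this device, not the factory self-signed certificate.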
The default Fortinet factory self-signed certificates are provided to simplify initial installation and testing. Replace any certificates in use with certificates that are signed by a trusted CA and are specific to that FortiGate.
Certificates can be uploaded to the FortiGate in multiple ways:
- Automated Certificate Management Environment (ACME),
- Simple Certificate Enrollment Protocol (SCEP),
- Uploading a certificate in the GUI or CLI,
- Creating a Certificate Signing Request (CSR), having it signed by a CA, then uploading the certificate.
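The first of those methods, carried through to replacing the factory certificate on the administrative interface, as an added example that is not part of this guide. The interface name, the FQDN, the contact address, the certificate name and the ACME directory URL are assumptions; the FQDN must resolve to an address on which the chosen interface accepts the CA's validation request.

```fortios
# Added example, not from the FortiOS hardening guide. Interface name, FQDN,
# e-mail address, certificate name and CA URL are assumptions; adjust them
# to your environment.
#
# 1. Allow the ACME client to answer validation requests on the interface
#    the public FQDN resolves to.
config system acme
    set interface "wan1"
end

# 2. Enrol a certificate specific to this FortiGate via ACME. The FortiGate
#    generates the key pair locally and renews the certificate automatically.
config vpn certificate local
    edit "fgt01-admin-acme"
        set enroll-protocol acme2
        set acme-domain "fgt01.example.com"        # name the certificate is issued for
        set acme-email "pki-admin@example.com"     # contact registered with the CA
        set acme-ca-url "https://acme-v02.api.letsencrypt.org/directory"   # assumed CA directory
    next
end

# 3. Use it for administrative access instead of the factory certificate.
config system global
    set admin-server-cert "fgt01-admin-acme"
end
```

After the enrolment completes, verify that the browser sees the new certificate chain when connecting to the FQDN; the default certificate remains on the unit but is no longer presented by the admin GUI.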