SSL
You can set strong cryptography and select which certificates are used by the FortiSwitch unit.
Using the GUI:
- Go to System > Config > SSL.
- Select Strong Crypto to use strong cryptography for HTTPS and SSH access.
- Select one of the 802.1x certificate options:
  - Entrust_802.1x—This certificate is embedded in the firmware and is the same on every unit (not unique). It has been signed by a public CA. This is the default certificate for 802.1x authentication.
  - Fortinet_Factory—This certificate is embedded in the hardware at the factory and is unique to this unit. It has been signed by a proper CA.
  - Fortinet_Factory2—This certificate is embedded in the hardware at the factory and is unique to this unit. It has been signed by a proper CA.
  - Fortinet_Firmware—This certificate is embedded in the firmware and is the same on every unit (not unique). It has been signed by a proper CA. It is not recommended to use it for server-type functionality since any other unit could use this same certificate to spoof the identity of this unit.
- Select one of the 802.1x certificate authority (CA) options:
  - Entrust_802.1x_CA—Select this CA if you are using 802.1x authentication.
  - Entrust_802.1x_G2_CA—Select this CA if you want to use the Google Internet Authority G2.
  - Entrust_802.1x_L1K_CA—Select this CA if you want to use http://ocsp.entrust.net.
  - Fortinet_CA—Select this CA if you want to use the factory-installed certificate.
  - Fortinet_CA2—Select this CA if you want to use the factory-installed certificate.
- Select one of the GUI HTTPS certificate options:
  - Entrust_802.1x—This certificate is embedded in the firmware and is the same on every unit (not unique). It has been signed by a public CA.
  - Fortinet_Factory—This certificate is embedded in the hardware at the factory and is unique to this unit. It has been signed by a proper CA.
  - Fortinet_Factory2—This certificate is embedded in the hardware at the factory and is unique to this unit. It has been signed by a proper CA.
  - Fortinet_Firmware—This certificate is embedded in the firmware and is the same on every unit (not unique). It has been signed by a proper CA. It is not recommended to use it for server-type functionality since any other unit could use this same certificate to spoof the identity of this unit.
- Select Update.
Using the CLI:
config system global
    set strong-crypto {enable | disable}
    set 802.1x-certificate {Entrust_802.1x | Fortinet_Factory | Fortinet_Factory2 | Fortinet_Firmware}
    set 802.1x-ca-certificate {Entrust_802.1x_CA | Entrust_802.1x_G2_CA | Entrust_802.1x_L1K_CA | Fortinet_CA | Fortinet_CA2}
    set admin-server-cert {self-sign | Entrust_802.1x | Fortinet_Factory | Fortinet_Factory2 | Fortinet_Firmware}
end
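To check these settings across saved configurations, the following added example (not Fortinet code) parses the `config system global` block of a configuration backup and reports disabled strong cryptography and certificates that this page describes as the same on every unit. The function names, the sample configuration, and the policy of flagging Entrust_802.1x alongside Fortinet_Firmware are assumptions of this example.

```python
import re

# Per this page: these certificates are embedded in the firmware and are
# identical on every unit. Flagging both is this example's policy (assumption).
SHARED_CERTS = {"Entrust_802.1x", "Fortinet_Firmware"}
CERT_KEYS = ("802.1x-certificate", "admin-server-cert")

def parse_global(config_text):
    """Return the 'set' key/value pairs found inside 'config system global'."""
    settings, in_block = {}, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system global":
            in_block = True
        elif in_block and line == "end":
            break
        elif in_block:
            m = re.match(r'set\s+(\S+)\s+"?([^"]*)"?$', line)
            if m:
                settings[m.group(1)] = m.group(2).strip()
    return settings

def audit(config_text):
    """Return a list of (key, value, reason) findings."""
    # Only explicitly set values are checked; absent keys use device defaults.
    s = parse_global(config_text)
    findings = []
    if s.get("strong-crypto") == "disable":
        findings.append(("strong-crypto", "disable",
                         "strong cryptography is off for HTTPS and SSH access"))
    for key in CERT_KEYS:
        if s.get(key) in SHARED_CERTS:
            findings.append((key, s[key], "certificate is the same on every unit"))
    return findings

# Constructed sample backup, not taken from a real device.
SAMPLE = """\
config system global
    set admin-server-cert "Fortinet_Firmware"
    set hostname "sw-lab-01"
    set strong-crypto disable
    set 802.1x-certificate Fortinet_Factory
end
"""

if __name__ == "__main__":
    for key, value, reason in audit(SAMPLE):
        print(f"{key} = {value}: {reason}")
```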