FortiClient
mforbes
Staff
Article Id 191646
Description
This article shows how to automatically distribute the FortiGate's SSL CA Certificate via FortiClient EMS. Preventing the "Security Certificate error" or "Connection is untrusted" messages when accessing the Internet generally requires manually importing the FortiGate's SSL CA Proxy Certificate on the PC.

Scope
FortiClient Enterprise Management System
FortiClient 5.4.1 - 5.6.6
FortiOS 5.41- 6.x

Solution
Import Certificate to EMS

On FortiGate

Verify that the FortiGate's "Fortinet_CA_SSLProxy" Certificate is displayed under System\Certificates\Local CA Certificates.



On EMS

Go to Administration\CA Certificate Management.
Click "Import".

1) In the pop-up window, add the following:
   - IP address/Hostname
   - VDOM
   - Username
   - Password
2) Click on "Import".



Add Certificate to User's Profile

Go to Endpoint Profiles\Manage Profiles

1) Select and Edit Profile.
2) Select the System Settings Tab.
3) Scroll down to the "Other" Section.
4) Enable "Install CA Certificate on Client".
5) A list of the imported CA Certificates is displayed.
6) Select the Certificate to push to the Endpoint.
7) Click "Save".

The "Fortinet_CA_SSLProxy" Certificate will be downloaded by the FortiClient Endpoint in its next keep-alive cycle (usually every 60 seconds).

Verify Certificate installation

1) Start\Run  ->  enter "mmc"
2) Click File\Add/Remove Snap-in...
3) In the "Add or Remove Snap-ins" window, select Certificates.
4) Click "Add".
5) Select "My user account".
6) Click "Finish".
7) Click "OK".   (You will see it opens "Certificates - Current User")
8) Expand "Trusted Root Certification Authorities".
9) Click "Certificates".
10) Locate the Certificate with the FortiGate's Serial Number in the list.
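
The same verification can be scripted instead of clicking through MMC. The following PowerShell is an added example, not part of the original article or Fortinet's tooling: the function name, the placeholder serial number and the optional expected thumbprint are assumptions, as is the premise that the FortiGate's serial number appears in the certificate Subject. It also reports whether the certificate is a CA certificate, is within its validity period, and matches a thumbprint copied from the FortiGate.

```powershell
# Added example: values below are placeholders, not taken from the article.
function Test-SslProxyCaInstalled {
    [CmdletBinding()]
    param(
        # FortiGate serial number as shown on the unit (placeholder in the call below).
        [Parameter(Mandatory)] [string] $FortiGateSerial,
        # Optional: thumbprint copied from the certificate on the FortiGate itself.
        [string] $ExpectedThumbprint,
        # Same store the MMC steps open: Current User > Trusted Root Certification Authorities.
        [string] $StorePath = 'Cert:\CurrentUser\Root'
    )

    $now  = Get-Date
    $want = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    # Assumption: the serial number appears in the certificate Subject ("Issued To").
    $found = @(Get-ChildItem -Path $StorePath |
        Where-Object { $_.Subject -like "*$FortiGateSerial*" })

    if ($found.Count -eq 0) {
        Write-Warning "No certificate matching '$FortiGateSerial' in $StorePath"
        return
    }

    foreach ($cert in $found) {
        # A usable SSL-inspection CA must carry BasicConstraints with CA = true.
        $bc = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
        }
        [pscustomobject]@{
            Subject         = $cert.Subject
            Thumbprint      = $cert.Thumbprint
            NotAfter        = $cert.NotAfter
            InValidity      = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
            IsCA            = [bool]($bc -and $bc.CertificateAuthority)
            # $null when no expected thumbprint was supplied.
            ThumbprintMatch = if ($want) { $cert.Thumbprint -eq $want } else { $null }
        }
    }
}

# Constructed placeholder serial; replace with the serial of your own FortiGate.
Test-SslProxyCaInstalled -FortiGateSerial 'FGT-SERIAL-PLACEHOLDER'
```

Because a trusted root CA can sign certificates for any site, supplying -ExpectedThumbprint confirms that the certificate in the store is the one taken from the intended FortiGate and not another certificate with a similar subject.
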
References


Further information on stopping the "Connection is untrusted" message is available here.

Further information is available in the FortiClient EMS Administration Guide which can be found here.


Further information about avoiding certificate warning messages in SSL inspection is available here.

