FortiPAM
FortiPAM allows you to protect, isolate and secure privileged account credentials, manage and control privileged user access, and monitor and record privileged account activity.
Sheikh
Staff
Article Id 290889
Description This article describes how to add an HTTPS certificate in FortiPAM for administrative access.
Scope

Any supported version of FortiPAM.

Solution

This article will use the following Fortinet products:

 

FortiPAM: Firmware version 1.1.2 

FortiAuthenticator: Firmware version 6.5.2 (FortiAuthenticator will be used to sign the CSR generated on FortiPAM. It can be replaced with any other PKI environment, e.g. Microsoft Certificate Server or any other internal or external CA).

 

  • Log in to FortiPAM -> System -> Certificates -> Expand Create/Import -> Generate CSR.

 

CSR generation - 1.png

 

  • Here, IP is used in ID Type, but a Domain Name can be used as well.

 

CSR Information.png

 

  • After filling the required information, select OK to create a CSR request.
  • Once the CSR is generated, double-click on it and download the CSR. This file will be sent to the CA, which will sign it and a certificate will be generated. The certificate will be imported to FortiPAM later.
  • Log in to FortiAuthenticator and expand Certificate management -> End Entities -> Users. On the right-hand side, select Import.

 

FAC -Import CSR.png

 

FAC -CSR information.png

 

  • After filling in the required information, select Import.

 

Certificate Export from FAC.png

 

  • Once the certificate is ready, select the recently created certificate and select 'Export Certificate'. This will download a certificate, which will then be imported in FortiPAM.
  • Next, log in to FortiPAM and expand System -> Certificates. Check that the Status of the CSR 'FortiPAM_HTTPS' still shows 'Pending', because the certificate has not yet been imported into FortiPAM.

 

Certificate import- FortiPAM.png

 

  • Select Create/Import and select Certificate.

 

FortiPAM Import Certificate.png

 

Select Certificate and click Create.png

 

  • Select the certificate recently downloaded from FortiAuthenticator, then select Create and select OK to finalize the import of the certificate. 

 

Certificate Valid and Imported.png

 

  • The certificate imports successfully, but it is not yet assigned to the administrative interface. Log in to the FortiPAM CLI, run 'config system global' and set admin-server-cert to the imported certificate.

 

Set Certificate - admin access.png

      

After changing admin-server-cert, the same certificate also needs to be set on the access-proxy VIP:

 

config firewall vip
    edit "fortipam_vip"
        set uuid b1040....
        set type access-proxy
        set extip 10.191.x.x
        set extintf "port1"
        set server-type https
        set extport 443
        set ssl-certificate "FortiPAM_HTTPS"
    next
end

 

  • The certificate is now added to FortiPAM. The next step is to import the CA certificate into FortiPAM. Here, the FortiAuthenticator CA certificate is being added; in general, add the CA certificate that signed this FortiPAM certificate.

 

Note: If there are multiple CAs in the environment, e.g. Root CA -> Intermediate CAs, all of the CAs must be imported into FortiPAM and also onto the client machine from which the FortiPAM GUI is opened. In short: the CA chain must be complete on both FortiPAM and the client machine, as an incomplete chain leads to certificate errors in browsers.

 

  • The subject must contain the address the end station is able to resolve.
  • Google Chrome and Microsoft Edge use the built-in Windows certificate store, while Mozilla Firefox has its own certificate store.
  • Next, export the RootCA certificate from FortiAuthenticator and then import it into FortiPAM.

 

Export CA certificate - FAC.png

 

  • Next, go to FortiPAM and expand System -> Certificates. On the right-hand side, select Create/Import and select CA Certificate. Select File and upload the Root CA certificate. This adds the Root CA under the 'Remote CA Certificate' list.

 

Import Root CA file.png

 

RootCA Added.png

 

  • Now that the certificate is imported, check the certificate status by opening the FortiPAM GUI in Google Chrome and inspecting the certificate presented by the site.

 

Certificate Check in Chrome.png

 

Note: The 'RootCA' certificate must be trusted by the client machine. It has to be imported to the Trusted Root certificate authority store of the browser or Operating System.
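The two checks a browser performs when it opens the FortiPAM GUI (is the chain complete up to a trusted root, and does the certificate's subject alternative name match the address the client resolved) can be reproduced with openssl before touching any client. The script below is an added example, not part of this article or of any Fortinet product: it builds a throw-away Root CA -> Intermediate CA -> server chain with constructed names and the constructed IP 10.191.0.10, then shows the same chain passing, failing when the intermediate is missing, and failing when the address does not match the SAN. It assumes openssl 1.1.1 or later is installed.

```shell
#!/usr/bin/env bash
# Added example: reproduce the browser's chain and SAN checks with openssl.
# All CA names, keys and the IP address below are constructed test data.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

make_test_chain() {
  # Self-signed Root CA (default req -x509 extensions mark it CA:TRUE)
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Test Root CA" -keyout root.key -out root.pem 2>/dev/null
  # Intermediate CA, signed by the Root CA
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate CA" \
    -keyout inter.key -out inter.csr 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > inter.ext
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 1825 -extfile inter.ext -out inter.pem 2>/dev/null
  # Server certificate for FortiPAM; the SAN carries the IP the end station resolves
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=FortiPAM_HTTPS" \
    -keyout fortipam.key -out fortipam.csr 2>/dev/null
  printf 'subjectAltName=IP:10.191.0.10\nextendedKeyUsage=serverAuth\n' > leaf.ext
  openssl x509 -req -in fortipam.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -days 365 -extfile leaf.ext -out fortipam.pem 2>/dev/null
}

# check_cert <server cert> <trusted root> <intermediates file or ""> <address>
# Returns 0 only if the chain verifies up to the root AND the address matches the SAN.
# An IP address is checked with -verify_ip, anything else with -verify_hostname.
check_cert() {
  local cert="$1" root="$2" inters="$3" addr="$4" opt
  if printf '%s' "$addr" | grep -Eq '^[0-9]+(\.[0-9]+){3}$'; then
    opt="-verify_ip"
  else
    opt="-verify_hostname"
  fi
  if [ -n "$inters" ]; then
    openssl verify -CAfile "$root" -untrusted "$inters" "$opt" "$addr" "$cert" >/dev/null 2>&1
  else
    openssl verify -CAfile "$root" "$opt" "$addr" "$cert" >/dev/null 2>&1
  fi
}

make_test_chain
check_cert fortipam.pem root.pem inter.pem 10.191.0.10 && echo "full chain, matching IP: OK"
check_cert fortipam.pem root.pem "" 10.191.0.10 || echo "intermediate missing: browser error"
check_cert fortipam.pem root.pem inter.pem 10.191.0.99 || echo "SAN mismatch: browser error"
```

Against a live FortiPAM, the same check_cert function can be fed the certificate and chain captured with 'openssl s_client -connect <address>:443 -showcerts', together with the Root CA exported from FortiAuthenticator.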

 

Related articles:

Technical Tip: TLS and the use of Digital Certificates.

Certificates - FortiPAM Administration Guide.