Adding SAN signed certificates to FortiManager devices

Overview

TOS requires that all monitored FortiManager devices have a SAN signed certificate. Without a SAN signed certificate, SecureTrack cannot retrieve dynamic topology information. By default, FortiManager devices do not include a SAN certificate, so you need to add one to each monitored FortiManager device.

Prerequisites

  • A certificate issued by a Certification Authority (CA) from your certificate signing request (CSR).

    • The Host IP and Subject Alternative Name fields need to be the IP address of the device.

  • The private key used to generate the CSR.

Both the certificate and the key need to be obtained independently from Fortinet.
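The following script is an added example, not part of the original page or of Tufin's or Fortinet's own tooling. It produces the two prerequisites above (a private key and a CSR whose subjectAltName is the FortiManager IP) and checks the certificate the CA returns before you import it. It assumes openssl is installed; DEVICE_IP and WORKDIR are placeholders, and self_sign_for_demo only stands in for the CA so the check can run offline.

```shell
#!/bin/sh
# Added example, not from the original page: build the prerequisites the procedure
# expects (a key plus a CSR whose SAN is the FortiManager IP) and verify the
# certificate the CA returns before importing it. Assumes openssl is installed;
# DEVICE_IP and WORKDIR are placeholders.
set -eu

DEVICE_IP="${DEVICE_IP:-192.0.2.10}"    # placeholder for the FortiManager IP address
WORKDIR="${WORKDIR:-$(mktemp -d)}"      # where key, CSR and certificate are written

# Generate the private key and a CSR carrying the device IP as CN and as an IP SAN.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORKDIR/fmg.key" -out "$WORKDIR/fmg.csr" \
    -subj "/CN=$DEVICE_IP" -addext "subjectAltName=IP:$DEVICE_IP" 2>/dev/null
}

# Print the SAN line of a certificate with leading whitespace removed (empty if none).
cert_san() {
  openssl x509 -in "$1" -noout -text \
    | awk '/Subject Alternative Name/ { getline; sub(/^[ \t]*/, ""); print; exit }'
}

# Check that the issued certificate lists DEVICE_IP as an IP SAN and matches the key.
# Returns 0 only when both hold, so the import step cannot silently use a
# certificate that SecureTrack will later fail to validate.
verify_cert() {
  cert="$1"; key="$2"
  case ", $(cert_san "$cert"), " in
    *", IP Address:$DEVICE_IP, "*) ;;
    *) echo "SAN of $cert does not contain IP Address:$DEVICE_IP" >&2; return 1 ;;
  esac
  [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] \
    || { echo "$cert was not issued for the key $key" >&2; return 1; }
}

# Offline stand-in for the CA: self-sign the CSR, re-adding the SAN extension because
# "openssl x509 -req" drops CSR extensions unless told to copy them. A real CA signs
# the CSR instead; this exists only so verify_cert can be exercised locally.
self_sign_for_demo() {
  printf 'subjectAltName=IP:%s\n' "$DEVICE_IP" > "$WORKDIR/san.ext"
  openssl x509 -req -in "$WORKDIR/fmg.csr" -signkey "$WORKDIR/fmg.key" -days 365 \
    -extfile "$WORKDIR/san.ext" -out "$WORKDIR/fmg.crt" 2>/dev/null
}

# Stand-alone run: produce the key and CSR to submit to the CA.
make_csr && echo "key: $WORKDIR/fmg.key, CSR: $WORKDIR/fmg.csr (SAN IP:$DEVICE_IP)"
```

Run verify_cert against the certificate your CA returns and the key from make_csr; only a certificate that passes is worth uploading in the Import dialog below.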

To add the SAN signed certificate to the FortiManager device

  1. Sign into the FortiManager device as an Administrator.

  2. In the FortiManager device, go to System Settings > Certificates > Local Certificates, and click Import.

  3. In the Import dialog box:

    1. In the Type field, select Certificate.

    2. In the Certificate File and Key File fields, upload the certificate and key.

    3. In the Certificate Name field, enter the certificate name.

    4. Click OK.

  4. Go to System Settings > Admin > Admin Settings.

  5. In the Administration Settings section, under HTTPS & Web Service Certificate, select the certificate you imported in the previous step.

  6. If the device was already imported into SecureTrack:

    1. In SecureTrack, go to Settings > Monitoring > Manage Devices, select the FortiManager device, and click Edit Configuration.

    2. On page 2, click the Retrieve Certificate button.