Adding SAN Signed Certificates to FortiManager Devices
Overview
TOS requires that all monitored FortiManager devices have a Subject Alternative Name (SAN) signed certificate. Without a SAN signed certificate, SecureTrack will be unable to retrieve dynamic topology information. By default, FortiManager devices do not include a SAN certificate. Therefore, you must add a SAN certificate to each monitored FortiManager device.
Prerequisites
- Certificate (CSR) signed by a Certification Authority (CA).
  - The Host IP and Subject Alternative Name fields must contain the IP or FQDN of the device. If you use an FQDN, you must verify that the reverse DNS lookup matches the FMG IP address.
  - The IP of the device must be resolvable into its DNS A-Record by reverse lookup.
- Key used to generate the certificate.

Both the certificate and key need to be obtained independently from Fortinet.
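
The certificate and key can be checked against these prerequisites before import. The script below is an added example, not part of the original page or of TOS or FortiManager tooling. It assumes the openssl CLI (1.1.1 or later); the function names, file names and the sample addresses fmg.example.test and 192.0.2.10 are made up for illustration. It does not cover the reverse DNS check.

```shell
#!/bin/sh
# Pre-import checks for a FortiManager certificate/key pair (added example).
# Requires the openssl CLI, 1.1.1 or later (for -ext and -addext).

# Print the certificate's SAN entries, one per line (nothing if there is no SAN).
san_entries() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
        tail -n +2 | tr ',' '\n' | sed 's/^ *//'
}

# True if the SAN lists the address as a DNS name or an IP address.
# Exact match only: wildcard SANs and alternate IPv6 spellings are not handled.
# A matching CN alone does not count; the SAN extension must carry the address.
san_has() {
    san_entries "$1" | grep -qxF -e "DNS:$2" -e "IP Address:$2"
}

# True if the private key belongs to the certificate (public keys are equal).
key_matches() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
      "$(openssl pkey -in "$2" -pubout)" ]
}

# Run both checks; returns non-zero on the first failure.
preimport_check() {  # usage: preimport_check CERT KEY ADDRESS
    san_has "$1" "$3" || { echo "FAIL: SAN does not list $3" >&2; return 1; }
    key_matches "$1" "$2" || { echo "FAIL: key does not match cert" >&2; return 1; }
    echo "OK: $1 lists $3 in its SAN and matches $2"
}

# Constructed sample: throwaway self-signed pair for a made-up device address.
make_sample() {  # usage: make_sample DIR SAN_VALUE  (e.g. "DNS:fmg.example.test")
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=fmg.example.test" \
        -addext "subjectAltName=$2" -keyout "$1/fmg.key" -out "$1/fmg.crt" 2>/dev/null
}

# When called with CERT KEY ADDRESS, check that pair.
if [ "$#" -eq 3 ]; then preimport_check "$1" "$2" "$3"; fi
```

Run it as `sh check.sh fmg.crt fmg.key <device IP or FQDN>` with the address SecureTrack uses to reach the device.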
To add the SAN signed certificate to the FortiManager device
- Sign into the FortiManager device as an Administrator.
- In the FortiManager device, go to System Settings > Certificates > Local Certificates, and click Import.
- In the Import dialog box:
  - In the Type field, select Certificate.
  - In the Certificate File and Key File fields, upload the certificate and key.
  - In the Certificate Name field, enter the certificate name.
  - Click OK.
- Go to System Settings > Admin > Admin Settings.
- In the Administration Settings section, under HTTPS & Web Service Certificate, select the certificate from the previous step.
- If the device was already imported into SecureTrack:
  - In SecureTrack, go to Manage Devices.
  - Select the FortiManager device.
  - Click Edit Configuration.
  - Advance to stage 2.
  - Click Retrieve Certificate.