Adding SAN Signed Certificates to FortiManager Devices

Overview

TOS requires that all monitored FortiManager devices have a Subject Alternative Name (SAN) signed certificate. Without a SAN signed certificate, SecureTrack will be unable to retrieve dynamic topology information. By default, FortiManager devices do not include a SAN certificate. Therefore, you must add a SAN certificate to each monitored FortiManager device.

Prerequisites

  • Certificate (CSR) signed by a Certification Authority (CA).

    • The Host IP and Subject Alternative Name fields must contain the IP or FQDN of the device. If you use a FQDN, you must verify that the reverse DNS lookup matches the FMG IP address.

    • The IP of the device must be resolvable into its DNS A-Record by reverse lookup.

  • Key used to generate the certificate.

Both the certificate and key need to be obtained independently from Fortinet

Add SAN Signed Certificate

  1. Sign into the FortiManager device as an Administrator.

  2. In the FortiManager device, go to System SettingsCertificates > Local Certificates, and click Import.

  3. In the Import dialog box:

    1. In the Type field, select Certificate.

    2. In the Certificate File and Key File fields, upload the certificate and key.

    3. In the Certificate Name field, enter the certificate name.

    4. Click OK.

  4. Go to System SettingsAdmin > Admin Settings.

  5. In Administration Settings section > HTTPS & Web Service Certificate, select the certificate from the previous step.

  6. If the device was already imported into SecureTrack:

    1. In SecureTrack, go to the Manage Devices

    2. Select the Fortimanager device

    3. Click Edit Configuration

    4. Advance to stage 2.

    5. Click Retrieve Certificate