Importing a CA
The certificate authority (CA) store is used to authenticate the certificates of other devices. When the FortiADC system is presented a certificate, it examines the CA’s signature, comparing it with the copy of the CA’s certificate that you have imported into the CA store. If they were both made using the same private key, the CA’s signature is genuine, and therefore the client or device’s certificate is legitimate.
You must do one of the following:
Import the certificates of the signing CA and all intermediary CAs to FortiADC’s store of CA certificates.
In all personal certificates, include the full signing chain up to a CA that FortiADC knows in order to prove that the clients’ certificates should be trusted.
If the signing CA is not known, that CA’s own certificate must likewise be signed by one or more other intermediary CAs, until both the FortiADC appliance and the client or device can demonstrate a signing chain that ultimately leads to a mutually trusted (shared “root”) CA that they have in common. Like a direct signature by a known CA, this proves that the certificate can be trusted.
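The two options above can be reproduced offline with the `openssl` command line. This is an added example, not part of the FortiADC documentation: it builds a constructed root CA, intermediate CA and client certificate, and a PEM file stands in for the FortiADC CA store. The function names, file names and subject names are assumptions made for the demo.

```shell
#!/bin/sh
# Constructed demo PKI: root CA -> intermediate CA -> client certificate.
# Every name and file here is made up for the example.
make_demo_pki() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    # Self-signed root CA, plus an unrelated root that signs nothing in this chain.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root CA" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Unrelated Root CA" \
        -keyout "$d/other.key" -out "$d/other.pem" 2>/dev/null
    # Intermediate CA, signed by the root.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 30 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
    # Client certificate, signed by the intermediate.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-client" \
        -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null
    openssl x509 -req -in "$d/client.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 30 -out "$d/client.pem" 2>/dev/null
}

# chain_ok STORE CERT [CHAIN]: exit 0 only if CERT chains to a CA in STORE.
# STORE stands in for the appliance CA store; CHAIN holds intermediates that
# the peer presents together with its certificate (untrusted until verified).
chain_ok() {
    if [ -n "$3" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

report() { if chain_ok "$2" "$3" "$4"; then echo "$1: trusted"; else echo "$1: rejected"; fi; }

demo=$(mktemp -d)
make_demo_pki "$demo"
cat "$demo/root.pem" "$demo/int.pem" > "$demo/store_full.pem"

# Store knows only the root and the client sends a bare certificate: no path.
report "root only, bare certificate" "$demo/root.pem" "$demo/client.pem"
# Option 1: root and intermediate are both imported into the CA store.
report "root + intermediate imported" "$demo/store_full.pem" "$demo/client.pem"
# Option 2: store holds the root; the client presents the intermediate.
report "root only, chain presented" "$demo/root.pem" "$demo/client.pem" "$demo/int.pem"
# A presented chain proves nothing unless it ends at a CA the store knows.
report "unrelated root, chain presented" "$demo/other.pem" "$demo/client.pem" "$demo/int.pem"
rm -rf "$demo"
```

The first and last cases are rejected and the two middle cases are trusted, which is why a missing intermediate CA is the usual cause of a client certificate that fails validation even though the root is already imported.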
Before you begin:
You must have Read-Write permission for System settings.
You must know the URL of an SCEP server or have downloaded the certificate and key files and be able to browse to them so that you can upload them.
To import a CA:
1. Go to System > Certificate > Manage Certificates.
2. Click the CA tab.
3. Click Import to display the configuration editor.
4. Complete the configuration as described in Table 90.
5. Click Import.
Table 90: CA import configuration
Certificate Name: Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces. The maximum length is 35 characters. After you initially save the configuration, you cannot edit the name.
Import Method:
SCEP—Use Simple Certificate Enrollment Protocol. SCEP allows routers and other intermediary network devices to obtain certificates.
File—Upload a file.
Server URL.
CA Identifier: Identifier for a specific CA on the SCEP server.
Local PC: Browse and locate the certificate file that you want to upload.