Uploading trusted CAs’ certificates
In order to authenticate other devices’ certificates, FortiRecorder keeps a store of trusted CAs’ certificates. Until you upload at least one CA certificate, FortiRecorder knows and trusts no CA, so it cannot validate any other client’s or device’s certificate, and every secure connection that depends on such validation will fail.
 
FortiRecorder may require you to upload certificates and CRLs even if you do not use HTTPS.
For example, when sending alert email via SMTPS, or querying an authentication server via LDAPS, FortiRecorder will validate the server’s certificate by comparing the server certificate’s CA signature with the certificates of CAs that are known and trusted by the FortiRecorder appliance.
Certificate authorities (CAs) validate and sign others’ certificates. When FortiRecorder needs to know whether a client’s or device’s certificate is genuine, it examines the CA’s signature on that certificate and checks it against the copy of the CA’s certificate that you uploaded, to determine whether the signature was made with the private key that matches the public key in the CA’s certificate. If it was, the CA’s signature is genuine, and therefore the client’s or device’s certificate is legitimate.
If the signing CA is not known, that CA’s own certificate must likewise be signed by one or more other intermediary CAs, until both the FortiRecorder appliance and the client or device can demonstrate a signing chain that ultimately leads to a mutually trusted (shared “root”) CA that they have in common. Like a direct signature by a known CA, this proves that the certificate can be trusted. For more information on how to include a signing chain, see “Uploading & selecting to use a certificate”.
To upload a CA’s certificate
1. Obtain a copy of your CA’s certificate file.
If you are using a commercial CA, your web browser should already contain a copy in its CA trust store. Export a copy of the file to your desktop or other folder.
If you are using your own private CA, download a copy from your CA’s server. See “Example: Downloading the CA’s certificate from Microsoft Windows 2003 Server”.
 
Verify that your private CA’s certificate file does not contain its private key (a PEM file should contain only CERTIFICATE blocks, never a PRIVATE KEY block). Disclosure of the private key compromises the security of your network, and will require you to revoke and regenerate all certificates signed by that CA.
2. Go to System > Certificate > CA Certificate.
To view the selected certificate’s issuer, subject, and range of dates within which the certificate is valid, click a certificate’s row to select it, then click View.
3. Click Import.
A dialog appears.
4. In Certificate name, type a name for the certificate that can be referenced by other parts of the configuration. Do not use spaces or special characters. The maximum length is 35 characters.
5. Next to Certificate file, click the Browse button and select your CA’s certificate file.
6. Click OK.
Time required to upload the file varies by the size of the file and the speed of your network connection.
7. To test your configuration, cause your appliance to initiate a secure connection to an LDAPS server (see “To configure an LDAP query” and “To configure an account”).
If the query fails, verify that your CA is the same one that signed the LDAP server’s certificate, and that its certificate’s extensions indicate that the certificate can be used to sign other certificates. Verify that both the appliance and LDAP server support the same cipher suites and SSL/TLS protocols. Also verify that your routers and firewalls are configured to allow the connection.
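The checks from step 1 (no private key in the file) and step 7 (the CA is the one that signed the LDAP server’s certificate, and its extensions allow it to sign certificates) can be scripted before uploading. The following POSIX shell script is an added example, not part of the FortiRecorder documentation; it assumes the openssl command-line tool is installed, and the root CA, LDAPS server certificate and key-bearing bundle it tests against are constructed throwaway material.

```shell
# Added example: pre-upload checks for a CA certificate file with the openssl
# CLI (assumed installed): no private key in the file, the certificate may sign
# other certificates, and it is the CA that signed the server (LDAPS) certificate.
# Succeeds if no PEM private-key block is present in the file.
check_no_private_key() {
    ! grep -q 'PRIVATE KEY' "$1"
}

# Succeeds if the certificate is a CA permitted to sign certificates
# (basicConstraints CA:TRUE and keyUsage including keyCertSign).
check_is_signing_ca() {
    text=$(openssl x509 -in "$1" -noout -text) || return 1
    printf '%s\n' "$text" | grep -q 'CA:TRUE' &&
        printf '%s\n' "$text" | grep -q 'Certificate Sign'
}

# Succeeds if the server certificate ($2) chains to the CA file ($1).
check_signed_by_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Constructed demo material: a throwaway root CA, a server certificate it signs,
# and a bundle that wrongly includes the CA's private key (the negative case).
make_demo_pki() {
    dir="$1"
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Demo Root CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    key='ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes'
    openssl req -x509 -config "$dir/ca.cnf" -newkey $key -days 1 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
    openssl req -new -config "$dir/ca.cnf" -subj '/CN=ldap.example.test' -newkey $key \
        -keyout "$dir/ldap.key" -out "$dir/ldap.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/ldap.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -out "$dir/ldap.crt" 2>/dev/null || return 1
    cat "$dir/ca.crt" "$dir/ca.key" > "$dir/ca-with-key.pem"
}

# Demo run on the constructed files (expected: ca.crt passes, ca-with-key.pem fails).
demo=$(mktemp -d) && make_demo_pki "$demo"
for f in ca.crt ca-with-key.pem; do check_no_private_key "$demo/$f" && echo "$f: ok" || echo "$f: has private key"; done
```

Against a real file, run the three checks on the CA certificate you intend to upload and on the LDAP server’s certificate instead of the demo material.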
See also
Revoking certificates
User management