Skip to content

Fortinet FortiGATE

  1. In the Certificate Manager - SaaS toolbar, click Machines.
  2. On the right, click the More Options menu button for the machine that you want to provision a certificate to, and select Provision.
  3. From the Search a certificate by name, expiration, or fingerprint field, begin typing the certificate name you want to provision. Click the certificate when it appears in the list.

  4. In the VDOM field, select the Virtual Domain where the certificate will be provisioned.

    Multi-VDOM environments

    In multi-VDOM environments, each VDOM maintains its own certificate store. Select the appropriate VDOM for your certificate's intended use.

  5. In the Certificate Name field, enter a unique name for this certificate as you want it to appear on your FortiGATE.

    What if the name is already in use on the FortiGATE?

    When provisioning a certificate to the FortiGATE, Certificate Manager - SaaS checks whether the name you enter in this field is already in use in the selected VDOM.

    • If the name isn't in use, Certificate Manager - SaaS will use it.
    • If the name is in use, Certificate Manager - SaaS will generate a unique name by appending a timestamp.
  6. From the Certificate Type drop-down, select the type of certificate you are provisioning:

    • Local Certificate - For server certificates, client authentication certificates, or signing certificates
  7. From the Binding Type drop-down, select where this certificate will be used:

    • Management Interface (HTTPS Admin) - Certificate for the FortiGATE HTTPS management interface
    • SSL VPN Server Certificate - Certificate for the SSL VPN portal
    • VIP HTTPS Listener - Certificate for virtual IP SSL offloading
    • IPsec Tunnel Identity - Certificate for IPsec VPN tunnel authentication
  8. Depending on your selected binding type, configure the following additional fields:

    Management Interface (HTTPS Admin):

    • VDOM: VDOM where the management certificate will be configured (must match the VDOM from step 4)

    SSL VPN Server Certificate:

    • VDOM: VDOM where the SSL VPN is configured

    VIP HTTPS Listener:

    • VDOM: VDOM where the VIP is configured
    • Resource Name: Enter the name of the Virtual Server to bind this certificate to

    IPsec Tunnel Identity:

    • VDOM: VDOM where the IPsec tunnel is configured
    • Resource Name: Enter the name of the IPsec Tunnel to bind this certificate to
  9. If you don't want the certificate to be pushed when you save, toggle the Push certificate on save slider to Off.

  10. Click Save.

    Want to schedule your provisions?

    Schedule your provisions daily, weekly, or monthly. Learn more

After saving, the certificate is pushed to the FortiGATE device. The binding is updated to use the new certificate, and an installation is created on the Installations tab.

Management certificate session handling

When provisioning a certificate to the Management Interface (HTTPS Admin), the active HTTPS session may be terminated as the FortiGATE applies the new certificate. This is expected behavior. Certificate Manager - SaaS handles this gracefully and confirms the certificate was successfully applied.

Certificate chain handling

Certificate chain CAs are automatically uploaded to the CA certificate store separately from the certificate itself, ensuring proper chain validation.