Skip to content

Fortinet FortiWeb

This feature is in Preview

This feature is currently available as a Preview and is not yet generally available (GA). Functionality and behavior may change before GA.

Provision a certificate from Certificate Manager - SaaS to a Fortinet FortiWeb Web Application Firewall for the management interface, a server policy, an SNI domain, or the certificate store.

Before you can provision, the FortiWeb must already exist as a machine in Certificate Manager - SaaS. If you haven't done that yet, create the FortiWeb machine first.

  1. Click Installations > Machines.
  2. On the right, click the More Options menu button for the machine that you want to provision a certificate to, and select Provision.
  3. From the Search a certificate by name, expiration, or fingerprint field, begin typing the certificate name you want to provision. Click the certificate when it appears in the list.

  4. In the ADOM (Administrative Domain) field, enter the ADOM where the certificate will be provisioned. Leave this field blank for global or single-domain mode.

    Multi-ADOM environments

    In multi-ADOM environments, each ADOM maintains its own certificate store. Enter the ADOM name that matches the server policy or SNI group you want to bind the certificate to.

  5. In the Certificate Name field, enter a unique name for this certificate as you want it to appear on your FortiWeb.

    What if the name is already in use on the FortiWeb?

    When provisioning a certificate to the FortiWeb, Certificate Manager - SaaS checks whether the name you enter in this field is already in use in the selected ADOM.

    • If the name isn't in use, Certificate Manager - SaaS will use it.
    • If the name is in use, Certificate Manager - SaaS will generate a unique name by appending the current date and a short serial number suffix.

    Certificate name rules

    FortiWeb certificate names are limited to alphanumeric characters, underscores, and hyphens, with a maximum length of 35 characters. Any characters that fall outside these rules are removed automatically, and spaces are replaced with underscores.

  6. From the Certificate Type drop-down, select the type of certificate you are provisioning:

    • Local (Server Certificate) - For server certificates used for TLS termination on server policies, SNI bindings, or the management interface.
  7. From the Binding Type drop-down, select where this certificate will be used:

    • Management Interface (Admin HTTPS) - Certificate for the FortiWeb management interface (admin GUI and REST API)
    • Server Policy (Reverse Proxy) - Certificate used for TLS termination on a reverse-proxy server policy
    • SNI Certificate - Per-domain certificate within an SNI group for multi-domain hosting on a single virtual server
    • Unbound (Not Assigned) - Upload the certificate to the FortiWeb store without binding it to any policy or service

    Discovery-only binding types

    The CA Certificate binding type shown in discovery results is not available for provisioning. Certificate Manager - SaaS discovers CA certificates used for client certificate validation and backend origin verification but does not provision them because the CA private key is not managed by Certificate Manager - SaaS.

  8. Depending on your selected binding type, configure the following additional fields:

    Management Interface (Admin HTTPS):

    • No additional fields are required. The certificate is set on the appliance's global https-certificate setting.

    Server Policy (Reverse Proxy):

    • Server Policy: Select the server policy that will use this certificate for TLS termination. The drop-down is populated from the server policies defined in the selected ADOM.

    SNI Certificate:

    • SNI Group: Select the SNI group that contains the domain you want to bind the certificate to. The drop-down is populated from the SNI groups defined in the selected ADOM.
    • SNI Domain Name: Enter the exact domain name of the SNI group member you want to update. The domain must already exist as a member of the selected SNI group; Certificate Manager - SaaS updates the existing member rather than creating a new one.

    Unbound (Not Assigned):

    • No additional fields are required. The certificate is uploaded to the certificate store without any binding.
  9. If you don't want the certificate to be pushed when you save, toggle the Push certificate on save slider to Off.

  10. Click Save.

    Want to schedule your provisions?

    Schedule your provisions daily, weekly, or monthly. Learn more

After saving, the certificate is pushed to the FortiWeb appliance. The certificate and any intermediate certificates in the chain are uploaded together to the local certificate store, and the binding is updated to use the new certificate. An installation is created on the Installations tab.

Management certificate session handling

When provisioning a certificate to the Management Interface (Admin HTTPS), the active HTTPS session is terminated as the FortiWeb applies the new certificate. This is expected behavior. Certificate Manager - SaaS handles the transport-level drop gracefully and confirms the certificate was successfully applied.

Previous certificates are retained

After provisioning, previous certificates remain in the FortiWeb certificate store. Certificate Manager - SaaS uploads the new certificate under a unique name and updates the binding to reference it, but does not delete the old certificate. If your certificate store accumulates unused certificates over time, remove them manually from the FortiWeb console.

Certificate chain handling

The certificate chain is bundled with the leaf certificate and uploaded to the local certificate store as a single PEM file. Intermediate certificates in the chain are not uploaded separately to the Intermediate CA store.