How to check external CA store on FortiGate

Didn’t find a lot of information on how to view the Fortinet-approved CA store, so I thought I’d make a post about it.
This is the command to check the store (details can be omitted).

Note that the command differs depending on whether the unit is running VDOM:
– With VDOM: get certificate ca details
– Without VDOM: get vpn certificate ca details

FGXKXXXXXXXXXX# config global
FGXKXXXXXXXXXX(global) # get certificate ca details
== [ ACCVRAIZ1 ]
Name: ACCVRAIZ1
Subject: CN = ACCVRAIZ1, OU = PKIACCV, O = ACCV, C = ES
Issuer: CN = ACCVRAIZ1, OU = PKIACCV, O = ACCV, C = ES
Valid from: 2011-05-05 09:37:37 GMT
Valid to: 2030-12-31 09:37:37 GMT
Fingerprint: D0:A0:5A:EE:05:B6:09:94:21:A1:7D:F1:B2:29:82:02
Serial Num: 5e:c3:b7:a6:43:7f:a4:e0
== [ ACEDICOM_Root ]
Name: ACEDICOM_Root
Subject: CN = ACEDICOM Root, OU = PKI, O = EDICOM, C = ES
Issuer: CN = ACEDICOM Root, OU = PKI, O = EDICOM, C = ES
Valid from: 2008-04-18 16:24:22 GMT
Valid to: 2028-04-13 16:24:22 GMT
Fingerprint: 42:81:A0:E2:1C:E3:55:10:DE:55:89:42:65:96:22:E6
Serial Num: 61:8d:c7:86:3b:01:82:05

You can also view a specific CA certificate by appending its name to the command; replace any spaces in the name with underscores.

FGXKXXXXXXXXXX (global) # get certificate ca details DigiCert_Global_Root_CA
== [ DigiCert_Global_Root_CA ]
Name: DigiCert_Global_Root_CA
Subject: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
Valid from: 2006-11-10 00:00:00 GMT
Valid to: 2031-11-10 00:00:00 GMT
Fingerprint: 79:E4:A9:84:0D:7D:3A:96:D7:C0:4F:E2:43:4C:89:2E
Serial Num: 08:3b:e0:56:90:42:46:b1:a1:75:6a:c9:59:91:c7:4
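
Added example (not part of the original post and not Fortinet code): a small Python parser for the "== [ name ]" blocks shown above, which compares each entry against a baseline recorded earlier from a known-good unit and flags CAs that are unknown, changed, missing or close to expiry. The function names, the baseline dictionary and the 365-day warning window are assumptions; the sample is abridged from the output above.

```python
import re
from datetime import datetime, timezone

# Sample input: first two entries from the post's output, abridged.
SAMPLE = """FGXKXXXXXXXXXX(global) # get certificate ca details
== [ ACCVRAIZ1 ]
Name: ACCVRAIZ1
Subject: CN = ACCVRAIZ1, OU = PKIACCV, O = ACCV, C = ES
Valid to: 2030-12-31 09:37:37 GMT
Fingerprint: D0:A0:5A:EE:05:B6:09:94:21:A1:7D:F1:B2:29:82:02
== [ ACEDICOM_Root ]
Name: ACEDICOM_Root
Subject: CN = ACEDICOM Root, OU = PKI, O = EDICOM, C = ES
Valid to: 2028-04-13 16:24:22 GMT
Fingerprint: 42:81:A0:E2:1C:E3:55:10:DE:55:89:42:65:96:22:E6
"""

HEADER = re.compile(r"^==\s*\[\s*(.+?)\s*\]\s*$")  # '== [ name ]' starts an entry
FIELD = re.compile(r"^([A-Za-z ]+?):\s*(.*)$")     # 'Key: value', split at first colon

def parse_ca_details(text):
    """Return one dict per '== [ name ]' block of the CLI output."""
    certs = []
    for line in text.splitlines():
        line = line.strip()
        if (m := HEADER.match(line)):
            certs.append({"Entry": m.group(1)})
        elif certs and (m := FIELD.match(line)):  # ignore prompt lines before first entry
            certs[-1][m.group(1).strip()] = m.group(2).strip()
    return certs

def audit(certs, baseline, now, warn_days=365):
    """Compare parsed entries with a known-good {name: fingerprint} baseline."""
    findings = []
    for c in certs:
        name, fp = c["Entry"], c.get("Fingerprint", "").upper()
        if name not in baseline:
            findings.append((name, "not in baseline"))
        elif baseline[name].upper() != fp:
            findings.append((name, "fingerprint changed"))
        expiry = datetime.strptime(c["Valid to"], "%Y-%m-%d %H:%M:%S GMT")
        days_left = (expiry.replace(tzinfo=timezone.utc) - now).days
        if days_left < 0:
            findings.append((name, "expired"))
        elif days_left < warn_days:
            findings.append((name, f"expires within {warn_days} days"))
    present = {c["Entry"] for c in certs}
    findings += [(n, "missing from unit") for n in sorted(set(baseline) - present)]
    return findings
```

Save the CLI session to a text file, pass its contents to parse_ca_details(), and call audit() with your own baseline and datetime.now(timezone.utc).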

Hope someone finds this useful. :)
