Certificate authorities
A CA is used to sign other server and client certificates. Different CAs can be used for different domains or certificates. For example, an international organization may have a CA for each country, while a smaller organization might have a different CA for each department. One benefit of running multiple CAs is redundancy: if one of the well-known trusted authorities has problems, the others keep issuing and validating certificates.
Once you have created a CA certificate, you can export it to your local computer.
Local CAs
The FortiAuthenticator device can act as a self-signed or local CA.
To view the certificate information, go to Certificate Management > Certificate Authorities > Local CAs.
The following information is shown:

| Item | Description |
| --- | --- |
| Create New | Create a new CA certificate. |
| Import | Import a CA certificate. See Importing CA certificates and signing requests on page 144. |
| Revoke | Revoke the selected CA certificate. |
| Delete | Delete the selected CA certificate. |
| Export | Save the selected CA certificate to your computer. |
| Search | Enter a search term in the search field, then press Enter to search the CA certificate list. The search returns certificates whose subject or issuer matches the term. |
| Filter | Select to filter the displayed CAs by status. The available selections are: All, Pending, Expired, Revoked, and Active. |
| Certificate ID | The CA certificate ID. |
| Subject | The CA certificate subject. |
| Issuer | The issuer of the CA certificate. |
| Status | The status of the CA certificate, either active, pending, or revoked. |
| CA Type | The CA type of the CA certificate. |
To create a CA certificate:
- From the local CA certificate list, select Create New. The Create New Local CA Certificate window opens.
- Enter the following information:

| Field | Description |
| --- | --- |
| Certificate ID | Enter a unique ID for the CA certificate. |
| Certificate Authority Type | |
| Certificate type | Select one of the following options: Root CA certificate (a self-signed CA certificate), Intermediate CA certificate (a CA certificate that refers to a different root CA as the authority), or Intermediate CA certificate signing request (CSR). |
| Certificate authority | Select one of the available CAs from the drop-down list. This field is only available when the certificate type is Intermediate CA certificate. |
| Subject Information | |
| Subject input method | Select the subject input method, either Fully distinguished name or Field-by-field. |
| Fully distinguished name | If the subject input method is Fully distinguished name, enter the full distinguished name of the subject. There should be no spaces between attributes. Valid DN attributes are DC, C, ST, L, O, OU, CN, and emailAddress. They are case-sensitive. |
| Field-by-field | If the subject input method is Field-by-field, enter the subject name in the Name (CN) field, and optionally enter the following fields: Department (OU), Company (O), City (L), State/Province (ST), Country (C) (select from the drop-down list), and E-mail address. |
| Key and Signing Options | |
| Validity period | Select the amount of time before this certificate expires. Select Set length of time to enter a specific number of days, or select Set an expiry date and enter the specific date on which the certificate expires. This option is not available when the certificate type is set to Intermediate CA certificate signing request (CSR). |
| Key type | The key type is set to RSA. |
| Key size | Select the key size from the drop-down list: 1024, 2048, or 4096 bits. |
| Hash algorithm | Select the hash algorithm from the drop-down list, either SHA-1 or SHA256. |
| Subject Alternative Name | SANs allow you to protect multiple host names with a single SSL certificate. SAN is part of the X.509 certificate standard. This section is not available when the certificate type is Intermediate CA certificate signing request (CSR). |
| | Enter the email address of a user to map to this certificate. |
| User Principal Name (UPN) | Enter the UPN used to find the user's account in Microsoft Active Directory. This maps the certificate to that specific user. The UPN is unique within the Windows Server domain, so this is a form of one-to-one mapping. |
| Advanced Options: Key Usages | Some certificates require the explicit presence of extended key usage attributes before the certificate can be accepted for use. |
| Key Usages | Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL Sign, Encipher Only, Decipher Only |
| Extended Key Usages | Server Authentication, Client Authentication, Code Signing, Secure Email, OCSP Signing, IPSec End System, IPSec Tunnel Termination, IPSec User, IPSec IKE Intermediate (end entity), Time Stamping, Microsoft Individual Code Signing, Microsoft Commercial Code Signing, Microsoft Trust List Signing, Microsoft Server Gated Crypto, Netscape Server Gated Crypto, Microsoft Encrypted File System, Microsoft EFS File Recovery, Smart Card Logon, EAP over PPP, EAP over LAN, KDC Authentication |

- Select OK to create the new CA certificate.
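The subject rules in the table above (no spaces between attributes, case-sensitive attribute names, a mandatory Name (CN) plus optional fields) as an added Python example; this is not code from the FortiAuthenticator guide. It assumes the Fully distinguished name is written as comma-separated attr=value pairs with a backslash escaping any comma inside a value (RFC 4514 style), and that the field-by-field order maps to the DN order shown.

```python
import re

# Attribute names the guide lists as valid; the comparison is case-sensitive.
VALID_DN_ATTRS = ("DC", "C", "ST", "L", "O", "OU", "CN", "emailAddress")


def parse_dn(dn):
    """Split a Fully distinguished name into (attr, value) pairs.

    Assumption (not stated in the guide): pairs are comma-separated and a
    comma inside a value is escaped as '\\,' (RFC 4514 style).
    """
    if not dn or dn != dn.strip():
        raise ValueError("DN must not be empty or padded with whitespace")
    pairs = []
    for part in re.split(r"(?<!\\),", dn):  # split on unescaped commas only
        if part != part.strip():
            raise ValueError("no spaces allowed between attributes: %r" % part)
        attr, sep, value = part.partition("=")
        if not sep or not value:
            raise ValueError("expected attr=value, got %r" % part)
        if attr not in VALID_DN_ATTRS:  # 'cn' or 'EMAILADDRESS' are rejected
            raise ValueError("invalid or mis-cased DN attribute %r" % attr)
        pairs.append((attr, value.replace("\\,", ",")))
    # The Field-by-field form makes the Name (CN) mandatory; apply the same rule.
    if not any(attr == "CN" for attr, _ in pairs):
        raise ValueError("subject must contain a CN")
    return pairs


def is_valid_dn(dn):
    """True if parse_dn accepts the string, False otherwise."""
    try:
        parse_dn(dn)
        return True
    except ValueError:
        return False


def build_dn(name, department=None, company=None, city=None, state=None,
             country=None, email=None):
    """Compose the DN string from Field-by-field inputs (CN first, then the
    optional fields in the order the form lists them); commas in values are
    escaped so parse_dn can round-trip the result."""
    fields = [("CN", name), ("OU", department), ("O", company), ("L", city),
              ("ST", state), ("C", country), ("emailAddress", email)]
    return ",".join("%s=%s" % (a, v.replace(",", "\\,")) for a, v in fields if v)
```

Running a candidate subject through parse_dn before pasting it into the form catches the mis-cased or space-separated attributes that the device would otherwise reject.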