Importing CA certificates and signing requests
Four options are available when importing a certificate or signing request: PKCS12 Certificate, Certificate and Private Key, CSR to sign, and Local certificate.
To import a PKCS12 certificate:
- From the local CA certificate list, select Import. The Import Signing Request or Local CA Certificate window opens.
- Select PKCS12 Certificate in the type field.
- Enter the following:
Certificate ID | Enter a unique ID for the certificate. |
PKCS12 certificate file (.p12) | Select Browse… to locate the certificate file on your computer. |
Passphrase | Enter the certificate passphrase. |
Initial serial number | Select the serial number radix, either decimal or hex, in the Serial number radix field, then enter the initial serial number in the Initial serial number field. |
- Select OK to import the certificate.
To import a certificate with a private key:
- From the local CA certificate list, select Import. The Import Signing Request or Local CA Certificate window opens.
- Select Certificate and Private Key in the type field.
- Enter the following:
Certificate ID | Enter a unique ID for the certificate. |
Certificate file (.cer) | Select Browse… to locate the certificate file on your computer. |
Private key file | Select Browse… to locate the private key file on your computer. |
Passphrase | Enter the passphrase that protects the private key file. |
Initial serial number | Select the serial number radix, either decimal or hex, in the Serial number radix field, then enter the initial serial number in the Initial serial number field. |
- Select OK to import the certificate.
To import a CSR to sign:
- From the local CA certificate list, select Import. The Import Signing Request or Local CA Certificate window opens.
- Select CSR to sign in the type field.
- Enter the following:
Certificate ID | Enter a unique ID for the certificate. |
CSR file (.csr, .req) | Select Browse… to locate the CSR file on your computer. |
Certificate Signing Options |
Certificate authority | Select one of the available CAs from the drop-down list. |
Validity period | Select the amount of time before this certificate expires. Select Set length of time to enter a specific number of days, or select Set an expiry date and enter the specific date on which the certificate expires. |
Hash algorithm | Select the hash algorithm from the drop-down list, either SHA-1 or SHA256. Use SHA256: SHA-1 is no longer collision resistant, and current browsers and operating systems reject certificates signed with it. |
Subject Alternative Name | This section is not available if the certificate type is Intermediate CA certificate signing request (CSR). |
Email | Enter the email address of a user to map to this certificate. |
User Principal Name (UPN) | Enter the UPN used to find the user’s account in Microsoft Active Directory. This maps the certificate to that specific user. The UPN is unique within the Windows Server domain, so this is a form of one-to-one mapping. |
- Select OK to import the CSR.
To import a local CA certificate:
- From the local CA certificate list, select Import. The Import Signing Request or Local CA Certificate window opens.
- Select Local certificate in the type field.
- Select Browse… in the Certificate file (.cer) field to locate the certificate file on your computer.
- Select OK to import the local CA certificate.
CRLs
A CRL is a file that contains a list of revoked certificates, their serial numbers, and their revocation dates. The file also contains the name of the issuer of the CRL, the effective date, and the next update date. By default, the shortest validity period of a CRL is one hour.
Some potential reasons for certificates to be revoked include:
- A CA server was hacked and its certificates are no longer trustworthy.
- A single certificate was compromised and is no longer trustworthy.
- A certificate has expired and is not supposed to be used past its lifetime.
Go to Certificate Management > Certificate Authorities > CRLs to view the CRL list.
The following actions and columns are available:
Import | Import a CRL. |
Export | Save the selected CRL to your computer. |
CA Type | The CA type of CRL. |
Issuer name | The name of the issuer of the CRL. |
Subject | The CRL’s subject. |
Revoked Certifications | The number of revoked certificates in the CRL. |
To import a CRL:
- Download the most recent CRL from a CDP. One or more CDPs are usually listed in the certificate's CRL Distribution Points extension, shown under the Details tab when you view the certificate.
- From the CRL list, select Import.
- Select Browse… to locate the CRL file on your computer, then select OK to import the list.
When successful, the CRL will be displayed in the CRL list on the FortiAuthenticator device. You can select it to see the details (see To view certificate details: on page 140).
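What a CRL import actually consumes, as an added example that is not FortiAuthenticator's own code: a standard-library-only Python parser for a DER-encoded CertificateList (RFC 5280) that extracts the issuer, thisUpdate, nextUpdate and the revoked serial numbers, followed by a revocation check that refuses to trust a CRL past its nextUpdate. The sample CRL, its issuer name "Example Local CA", the serials and the dates are constructed in the file; its signature bytes are a placeholder, so signature verification (which the importing device performs against the issuing CA) is deliberately out of scope here.

```python
"""Minimal DER parser for an X.509 CRL plus a fail-closed revocation check.
Standard library only. The sample CRL is constructed below with a placeholder
signature; verify real CRL signatures with your CA tooling."""
from datetime import datetime, timezone

# --- tiny DER encoder, used only to construct the sample CRL -----------------
def der(tag, body):
    n = len(body)
    if n < 0x80:
        ln = bytes([n])
    else:                                   # long-form length
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        ln = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + ln + body

def der_int(n):                             # non-negative INTEGER, minimal encoding
    return der(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def der_oid(dotted):                        # OBJECT IDENTIFIER, base-128 arcs
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += reversed(chunk)
    return der(0x06, bytes(out))

def utc(s):                                 # UTCTime such as "240401000000Z"
    return der(0x17, s.encode("ascii"))

def build_sample_crl():
    """Constructed sample (not a real CA's output): a v2 CRL from
    'Example Local CA' revoking serials 0x1001 and 0x1003, valid from
    2024-04-01 00:00 to 2024-04-02 00:00 UTC. Signature is 32 zero bytes."""
    alg = der(0x30, der_oid("1.2.840.113549.1.1.11") + der(0x05, b""))  # sha256WithRSA
    issuer = der(0x30, der(0x31, der(0x30, der_oid("2.5.4.3") + der(0x13, b"Example Local CA"))))
    entries = b"".join(der(0x30, der_int(s) + utc(t))
                       for s, t in ((0x1001, "240301090000Z"), (0x1003, "240315120000Z")))
    tbs = der(0x30, der_int(1) + alg + issuer + utc("240401000000Z")
              + utc("240402000000Z") + der(0x30, entries))
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 33))   # BIT STRING: 0 unused bits + placeholder

# --- DER decoder and CRL walker ---------------------------------------------
def read_tlv(buf, pos):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + ln > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + ln], pos + ln

def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def parse_time(tag, val):                   # 0x17 UTCTime, 0x18 GeneralizedTime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

OID_NAMES = {der_oid("2.5.4.3")[2:]: "CN", der_oid("2.5.4.10")[2:]: "O", der_oid("2.5.4.6")[2:]: "C"}

def name_to_str(body):                      # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue
    parts = []
    for _, rdn in children(body):
        for _, atv in children(rdn):
            (_, oid), (_, val) = children(atv)[:2]
            parts.append(f"{OID_NAMES.get(oid, 'OID')}={val.decode('utf-8', 'replace')}")
    return ",".join(parts)

def parse_crl(data):
    tag, body, end = read_tlv(data, 0)
    if tag != 0x30 or end != len(data):
        raise ValueError("not a single DER SEQUENCE")
    (_, tbs), _sig_alg, _sig = children(body)   # CertificateList has exactly three members
    f = children(tbs)
    i, version = 0, 1
    if f[0][0] == 0x02:                     # optional version; v2 is encoded as INTEGER 1
        version, i = int.from_bytes(f[0][1], "big") + 1, 1
    i += 1                                  # skip the signature AlgorithmIdentifier
    issuer = name_to_str(f[i][1]); i += 1
    this_update = parse_time(*f[i]); i += 1
    next_update = None
    if i < len(f) and f[i][0] in (0x17, 0x18):
        next_update = parse_time(*f[i]); i += 1
    revoked = {}
    if i < len(f) and f[i][0] == 0x30:      # revokedCertificates
        for _, entry in children(f[i][1]):
            (_, serial), (t, date) = children(entry)[:2]
            revoked[int.from_bytes(serial, "big")] = parse_time(t, date)
    return {"version": version, "issuer": issuer, "this_update": this_update,
            "next_update": next_update, "revoked": revoked}

def check_revocation(crl, serial, now):
    """Return 'revoked', 'good' or 'stale'. A CRL that is not yet valid or is
    past nextUpdate says nothing reliable about current status: fail closed."""
    if now < crl["this_update"] or (crl["next_update"] is not None and now > crl["next_update"]):
        return "stale"
    return "revoked" if serial in crl["revoked"] else "good"
```

Run `parse_crl(build_sample_crl())` to see the fields a CRL viewer shows, then call `check_revocation` with the serial from a user certificate and the current UTC time; the "stale" result is the case to watch for when a CRL is imported by hand and never refreshed.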
Locally created CRLs
When you import a CRL, it is from another authority. If you are creating your own CA certificates, then you can also create your own CRL to accompany them.
As a CA, you sign user certificates. If for any reason you need to revoke one of those certificates, it will go on a local CRL. When this happens you need to export the CRL and distribute it to every system that validates your user certificates (or publish it at a CDP they can reach); until a relying party receives the updated CRL, it will still accept the revoked certificate.
To create a local CRL:
- Create a local CA certificate. See Local CAs on page 140.
- Create one or more user certificates. See End entities on page 133.
- Go to Certificate Management > End Entities > Users, select one or more certificates, and then select Revoke. See To revoke a certificate: on page 139.
The selected certificates will be removed from the user certificate list and a CRL will be created with those certificates as entries in the list. If there is already a CRL for the CA that signed the user certificates, the certificates will be added to the current CRL.
If, at a later date, one or more CAs are deleted, their corresponding CRLs will also be deleted, along with any user certificates that they signed.
Configuring online certificate status protocol
FortiAuthenticator also supports Online Certificate Status Protocol (OCSP), defined in RFC 2560 (since superseded by RFC 6960). To use OCSP, configure the FortiGate unit to use TCP port 2560 on the FortiAuthenticator IP address.
For example, configuring OCSP in the FortiGate CLI for a FortiAuthenticator with an IP address of 172.20.120.16, where REMOTE_Cert_1 is the certificate the FortiGate uses to verify the responder's signed replies, looks like this:
    config vpn certificate ocsp-server
        edit fac_ocsp
            set cert "REMOTE_Cert_1"
            set url "http://172.20.120.16:2560"
    end
Trusted CAs
Trusted CA certificates can be used to validate certificates signed by an external CA.
To view the trusted CA certificate list, go to Certificate Management > Certificate Authorities > Trusted CAs.
The certificate ID, subject, issuer, and status are shown. Certificates can be imported, exported, deleted, and searched.
To import a trusted CA certificate:
- From the trusted CA certificate list, select Import. The Import Signing Request or Trusted CA Certificate window opens.
- Enter a certificate ID in the Certificate ID field.
- In the Certificate field, select Browse… to locate the file on your computer, then select OK to import the certificate. When successful, the trusted CA certificate will be displayed in the list on the FortiAuthenticator device. You can select it to see the details (see To view certificate details: on page 140).