Certificate Management – FortiAuthenticator 4.0

SCEP

The FortiAuthenticator device contains a SCEP server that can sign user CSRs, and distribute CRLs and CA certificates. To use SCEP, you must:

l Enable HTTP administrative access on the interface connected to the Internet. See Interfaces on page 30. l Add the CA certificate for your certificate authority. See Certificate authorities on page 140. l Select the CA to use for SCEP. See Default CA on page 148.

Users can request a user certificate through online SCEP, found at http://<FortiAuthenticator IP Address>/cert/scep.

General

As administrator, you can allow the FortiAuthenticator unit to either automatically sign the user’s certificate or alert you about the request for signature.

To enable SCEP and configure general settings, go to Certificate Management > SCEP > General.

The following settings can be configured:

Enable SCEP Select to enable SCEP.
Default CA Select the default CA to use from the drop-down list.
Enrollment method Select the enrollment method:

Automatic: The certificate is pre-approved by the administrator.

The administrator enters the certificate information on the

FortiAuthenticator unit and gives the user a challenger password to use when submitting their request.

Manual and Automatic: The user submits the CSR, the request shows up as pending on FortiAuthenticator unit, then the administrator manually approves the pending request. Optionally, enter an email address to send pending approval notifications to.

Default enrollment password Enter the default enrollment password that will be used when not setting a random password.

Select OK to apply any changes you have made.

Enrollment requests

To view and manage certificate enrollment requests, go to Certificate Management > SCEP > Enrollment Requests.

The following information is available:

Create New Create a new certificate enrollment request.
Delete Delete the selected certificate enrollment request.
Approve/Reject Approve or reject the selected certificate enrollment request.
Method The enrollment method used.
Status The status of the enrollment: pending, approved, or rejected.
Wildcard If it is a wildcard request, a green circle with a check mark is shown.
Issuer The issuer of the certificate.
Subject The certificate subject.
Renewable Before Expiry (days) The number of days before the certificate enrollment request expires that it can be renewed.
Updated at The date and time that the enrollment request was last updated.

To view the enrollment request details:

  1. From the enrollment request list, select a request by clicking within its row. The Certificate Enrollment Request window opens.
  2. If the client has lost their certificate and key, select Did the client lose his/hercertificate and key?
  3. Select Close to return to the enrollment request window.

To reset the enrollment request status:

  1. From the Certificate Enrollment Request window, select Did the client lose his/hercertificate and key? The Reset enrollment request status? window opens.
  2. There are two methods to reset the enrollment request: l Manually remove the old enrollment request, revoke its certificate, then create a new enrollment request with exactly the same configuration and subject name as the old certificate.

l Re-use the same enrollment request by resetting its status and then revoking the lost certificate.

  1. To re-use the same enrollment request, select Yes, I’m sure. This is the recommended method of resolving the issue.

To create a new certificate enrollment request:

  1. From the certificate enrollment requests list, select Create New. The Create New Certificate Enrollment Request window opens.
  2. Enter the following information:
Automatic request type Select the automatic request type, either Regular or Wildcard.
Certificate Authority Select one of the available CAs configured on the FortiAuthenticator unit from       the         drop-      down     list.

The CA must be valid and current. If it is not you will have to create or import a CA certificate before continuing. See Certificate authorities on page 140.

 

Subject Information  
Subject input method Select the subject input method, either Fully distinguished name or Fieldby-field.
Fully distinguished name If the subject input method is Fully distinguished name, enter the full distinguished name of the subject. There should be no spaces between attributes.

Valid DN attributes are DC, C, ST, L, O, OU, CN, and emailAddress. They are case-sensitive.

Field-by-field If the subject input method is Field-by-field, enter the subject name in the Name (CN) field (if the Automatic request type is set to Regular), and optionally enter the following fields: l Department (OU) l Company (O) l City (L) l State/Province (ST)

l Country (C) (select from drop-down list) l E-mail address

Certificate Signing Options  
Validity period Select the amount of time before this certificate expires. Select Set length of time to enter a specific number of days, or select Set an expiry date and enter the specific date on which the certificate expires.
Hash algorrithm Select the hash algorithm from the drop-down list, either SHA-1 or SHA256.
Challenge Password  
Password creation Select to either set a random password, or use the default enrollment password (see Default enrollment password on page 148).
Challenge password

distribution

Select the challenge password distribution method. This option is only available if Password creation is set to Set a random password. l Display: display the password on the screen.

SMS: send the password to a mobile phone. Enter the phone number in the Mobile number field and select an SMS gateway from the drop-down list.

E-mail: send the password to the email address entered in the email field.

Renewal To allow renewals, select Allow renewal, then enter the number of days before the certificate expires.
Subject Alternative Name This option is only available if the Automatic request type is set to Regular.
Email Enter the email address of a user to map to this certificate.
User Principal Name (UPN) Enter the UPN used to find the user’s account in Microsoft Active Directory. This will map the certificate to this specific user. The UPN is unique for the Windows Server domain. This is a form of one-to-one mapping.
Advanced Options: Key Usages Some certificates require the explicit presence of extended key usage attributes before the certificate can be accepted for use.
Key Usages l Digital Signature l Non Repudiation l Key Encipherment l Data Encipherment l Key Agreement l Certificate Sign l CRL Sign l Encipher Only l Decipher Only
Extended Key Usages l  Server Authentication l Client Authentication l Code Signing l Secure Email l OCSP Signing l IPSec End System l IPSec Tunnel Termination l IPSec User l IPSec IKE Intermediate (end entity) l Time Stamping l Microsoft Individual Code Signing l Microsoft Commercial Code Signing l Microsoft Trust List Signing l Microsoft Server Gated Crypto l Netscape Server Gated Crypto l Microsoft Encrypted File System l Microsoft EFS File Recovery l Smart Card Logon l EAP over PPP l EAP over LAN

l  KDC Authentication

  1. Select OK to create the new certificate enrollment request.

 

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.