Example — Generate a CSR on the FortiGate unit

This example follows all the steps required to create and install a local certificate on the FortiGate unit, without using CA software.

The FortiGate unit is called myFortiGate60, and is located at 10.11.101.101 (a private IP address) and http://myfortigate.example.com. Mr. John Smith (john.smith@myfortigate.example.com) is the IT administrator for this FortiGate unit, and the unit belongs to the Sales department located in Greenwich, London, England.

 

To generate a certificate request on the FortiGate unit – web-based manager:

1. Go to System > Certificates.

2. Select Generate.

3. In the Certificate Name field, enter myFortiGate60.

 

Do not include spaces in the certificate name. This will ensure compatibility of a signed certificate as a PKCS12 file to be exported later on if required.

Since the IP address is private, we will use the FQDN instead.

4. Select Domain Name, and enter http://myfortigate.example.com.

5. Enter values in the Optional Information area to further identify the FortiGate unit.

Organization Unit                     Sales

Organization                              Example.com

Locality (City)                            Greenwich

State/Province                           London

Country                                      England

e–mail                                          john.smith@myfortigate.example.com

6. From the Key Type list, select RSA or Elliptic Curve.

7. If RSA is selected, from the Key Size list, select 2048 Bit. If Elliptic Curve is selected,from the Curve Name list, select secp256r1.

8. In Enrollment Method, select File Based to generate the certificate request

9. Select OK.

The request is generated and displayed in the Local Certificates list with a status of PENDING.

10. Select the Download button to download the request to the management computer.

11. In the File Download dialog box, select Save and save the Certificate Signing Request on the local file system of the management computer.

12. Name the file and save it on the local file system of the management computer.

Example — Generate and Import CA certificate with private key pair on OpenSSL

This example explains how to generate a certificate using OpenSSL on MS Windows. OpenSSL is available for Linux and Mac OS as well, however their terminology will vary slightly from what is presented here.

 

Assumptions

Before starting this procedure, ensure that you have downloaded and installed OpenSSL on Windows. One source is: http://www.slproweb.com/products/Win32OpenSSL.html.

 

Generating and importing the CA certificate and private key

The two following procedures will generate a CA certificate file and private key file, and then import it to the

FortiGate unit as a local certificate.

To generate the private key and certificate

1. At the Windows command prompt, go to the OpenSSL bin directory. If you installed to the default location this will be the command:

cd c:\OpenSSL-Win32\bin

2. Enter the following command to generate the private key. You will be prompted to enter your PEM pass phrase.

Choose something easy to remember such as fortinet123.

openssl genrsa -aes256 -out fgtcapriv.key 2048

This command generates an RSA AES256 2048-bit encryption key.

3. The following command will generate the certificate using the key from the previous step.

openssl req -new -x509 -days 3650 -extensions v3_ca -key fgtcapriv.key -out fgtca.crt

This step generates an X509 CA certificate good for 10 years that uses the key generated in the previous step. The certificate filename is fgtca.crt.

You will be prompted to enter information such as PEM Pass Phrase from the previous step, Country Name, State, Organization Name, Organizational Unit (such as department name), Common Name (the FQDN), and Email Address.

 

To import the certificate to the FortiGate unit – web-based manager:

1. Go to System > Certificates.

2. Select Import > Local Certificate.

3. Select Certificate for Type.

Fields for Certificate file, Key file, and Password are displayed.

4. For Certificate file, enter c:\OpenSSL-Win32\bin\fgtca.crt.

5. For Key file, enter c:\OpenSSL-Win32\bin\fgtcapriv.key.

6. For Password, enter the PEM Pass Phrase you entered earlier, such as fortinet123.

7. Select OK.

The Certificate will be added to the list of Local Certificates and be ready for use. It will appear in the list as the filename you uploaded — fgtca.You can add comments to this certificate to make it clear where its from and how it is intended to be used. If you download the certificate from FortiOS, it is a .CER file.

It can now be used in Authenticating IPsec VPN users with security certificates on page 535, and Authenticating SSL VPN users with security certificates on page 534.

Optionally, you can install the certificate as a CA Certificate. CA certificates are used in HTTPS proxy/inspection. To do this, under System > Certificates select Import > CA Certificate. Select Local PC and enter the certificate file c:\OpenSSL-Win32\bin\fgtca.crt. Then select OK. This certificate will be displayed in the CA Certificate list under the name CA_Cert_1.

 

 

Example — Generate an SSL certificate in OpenSSL

This example explains how to generate a CA signed SSL certificate using OpenSSL on MS Windows. OpenSSL is available for Linux and Mac OS as well, however their terminology will vary slightly from what is presented here.

In this example, you will:

• Generate a CA signed SSL certificate
• Generate a self-signed SSL certificate
• Import the SSL certificate into FortiOS

 

Assumptions

• Before starting this procedure, ensure that you have downloaded and installed OpenSSL on MS Windows. One download source is http://www.slproweb.com/products/Win32OpenSSL.html.

 

Generating a CA signed SSL certificate

This procedure assumes that you have already completed Example — Generate and Import CA certificate with private key pair on OpenSSL on page 537 successfully.

 

To generate the CA signed SSL certificate:

1. At the Windows command prompt, go to the OpenSSL bin directory. If you installed to the default location this will be the following command:

cd c:\OpenSSL-Win32\bin

2. Enter the following command to generate the private key. You will be prompted to enter your PEM pass phrase.

Choose something easy to remember such as fortinet.

openssl genrsa -aes256 -out fgtssl.key 2048

This command generates an RSA AES256 2048-bit encryption key.

3. Create a certificate signing request for the SSL certificate. This step requires you to enter the information listed in step 3 of the previous example — To generate the private key and certificate. You can leave the Challenge Password blank.

openssl req -new -sha256 -key fgtssl.key -out fgtssl.csr

Most Certificate Authorities will ignore the value that is set in the CSR and use whatever value they are set to use in their configuration. This means that the client will likely need to modify their openssl.conf file to use SHA-256 (or another SHA-2 variant).

4. Using the CSR from the previous step, you can now create the SSL certificate using the CA certificate that was created in Example — Generate and Import CA certificate with private key pair on OpenSSL.

openssl x509 -req -days 365 -in fgtssl.csr -CA fgtca.crt -CAkey fgtcapriv.key -set_

serial 01 -out fgtssl.crt

This will generate an X.509 certificate good for 365 days signed by the CA certificate fgtca.crt.

 

Generating a self-signed SSL certificate

This procedures does not require any existing certificates.

1. At the Windows command prompt, go to the OpenSSL bin directory. If you installed to the default location this will be the following command:

cd c:\OpenSSL-Win32\bin

2. Enter the following command to generate the private key. You will be prompted to enter your PEM pass phrase.

Choose something easy to remember such as fortinet.

openssl genrsa -aes256 -out fgtssl.key 2048 openssl req -new -key fgtssl.key -out fgtssl.csr

openssl x509 -req -days 365 -in fgtssl.csr -signkey fgtssl.key -out fgtssl.crt

 

These commands:

• generate an RSA AES256 2048-bit private key,
• generate an SSL certificate signing request, and
• sign the CSR to generate an SSL .CRT certificate file.

 

Import the SSL certificate into FortiOS

To import the certificate to FortiOS- web-based manager

1. Go to System > Certificates.

2. Select Import > Local Certificate.

3. Select Certificate for Type.

Fields for Certificate file, Key file, and Password are displayed.

4. For Certificate file, enter c:\OpenSSL-Win32\bin\fgtssl.crt.

5. For Key file, enter c:\OpenSSL-Win32\bin\fgtssl.key.

6. For Password, enter the PEM Pass Phrase you entered, such as fortinet.

7. Select OK.

The SSL certificate you just uploaded can be found under System > Certificates under the name of the file you uploaded — fgtssl.

To confirm the certificate is uploaded properly – CLI:

config vpn certificate local edit fgtssl

get end

 

The get command will display all the certificate’s information. If it is not there or the information is not correct, you will need to remove the corrupted certificate (if it is there) and upload it again from your PC.

 

To use the new SSL certificate – CLI

config vpn ssl settings set servercert fgtssl

end

This assigns the fgtssl certificate as the SSL server certificate. For more information see the FortiOS Handbook

SSL VPN guide.