Managing X.509 certificates

Managing security certificates involves several steps: having a certificate request signed, and then distributing the correct files to where they are used.

You use the FortiGate unit or CA software such as OpenSSL to generate a certificate request. That request is a text file that you send to the CA for verification, or alternatively you use CA software to sign it yourself. Once validated, the certificate file is generated and must be imported to the FortiGate unit before it can be used. These steps are explained in more detail later in this section.

This section provides procedures for generating certificate requests, installing signed server certificates, and importing CA root certificates and CRLs to the FortiGate unit.

For information about how to install root certificates, CRLs, and personal or group certificates on a remote client browser, refer to your browser’s documentation.

This section includes:

  • Generating a certificate signing request
  • Generating certificates with CA software
  • Obtaining and installing a signed server certificate from an external CA
  • Installing a CA root certificate and CRL to authenticate remote clients
  • Troubleshooting certificates
  • Online updates to certificates and CRLs
  • Backing up and restoring local certificates

Generating a certificate signing request

Whether you create certificates locally with a software application or obtain them from an external certificate service, you will need to generate a certificate signing request (CSR).

When you generate a CSR, a private and public key pair is created for the FortiGate unit. The generated request includes the public key of the FortiGate unit and information such as the FortiGate unit’s public static IP address, domain name, or email address. The FortiGate unit’s private key remains confidential on the FortiGate unit.

After you submit the request to a CA, the CA will verify the information and register the contact information on a digital certificate that contains a serial number, an expiration date, and the public key of the CA. The CA will then sign the certificate, and you install the certificate on the FortiGate unit.

The Certificate Request Standard is a public key cryptography standard (PKCS) published by RSA, specifically PKCS #10, which defines the format for CSRs. It is defined in RFC 2986.

To generate a certificate request in FortiOS – web-based manager:

1. Go to System > Certificates > Local Certificates.

2. Select Generate.

3. In the Certificate Name field, enter a unique, meaningful name for the certificate request. Typically, this would be the hostname or serial number of the FortiGate unit, or the domain of the FortiGate unit such as example.com.

Do not include spaces in the certificate name. This ensures that the signed certificate can later be exported as a PKCS #12 file if required.

4. Enter values in the Subject Information area to identify the FortiGate unit:

  • If the FortiGate unit has a static IP address, select Host IP and enter the public IP address of the FortiGate unit. If the FortiGate unit does not have a public IP address, use an email address (or fully qualified domain name (FQDN) if available) instead.
  • If the FortiGate unit has a dynamic IP address and subscribes to a dynamic DNS service, use an FQDN if available to identify the FortiGate unit. If you select Domain Name, enter the FQDN of the FortiGate unit. Do not include the protocol specification (http://) or any port number or path names.

If a domain name is not available and the FortiGate unit subscribes to a dynamic DNS service, an “unable to verify certificate” type message may be displayed in the user’s browser whenever the public IP address of the FortiGate unit changes.

  • If you select EMail, enter the email address of the owner of the FortiGate unit.

5. Enter values in the Optional Information area to further identify the FortiGate unit.

Organization Unit: Name of your department. You can enter a series of OUs up to a maximum of 5. To add or remove an OU, use the plus (+) or minus (-) icon.

Organization: Legal name of your company or organization.

Locality (City): Name of the city or town where the FortiGate unit is installed.

State/Province: Name of the state or province where the FortiGate unit is installed.

Country: Select the country where the FortiGate unit is installed.

email: Contact email address.

Subject Alternative Name: Optionally, enter one or more alternative names for which the certificate is also valid. Separate names with a comma. A name can be:

  • e-mail address
  • IP address
  • URI
  • DNS name (alternatives to the Common Name)
  • directory name (alternatives to the Distinguished Name)

You must precede the name with the name type. Examples:

  • IP:1.1.1.1
  • email:test@fortinet.com
  • email:my@other.address
  • URI:http://my.url.here/

6. From the Key Type list, select RSA or Elliptic Curve.

7. From the Key Size list, select 1024 Bit, 1536 Bit or 2048 Bit for RSA, or secp256r1, secp384r1 or secp521r1 for Elliptic Curve.

Larger keys are slower to generate but more secure.

8. In Enrollment Method, choose one of two methods. Select File Based to generate the certificate request, or Online SCEP to obtain a signed SCEP-based certificate automatically over the network. For the SCEP method, enter the URL of the SCEP server from which to retrieve the CA certificate, and the CA server challenge password.

9. Select OK.

10. The request is generated and displayed in the Local Certificates list with a status of PENDING.

11. Select the Download button to download the request to the management computer.

12. In the File Download dialog box, select Save and save the Certificate Signing Request on the local file system of the management computer.

13. Name the file and save it on the local file system of the management computer. The certificate request is now ready to be signed by the certificate authority.
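The following script is an added example and is not part of the FortiOS documentation or Fortinet's own tooling. It shows the same PKCS #10 request built with the OpenSSL command-line tool mentioned at the start of this section: it generates the key pair (RSA 2048 by default, or one of the curves from step 7), fills in the Subject Information and Optional Information fields from steps 4 and 5, attaches one Subject Alternative Name of each type listed above (IP, email, URI, DNS), and then verifies the request's self-signature and reads back the subject, SAN list and key size that a CA would check before signing. The subject values, the address 192.0.2.10 (from the documentation address range), the example.com names and the scratch directory are constructed sample data; an `openssl` binary (1.1.1 or later) on PATH is assumed.

```shell
#!/bin/sh
# Added example, not from the FortiOS documentation: build a PKCS #10 CSR with
# the OpenSSL CLI, equivalent to the Generate form described above. Assumes
# openssl 1.1.1 or later on PATH. All subject values and SANs are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"      # scratch directory (assumed writable)

# Steps 6-7: key type and size. $1 = rsa|ec, $2 = bits (1024/1536/2048) or
# curve (secp256r1/secp384r1/secp521r1). The private key stays in $WORK;
# only the CSR is sent to the CA.
gen_key() {
    case "$1" in
        rsa) openssl genpkey -algorithm RSA -pkeyopt "rsa_keygen_bits:$2" \
                 -out "$WORK/fgt.key" 2>/dev/null ;;
        ec)  curve="$2"
             # OpenSSL calls secp256r1 "prime256v1"; the other two names are accepted as-is
             [ "$curve" = secp256r1 ] && curve=prime256v1
             openssl genpkey -algorithm EC -pkeyopt "ec_paramgen_curve:$curve" \
                 -out "$WORK/fgt.key" 2>/dev/null ;;
        *)   echo "unknown key type: $1" >&2; return 1 ;;
    esac
}

# Steps 4-5: subject fields plus one Subject Alternative Name per type listed
# in the text (IP, email, URI, DNS). Values are constructed samples.
gen_csr() {
    cat > "$WORK/csr.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
req_extensions     = ext

[ dn ]
CN           = fgt.example.com
OU           = Network Operations
O            = Example Corp
L            = Example City
ST           = Example State
C            = US
emailAddress = admin@example.com

[ ext ]
subjectAltName = @alt

[ alt ]
IP.1    = 192.0.2.10
email.1 = admin@example.com
URI.1   = https://fgt.example.com/
DNS.1   = fgt.example.com
EOF
    openssl req -new -key "$WORK/fgt.key" -config "$WORK/csr.cnf" \
        -out "$WORK/fgt.csr"
}

# A CSR is self-signed with the new private key; checking that signature
# proves the requester holds the key matching the public key in the request.
verify_csr() {
    openssl req -in "$WORK/fgt.csr" -noout -verify 2>&1 | grep -q 'verify OK'
}

# Read back the fields an administrator (or the CA) checks before signing.
csr_subject()  { openssl req -in "$WORK/fgt.csr" -noout -subject; }
csr_sans()     { openssl req -in "$WORK/fgt.csr" -noout -text |
                     sed -n '/Subject Alternative Name/{n;p;}' | sed 's/^ *//'; }
csr_key_bits() { openssl req -in "$WORK/fgt.csr" -noout -text |
                     sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'; }

# Usage: KEY_TYPE=ec KEY_PARAM=secp256r1 sh csr.sh   (default: RSA 2048)
gen_key "${KEY_TYPE:-rsa}" "${KEY_PARAM:-2048}"
gen_csr
verify_csr && echo "CSR self-signature OK"
csr_subject
csr_sans
echo "key bits: $(csr_key_bits)"
```

The `-verify` step is worth keeping in any CSR workflow: a request whose self-signature does not check out was either corrupted in transit or built against a different key than the one on the unit, and it is cheaper to catch that before the CA issues a certificate that the FortiGate cannot pair with its private key. The SAN read-back also makes the "precede the name with the name type" rule from step 5 visible, since OpenSSL prints each entry with its type prefix.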
