Example — Generate and Import CA certificate with private key pair on OpenSSL
This example explains how to generate a certificate using OpenSSL on MS Windows. OpenSSL is available for Linux and Mac OS as well, however their terminology will vary slightly from what is presented here.
and Import CA certificate with private key pair on OpenSSL
Assumptions
Before starting this procedure, ensure that you have downloaded and installed OpenSSL on Windows. One source is: http://www.slproweb.com/products/Win32OpenSSL.html.
Generating and importing the CA certificate and private key
The two following procedures will generate a CA certificate file and private key file, and then import it to the FortiGate unit as a local certificate.
To generate the private key and certificate
- At the Windows command prompt, go to the OpenSSL bin directory. If you installed to the default location this will be the command:
cd c:\OpenSSL-Win32\bin
- Enter the following command to generate the private key. You will be prompted to enter your PEM pass phrase. Choose something easy to remember such as fortinet123.
openssl genrsa -aes256 -out fgtcapriv.key 2048
This command generates an RSA AES256 2048-bit encryption key.
- The following command will generate the certificate using the key from the previous step.
openssl req -new -x509 -days 3650 -extensions v3_ca -key fgtcapriv.key -out fgtca.crt
This step generates an X509 CA certificate good for 10 years that uses the key generated in the previous step. The certificate filename is fgtca.crt.
You will be prompted to enter information such as PEM Pass Phrase from the previous step, Country Name, State, Organization Name, Organizational Unit (such as department name), Common Name (the FQDN), and Email Address.
To import the certificate to the FortiGate unit – web-based manager:
- Go to System > Certificates.
- Select Import > Local Certificate.
- Select Certificate for Type.
Fields for Certificate file, Key file, and Password are displayed.
- For Certificate file, enter c:\OpenSSL-Win32\bin\fgtca.crt.
- For Key file, enter c:\OpenSSL-Win32\bin\fgtcapriv.key.
- For Password, enter the PEM Pass Phrase you entered earlier, such as fortinet123.
- Select OK.
The Certificate will be added to the list of Local Certificates and be ready for use. It will appear in the list as the filename you uploaded — fgtca.You can add comments to this certificate to make it clear where its from and how it is intended to be used. If you download the certificate from FortiOS, it is a .CER file.
Example — Generate an SSL certificate in
It can now be used in Authenticating IPsec VPN users with security certificates on page 122, and Authenticating SSL VPN users with security certificates on page 121.
Optionally, you can install the certificate as a CA Certificate. CA certificates are used in HTTPS proxy/inspection. To do this, under System > Certificates select Import > CA Certificate. Select Local PC and enter the certificate file c:\OpenSSL-Win32\bin\fgtca.crt. Then select OK. This certificate will be displayed in the CA Certificate list under the name CA_Cert_1.
Example — Generate an SSL certificate in OpenSSL
This example explains how to generate a CA signed SSL certificate using OpenSSL on MS Windows. OpenSSL is available for Linux and Mac OS as well, however their terminology will vary slightly from what is presented here.
In this example, you will:
- Generate a CA signed SSL certificate
- Generate a self-signed SSL certificate
- Import the SSL certificate into FortiOS
Assumptions
Before starting this procedure, ensure that you have downloaded and installed OpenSSL on MS Windows. One download source is http://www.slproweb.com/products/Win32OpenSSL.html.
Generating a CA signed SSL certificate
This procedure assumes that you have already completed Example — Generate and Import CA certificate with private key pair on OpenSSL on page 124 successfully.
To generate the CA signed SSL certificate:
- At the Windows command prompt, go to the OpenSSL bin directory. If you installed to the default location this will be the following command:
cd c:\OpenSSL-Win32\bin
- Enter the following command to generate the private key. You will be prompted to enter your PEM pass phrase. Choose something easy to remember such as fortinet.
openssl genrsa -aes256 -out fgtssl.key 2048
This command generates an RSA AES256 2048-bit encryption key.
- Create a certificate signing request for the SSL certificate. This step requires you to enter the information listed in step 3 of the previous example — To generate the private key and certificate. You can leave the Challenge Password blank.
openssl req -new -sha256 -key fgtssl.key -out fgtssl.csr
an SSL certificate in OpenSSL
Most Certificate Authorities will ignore the value that is set in the CSR and use whatever value they are set to use in their configuration. This means that the client will likely need to modify their openssl.conf file to use SHA-256 (or another SHA-2 variant).
- Using the CSR from the previous step, you can now create the SSL certificate using the CA certificate that was created in Example — Generate and Import CA certificate with private key pair on OpenSSL.
openssl x509 -req -days 365 -in fgtssl.csr -CA fgtca.crt -CAkey fgtcapriv.key -set_ serial 01 -out fgtssl.crt
This will generate an X.509 certificate good for 365 days signed by the CA certificate fgtca.crt.
Generating a self-signed SSL certificate
This procedures does not require any existing certificates.
- At the Windows command prompt, go to the OpenSSL bin directory. If you installed to the default location this will be the following command:
cd c:\OpenSSL-Win32\bin
- Enter the following command to generate the private key. You will be prompted to enter your PEM pass phrase. Choose something easy to remember such as fortinet.
openssl genrsa -aes256 -out fgtssl.key 2048 openssl req -new -key fgtssl.key -out fgtssl.csr openssl x509 -req -days 365 -in fgtssl.csr -signkey fgtssl.key -out fgtssl.crt
These commands:
- generate an RSA AES256 2048-bit private key,
- generate an SSL certificate signing request, and l sign the CSR to generate an SSL .CRT certificate file.