Certificate-based authentication

Example — Generate and Import CA certificate with private key pair on OpenSSL

This example explains how to generate a certificate using OpenSSL on MS Windows. OpenSSL is available for Linux and Mac OS as well, however their terminology will vary slightly from what is presented here.

and Import CA certificate with private key pair on OpenSSL

Assumptions

Before starting this procedure, ensure that you have downloaded and installed OpenSSL on Windows. One source is: http://www.slproweb.com/products/Win32OpenSSL.html.

Generating and importing the CA certificate and private key

The two following procedures will generate a CA certificate file and private key file, and then import it to the FortiGate unit as a local certificate.

To generate the private key and certificate

  1. At the Windows command prompt, go to the OpenSSL bin directory. If you installed to the default location this will be the command:

cd c:\OpenSSL-Win32\bin

  1. Enter the following command to generate the private key. You will be prompted to enter your PEM pass phrase. Choose something easy to remember such as fortinet123.

openssl genrsa -aes256 -out fgtcapriv.key 2048

This command generates an RSA AES256 2048-bit encryption key.

  1. The following command will generate the certificate using the key from the previous step.

openssl req -new -x509 -days 3650 -extensions v3_ca -key fgtcapriv.key -out fgtca.crt

This step generates an X509 CA certificate good for 10 years that uses the key generated in the previous step. The certificate filename is fgtca.crt.

You will be prompted to enter information such as PEM Pass Phrase from the previous step, Country Name, State, Organization Name, Organizational Unit (such as department name), Common Name (the FQDN), and Email Address.

To import the certificate to the FortiGate unit – web-based manager:

  1. Go to System > Certificates.
  2. Select Import > Local Certificate.
  3. Select Certificate for Type.

Fields for Certificate file, Key file, and Password are displayed.

  1. For Certificate file, enter c:\OpenSSL-Win32\bin\fgtca.crt.
  2. For Key file, enter c:\OpenSSL-Win32\bin\fgtcapriv.key.
  3. For Password, enter the PEM Pass Phrase you entered earlier, such as fortinet123.
  4. Select OK.

The Certificate will be added to the list of Local Certificates and be ready for use. It will appear in the list as the filename you uploaded — fgtca.You can add comments to this certificate to make it clear where its from and how it is intended to be used. If you download the certificate from FortiOS, it is a .CER file.

Example — Generate an SSL certificate in

It can now be used in Authenticating IPsec VPN users with security certificates on page 122, and Authenticating SSL VPN users with security certificates on page 121.

Optionally, you can install the certificate as a CA Certificate. CA certificates are used in HTTPS proxy/inspection. To do this, under System > Certificates select Import > CA Certificate. Select Local PC and enter the certificate file c:\OpenSSL-Win32\bin\fgtca.crt. Then select OK. This certificate will be displayed in the CA Certificate list under the name CA_Cert_1.

Example — Generate an SSL certificate in OpenSSL

This example explains how to generate a CA signed SSL certificate using OpenSSL on MS Windows. OpenSSL is available for Linux and Mac OS as well, however their terminology will vary slightly from what is presented here.

In this example, you will:

  • Generate a CA signed SSL certificate
  • Generate a self-signed SSL certificate
  • Import the SSL certificate into FortiOS

Assumptions

Before starting this procedure, ensure that you have downloaded and installed OpenSSL on MS Windows. One download source is http://www.slproweb.com/products/Win32OpenSSL.html.

Generating a CA signed SSL certificate

This procedure assumes that you have already completed Example — Generate and Import CA certificate with private key pair on OpenSSL on page 124 successfully.

To generate the CA signed SSL certificate:

  1. At the Windows command prompt, go to the OpenSSL bin directory. If you installed to the default location this will be the following command:

cd c:\OpenSSL-Win32\bin

  1. Enter the following command to generate the private key. You will be prompted to enter your PEM pass phrase. Choose something easy to remember such as fortinet.

openssl genrsa -aes256 -out fgtssl.key 2048

This command generates an RSA AES256 2048-bit encryption key.

  1. Create a certificate signing request for the SSL certificate. This step requires you to enter the information listed in step 3 of the previous example — To generate the private key and certificate. You can leave the Challenge Password blank.

openssl req -new -sha256 -key fgtssl.key -out fgtssl.csr

an SSL certificate in OpenSSL

Most Certificate Authorities will ignore the value that is set in the CSR and use whatever value they are set to use in their configuration. This means that the client will likely need to modify their openssl.conf file to use SHA-256 (or another SHA-2 variant).

  1. Using the CSR from the previous step, you can now create the SSL certificate using the CA certificate that was created in Example — Generate and Import CA certificate with private key pair on OpenSSL.

openssl x509 -req -days 365 -in fgtssl.csr -CA fgtca.crt -CAkey fgtcapriv.key -set_ serial 01 -out fgtssl.crt

This will generate an X.509 certificate good for 365 days signed by the CA certificate fgtca.crt.

Generating a self-signed SSL certificate

This procedures does not require any existing certificates.

  1. At the Windows command prompt, go to the OpenSSL bin directory. If you installed to the default location this will be the following command:

cd c:\OpenSSL-Win32\bin

  1. Enter the following command to generate the private key. You will be prompted to enter your PEM pass phrase. Choose something easy to remember such as fortinet.

openssl genrsa -aes256 -out fgtssl.key 2048 openssl req -new -key fgtssl.key -out fgtssl.csr openssl x509 -req -days 365 -in fgtssl.csr -signkey fgtssl.key -out fgtssl.crt

These commands:

  • generate an RSA AES256 2048-bit private key,
  • generate an SSL certificate signing request, and l sign the CSR to generate an SSL .CRT certificate file.

This entry was posted in FortiGate, FortiOS 5.6 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.