Generating a certificate signing request
Whether you create certificates locally with a software application or obtain them from an external certificate service, you will need to generate a certificate signing request (CSR).
When you generate a CSR, a private and public key pair is created for the FortiGate unit. The generated request includes the public key of the FortiGate unit and information such as the FortiGate unit’s public static IP address, domain name, or email address. The FortiGate unit’s private key remains confidential on the FortiGate unit.
After you submit the request to a CA, the CA will verify the information and register the contact information on a digital certificate that contains a serial number, an expiration date, and the public key of the CA. The CA will then sign the certificate, and you install the certificate on the FortiGate unit.
The format of a CSR is defined by PKCS #10, the Certificate Request Standard, one of the Public Key Cryptography Standards (PKCS) published by RSA. The same specification is published as RFC 2986.
To generate a certificate request in FortiOS – web-based manager:
- Go to System > Certificates.
- Select Generate.
- In the Certificate Name field, enter a unique meaningful name for the certificate request. Typically, this would be the hostname or serial number of the FortiGate unit or the domain of the FortiGate unit such as example.com.
Prior to FortiOS 5.4, the password of a local certificate generated via either SCEP or the CLI could not be reset. The password can be set in the CLI using the following commands:

    config vpn certificate local
        edit <name>
            set password <password>
        next
    end
- Enter values in the Subject Information area to identify the FortiGate unit:
- If the FortiGate unit has a static IP address, select Host IP and enter the public IP address of the FortiGate unit. If the FortiGate unit does not have a public IP address, use an email address (or fully qualified domain name (FQDN) if available) instead.
- If the FortiGate unit has a dynamic IP address and subscribes to a dynamic DNS service, use a FQDN if available to identify the FortiGate unit. If you select Domain Name, enter the FQDN of the FortiGate unit. Do not include the protocol specification (http://) or any port number or path names.
If a domain name is not available and the FortiGate unit subscribes to a dynamic DNS service, an “unable to verify certificate” type message may be displayed in the user’s browser whenever the public IP address of the FortiGate unit changes.
- If you select E-Mail, enter the email address of the owner of the FortiGate unit.
- Enter values in the Optional Information area to further identify the FortiGate unit.
Field | Description
--- | ---
Organization Unit | Name of your department. You can enter a series of OUs up to a maximum of 5. To add or remove an OU, use the plus (+) or minus (-) icon.
Organization | Legal name of your company or organization.
Locality (City) | Name of the city or town where the FortiGate unit is installed.
State/Province | Name of the state or province where the FortiGate unit is installed.
Country | Select the country where the FortiGate unit is installed.
E-mail | Contact email address.
Subject Alternative Name | Optionally, enter one or more alternative names for which the certificate is also valid. Separate names with a comma. A name can be an e-mail address, an IP address, a URI, a DNS name (an alternative to the Common Name) or a directory name (an alternative to the Distinguished Name). You must precede each name with its type. Examples: IP:1.1.1.1, email:test@fortinet.com, email:my@other.address, URI:http://my.url.here/
Password for private key | Option to export the local certificate and its private key in a password-protected PKCS #12 (.p12) file.
- From the Key Type list, select RSA or Elliptic Curve.
- From the Key Size list, select 1024 Bit, 1536 Bit, 2048 Bit or 4096 Bit for RSA, or secp256r1, secp384r1 or secp521r1 for Elliptic Curve. Larger keys are slower to generate but more secure.
- In Enrollment Method, you have two methods to choose from. Select File Based to generate the certificate request, or Online SCEP to obtain a signed SCEP-based certificate automatically over the network. For the SCEP method, enter the URL of the SCEP server from which to retrieve the CA certificate, and the CA server challenge password.
- Select OK.
- The request is generated and displayed in the Local Certificates list with a status of PENDING.
- Select the Download button to download the request to the management computer.
- In the File Download dialog box, select Save and save the Certificate Signing Request on the local file system of the management computer.
- Name the file and save it on the local file system of the management computer. The certificate request is ready for the certificate authority to be signed.
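The same kind of PKCS #10 request built with OpenSSL, as an added example that is not FortiOS code, so that the subject, the SAN entries (using the type prefixes shown in the table above) and the request's self-signature can be checked before the file is sent to the CA. It assumes an OpenSSL 1.1.1 or later binary on PATH; every host name, address and organization value is constructed.

```shell
#!/bin/sh
# Added example, not FortiOS code: build an equivalent PKCS #10 request with
# OpenSSL and check it before submission. Assumes openssl 1.1.1+ on PATH
# (needed for -addext); every name and address below is constructed.
set -eu

# gen_csr OUTDIR KEYSPEC SUBJECT SAN
#   KEYSPEC: "rsa:2048" or a curve name such as secp384r1 (the UI's key sizes)
#   SUBJECT: OpenSSL DN, e.g. "/CN=fgt.example.com/O=Example Corp/OU=Network"
#   SAN:     comma-separated entries, each prefixed with its type exactly as
#            in the web UI: "IP:1.1.1.1,email:test@fortinet.com,URI:http://my.url.here/"
gen_csr() {
    dir=$1; keyspec=$2; subject=$3; san=$4
    case $keyspec in
        rsa:*) keyarg="-newkey $keyspec" ;;
        *)     keyarg="-newkey ec -pkeyopt ec_paramgen_curve:$keyspec" ;;
    esac
    # -nodes: unencrypted key file, standing in for the key kept on the FortiGate
    # shellcheck disable=SC2086  # keyarg is intentionally word-split
    openssl req -new $keyarg -nodes -keyout "$dir/fgt.key" -out "$dir/fgt.csr" \
        -subj "$subject" -addext "subjectAltName=$san" 2>/dev/null
    chmod 600 "$dir/fgt.key"   # the private key never leaves this host
}

# csr_check FILE: verify the request's self-signature (proof that the
# requester holds the matching private key) and print its SAN entries;
# fails if the signature is bad or no SAN was encoded.
csr_check() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1 || return 1
    openssl req -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n1 | sed 's/^ *//' \
        | grep .
}

# Demo run using the SAN examples from the table above (constructed values)
workdir=$(mktemp -d)
gen_csr "$workdir" rsa:2048 "/CN=fgt.example.com/O=Example Corp/OU=Network" \
    "IP:1.1.1.1,email:test@fortinet.com,email:my@other.address,URI:http://my.url.here/"
csr_check "$workdir/fgt.csr"
```

The printed SAN line is what the CA will see; compare it against the names you entered in the Subject Alternative Name field before submitting the request.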