Certificate-based authentication

Generating a certificate signing request

Whether you create certificates locally with a software application or obtain them from an external certificate service, you will need to generate a certificate signing request (CSR).

When you generate a CSR, a private and public key pair is created for the FortiGate unit. The generated request includes the public key of the FortiGate unit and information such as the FortiGate unit’s public static IP address, domain name, or email address. The FortiGate unit’s private key remains confidential on the FortiGate unit.

After you submit the request to a CA, the CA will verify the information and register the contact information on a digital certificate that contains a serial number, an expiration date, and the public key of the CA. The CA will then sign the certificate, and you install the certificate on the FortiGate unit.

The Certificate Request Standard is a public key cryptography standard (PKCS) published by RSA, specifically PKCS10 which defines the format for CSRs. This is defined in RFC 2986.

To generate a certificate request in FortiOS – web-based manager:

  1. Go to System > Certificates.
  2. Select Generate.
  3. In the Certificate Name field, enter a unique meaningful name for the certificate request. Typically, this would be the hostname or serial number of the FortiGate unit or the domain of the FortiGate unit such as example.com.

Prior to FortiOS 5.4, passwords for local certificates that were generated via either SCEP or CLI could not have their passwords reset. Passwords can be set in the CLI using the following command:

config vpn certificate local edit <name> set password <password>

next end

  1. Enter values in the Subject Information area to identify the FortiGate unit:
    • If the FortiGate unit has a static IP address, select Host IPand enter the public IP address of the FortiGate unit. If the FortiGate unit does not have a public IP address, use an email address (or fully qualified domain name (FQDN) if available) instead.
    • If the FortiGate unit has a dynamic IP address and subscribes to a dynamic DNS service, use a FQDN if available to identify the FortiGate unit. If you select Domain Name, enter the FQDN of the FortiGate unit. Do not include the protocol specification (http://) or any port number or path names.

If a domain name is not available and the FortiGate unit subscribes to a dynamic DNS service, an “unable to verify certificate” type message may be displayed in the user’s browser whenever the public IP address of the FortiGate unit changes.

  • If you select E-Mail, enter the email address of the owner of the FortiGate unit.
  1. Enter values in the Optional Information area to further identify the FortiGate unit.
Organization Unit Name of your department. You can enter a series of OUs up to a maximum of 5. To add or remove an OU, use the plus (+) or minus (-) icon.
Organization Legal name of your company or organization.
Locality (City) Name of the city or town where the FortiGate unit is installed.
State/Province Name of the state or province where the FortiGate unit is installed.
Country Select the country where the FortiGate unit is installed.
e-mail Contact email address.
Subject Alternative Name Optionally, enter one or more alternative names for which the certificate is also valid. Separate names with a comma. A name can be:

l e-mail address l IP address l URI l DNS name (alternatives to the Common Name) l directory name (alternatives to the Distinguished Name)

You must precede the name with the name type. Examples:

IP:1.1.1.1 email:test@fortinet.com email:my@other.address

URI:http://my.url.here/

Password for private key Option to export local certificate and its private key in password protected p12.
  1. From the Key Type list, select RSA or Elliptic Curve.
  2. From the Key Size list, select 1024 Bit, 1536 Bit, 2048 Bit, 4096 Bit or secp256r1, secp384r1, secp521r1 Larger keys are slower to generate but more secure.
  3. In Enrollment Method, you have two methods to choose from. Select File Based to generate the certificate request, or Online SCEP to obtain a signed SCEP-based certificate automatically over the network. For the SCEP method, enter the URL of the SCEP server from which to retrieve the CA certificate, and the CA server challenge password.

Managing X.509

  1. Select OK.
  2. The request is generated and displayed in the Local Certificates list with a status of PENDING.
  3. Select the Download button to download the request to the management computer.
  4. In the File Download dialog box, select Save and save the Certificate Signing Request on the local file system of the management computer.
  5. Name the file and save it on the local file system of the management computer. The certificate request is ready for the certificate authority to be signed.

This entry was posted in FortiGate, FortiOS 5.6 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.