Generating certificates with CA software
CA software allows you to generate unmanaged certificates and CA certificates for managing other certificates locally, without using an external CA service. Examples of CA software include ssl-ca from OpenSSL (available for Linux, Windows, and Mac) and gensslcert from SuSE. MS Windows Server 2000 and 2003 come with a CA as part of their certificate services, and in MS Windows 2008 CA software can be installed as part of the Active Directory installation. See Example — Generate and Import CA certificate with private key pair on OpenSSL on page 124.
The general steps for generating certificates with CA software are
- Install the CA software as a stand-alone root CA.
- Provide identifying information for your self-administered CA.
While following these steps, the methods vary slightly when generating server certificates, CA certificates, and PKI certificates.
Server certificate
- Generate a Certificate Signing Request (CSR) on the FortiGate unit.
- Copy the CSR base-64 encoded text (PKCS#10 or PKCS#7) into the CA software and generate the certificate. PKCS#10 is the format used to send the certificate request to the signing authority; PKCS#7 is the format the signing authority can use to return the newly signed certificate.
- Export the certificate as an X.509 DER-encoded binary file with a .CER extension.
- Upload the certificate file to the FortiGate unit's Local Certificates page (type is Certificate).
CA certificate
- Retrieve the CA certificate from the CA software as a DER-encoded file.
- Import the CA certificate file to the FortiGate unit: go to System > Certificates and select Import > Certificates.
PKI certificate
- Generate a Certificate Signing Request (CSR) on the FortiGate unit.
- Copy the CSR base-64 encoded text (PKCS#10 or PKCS#7) into the CA software and generate the certificate. PKCS#10 is the format used to send the certificate request to the signing authority; PKCS#7 is the format the signing authority can use to return the newly signed certificate.
- Export the certificate as an X.509 DER-encoded binary file with a .CER extension.
- Install the certificate in the user’s web browser or IPsec VPN client as needed.