Certificate-based authentication

Generating certificates with CA software

CA software allows you to generate unmanaged certificates and CA certificates for managing other certificates locally, without using an external CA service. Examples of CA software include ssl-ca from OpenSSL (available for Linux, Windows, and Mac) and gensslcert from SuSE. MS Windows Server 2000 and 2003 include a CA as part of their certificate services, and in MS Windows 2008 the CA software can be installed as part of the Active Directory installation. See Example — Generate and Import CA certificate with private key pair on OpenSSL on page 124.

The general steps for generating certificates with CA software are:

  1. Install the CA software as a stand-alone root CA.
  2. Provide identifying information for your self-administered CA.

While following these steps, the details differ slightly depending on whether you are generating server certificates, CA certificates, or PKI certificates.

Server certificate

  1. Generate a Certificate Signing Request (CSR) on the FortiGate unit.
  2. Copy the base-64 encoded CSR text (PKCS#10 or PKCS#7) into the CA software and generate the certificate. PKCS#10 is the format used to send the certificate request to the signing authority; PKCS#7 is the format the signing authority can use to return the newly signed certificate.
  3. Export the certificate as an X.509 DER encoded binary file with a .CER extension.
  4. Upload the certificate file to the FortiGate unit Local Certificates page (type is Certificate).

CA certificate

  1. Retrieve the CA Certificate from the CA software as a DER encoded file.
  2. Import the CA certificate file to the FortiGate unit at System > Certificates and select Import > Certificates.

PKI certificate

  1. Generate a Certificate Signing Request (CSR) on the FortiGate unit.
  2. Copy the base-64 encoded CSR text (PKCS#10 or PKCS#7) into the CA software and generate the certificate. PKCS#10 is the format used to send the certificate request to the signing authority; PKCS#7 is the format the signing authority can use to return the newly signed certificate.
  3. Export the certificate as an X.509 DER encoded binary file with a .CER extension.
  4. Install the certificate in the user’s web browser or IPsec VPN client as needed.
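The server and PKI certificate procedures above, worked through with plain openssl commands as an added example (this is not code from the FortiOS handbook or from Fortinet). It assumes a throwaway working directory, the constructed names "Example Lab Root CA" and "vpn.example.lab", and a locally generated CSR standing in for the one the FortiGate unit would produce; in practice you would paste the FortiGate's PEM CSR into server.csr instead.

```shell
#!/bin/sh
# Added example: stand-alone root CA, CSR signing, DER (.cer) export and a
# pre-upload check. Names and paths are assumptions, not from the handbook.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # assumed scratch directory

# Steps 1-2: install a stand-alone root CA and give it identifying information.
make_root_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/C=US/O=Example Lab/CN=Example Lab Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  # CA certificate as DER, the form imported at System > Certificates > Import.
  openssl x509 -in "$WORK/ca.pem" -outform DER -out "$WORK/ca.cer"
}

# Constructed stand-in for the FortiGate-generated CSR (PKCS#10, base-64 PEM).
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/C=US/O=Example Lab/CN=vpn.example.lab" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
}

# Sign the CSR with the CA, then export X.509 DER with a .cer extension.
sign_csr() {
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 365 -sha256 \
    -out "$WORK/server.pem" 2>/dev/null
  openssl x509 -in "$WORK/server.pem" -outform DER -out "$WORK/server.cer"
}

# Check before uploading: the DER file parses and chains to the CA certificate.
verify_cert() {
  openssl x509 -inform DER -in "$WORK/server.cer" -out "$WORK/server.check.pem" &&
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/server.check.pem" >/dev/null
}

make_root_ca
make_csr
sign_csr
verify_cert && echo "server.cer chains to ca.cer in $WORK"
```

Keep ca.key offline once ca.cer has been exported; only the DER files leave the CA host.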

This entry was posted in FortiGate, FortiOS 5.6.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
