Obtaining and installing a signed server certificate from an external CA
To obtain a signed server certificate for a FortiGate unit, you send a certificate signing request (CSR) to a CA that issues X.509 certificates. The FortiGate unit generates the key pair and the request for you; only the request is sent to the CA.
To submit the certificate signing request (file-based enrollment):
- Using the web browser on the management computer, browse to the CA web site.
- Follow the CA instructions for a base-64 encoded PKCS#10 certificate request and upload your certificate request.
- Follow the CA instructions to download their root certificate and CRL.
When you receive the signed server certificate from the CA, install the certificate on the FortiGate unit.
To install or import the signed server certificate – web-based manager
- On the FortiGate unit, go to System > Certificates and select Import > Local Certificates.
- From Type, select Local Certificate.
- Select Browse, browse to the location on the management computer where the certificate was saved, select the certificate, and then select Open.
- Select OK, and then select Return.
Installing a CA root certificate and CRL to authenticate remote clients
When you apply for a signed personal or group certificate to install on remote clients, you can obtain the corresponding root certificate and CRL from the issuing CA. When you receive the signed personal or group certificate, install the signed certificate on the remote client(s) according to the browser documentation. Install the corresponding root certificate (and CRL) from the issuing CA on the FortiGate unit according to the procedures given below.
To install a CA root certificate
- After you download the root certificate of the CA, save the certificate on the management computer. Or, you can use online SCEP to retrieve the certificate.
- On the FortiGate unit, go to System > Certificates and select Import > CA Certificates.
- Do one of the following:
- To import using SCEP, select SCEP. Enter the URL of the SCEP server from which to retrieve the CA certificate. Optionally, enter identifying information of the CA, such as the filename.
- To import from a file, select Local PC, then select Browse and find the location on the management computer where the certificate has been saved. Select the certificate, and then select Open.
- Select OK, and then select Return.
The system assigns a unique name to each CA certificate. The names are numbered consecutively (CA_Cert_1, CA_Cert_2, CA_Cert_3, and so on).
To import a certificate revocation list
A Certificate Revocation List (CRL) is a signed list, issued by a CA, of the certificates it has revoked before their expiry date. Each entry gives the serial number of the revoked certificate, the date of revocation and, optionally, the reason for revocation. The CRL also carries the issuing CA's name and signature, the date it was issued and the date by which the next one is due.
Troubleshooting
When configured for SSL VPN, the FortiGate unit uses the CRL to check that the certificates presented by remote peers or clients, and the CA certificate itself, have not been revoked. A CRL carries an effective date (thisUpdate) and a next update date (nextUpdate); for a Microsoft CA the interval between them is typically 7 days. FortiOS refreshes the CRL automatically, and the CLI also lets you set an update-interval in seconds. A value of 24 hours (86400 seconds) is a reasonable starting point, but the interval should follow your organization's security policy and should be shorter than the interval between the CA's CRL publications, so that the unit never relies on a CRL that is past its next update date.
- After you download the CRL from the CA web site, save the CRL on the management computer.
- Go to System > Certificates and select Import > CRL.
- Do one of the following:
- To import using an HTTP server, select HTTP and enter the URL of the HTTP server.
- To import using an LDAP server, see this KB article.
- To import using an SCEP server, select SCEP and select the Local Certificate from the list. Enter the URL of the SCEP server from which the CRL can be retrieved.
- To import from a file, select Local PC, then select Browse and find the location on the management computer where the CRL has been saved. Select the CRL and then select Open.
- Select OK, and then select Return.
To import a PKCS12 certificate from the CLI
The following CLI syntax imports a local certificate file from a TFTP server. The file type is cer (a certificate only; press Enter in place of the password) or p12 (a PKCS#12 bundle containing the certificate and its private key, protected by the password given as the last argument):
execute vpn certificate local import tftp <file name> <tftp ip address> <file type> <Enter for 'cer'>|<password for 'p12'>
For example:
execute vpn certificate local import tftp FGTF-extern.p12 10.1.100.253 p12 123456
ExtendedKeyUsage for x.509 certificates
Per the Network Device Collaborative Protection Profile (NDcPP) v1.0 requirements, the server certificate used for the TLS connection between FortiGate and FortiAnalyzer must carry both the Server Authentication (serverAuth) and Client Authentication (clientAuth) extendedKeyUsage values when the unit operates in FIPS/CC mode.
The following CLI command is available under log fortianalyzer setting to allow you to specify the certificate used to communicate with FortiAnalyzer.
CLI syntax
config log fortianalyzer setting
    set certificate <name>
end
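As an added example that serves both the CRL section above and this extendedKeyUsage requirement (it is not FortiOS code; it was written for this page with Go's standard library), the following program builds a hypothetical lab CA, issues three peer certificates and a CRL, and then verifies each peer the way a TLS endpoint should: both EKUs present, chain to the trusted CA, CRL signed by that CA and inside its effective/next-update window, serial not listed. Every name, serial number and date in it is invented.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"slices"
	"time"
)

// labPKI is a hypothetical in-memory PKI (one CA, three peer certificates, one CRL); every name and serial is invented.
type labPKI struct {
	caCert, good, revoked, serverOnly *x509.Certificate
	crlDER                            []byte
}

var bothEKU = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth} // the NDcPP pair from the text

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func buildLabPKI(now time.Time) *labPKI {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Lab Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // cRLSign is needed to sign CRLs
	}
	caDER := must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))
	caCert := must(x509.ParseCertificate(caDER)) // the parsed copy carries the SubjectKeyId that CreateRevocationList needs
	issue := func(serial int64, cn string, eku []x509.ExtKeyUsage) *x509.Certificate {
		tmpl := &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(90 * 24 * time.Hour),
			KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: eku,
		}
		leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
		return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, caCert, &leafKey.PublicKey, caKey))))
	}
	crl := &x509.RevocationList{
		Number:     big.NewInt(1),
		ThisUpdate: now,                         // the CRL's "effective date"
		NextUpdate: now.Add(7 * 24 * time.Hour), // its "next update": 7 days, as is typical for a Microsoft CA
		RevokedCertificateEntries: []x509.RevocationListEntry{ // reason code 1 = keyCompromise (RFC 5280 section 5.3.1)
			{SerialNumber: big.NewInt(3), RevocationTime: now.Add(-30 * time.Minute), ReasonCode: 1}},
	}
	return &labPKI{caCert: caCert, crlDER: must(x509.CreateRevocationList(rand.Reader, crl, caCert, caKey)),
		good:       issue(2, "peer-ok.lab.test", bothEKU),
		revoked:    issue(3, "peer-revoked.lab.test", bothEKU), // serial 3 is the one listed in the CRL
		serverOnly: issue(4, "peer-serveronly.lab.test", bothEKU[:1]),
	}
}

// verifyPeer applies the checks a TLS endpoint should, in order: required EKUs, chain to the trusted CA,
// then revocation. The CRL counts only if the CA signed it and "now" lies inside its effective/next-update
// window; a stale CRL is an error, never "nothing revoked".
func verifyPeer(pki *labPKI, cert *x509.Certificate, now time.Time) error {
	// VerifyOptions.KeyUsages is satisfied by any one listed EKU, so "both present" has to be checked explicitly.
	if !slices.Contains(cert.ExtKeyUsage, x509.ExtKeyUsageServerAuth) || !slices.Contains(cert.ExtKeyUsage, x509.ExtKeyUsageClientAuth) {
		return fmt.Errorf("%s lacks the serverAuth or clientAuth extendedKeyUsage", cert.Subject.CommonName)
	}
	roots := x509.NewCertPool()
	roots.AddCert(pki.caCert)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: bothEKU}); err != nil {
		return err
	}
	rl, err := x509.ParseRevocationList(pki.crlDER)
	if err != nil {
		return err
	}
	if err := rl.CheckSignatureFrom(pki.caCert); err != nil {
		return fmt.Errorf("CRL not signed by the trusted CA: %w", err)
	}
	if now.Before(rl.ThisUpdate) || now.After(rl.NextUpdate) {
		return fmt.Errorf("CRL outside its validity window %v .. %v; refresh it", rl.ThisUpdate, rl.NextUpdate)
	}
	for _, e := range rl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("serial %v revoked at %v (reason code %d)", cert.SerialNumber, e.RevocationTime, e.ReasonCode)
		}
	}
	return nil
}

func main() {
	now := time.Now()
	pki := buildLabPKI(now)
	fmt.Printf("good: %v\nrevoked: %v\nserver-only: %v\nstale CRL: %v\n", verifyPeer(pki, pki.good, now),
		verifyPeer(pki, pki.revoked, now), verifyPeer(pki, pki.serverOnly, now), verifyPeer(pki, pki.good, now.Add(8*24*time.Hour)))
}
```

The last case in main is the one the update-interval setting exists to prevent: the same CRL evaluated eight days later is past its next update date and is rejected outright rather than being read as "nothing revoked". On a real deployment the CRL bytes come from the CA over HTTP, SCEP or LDAP as described in the import procedure, and the CA certificate is the one imported under CA Certificates.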