FortiWLC – Security Certificates

Security Certificates

Certificates provide security assurance validated by a Certificate Authority (CA). This chapter describes how to obtain and use certificates. For a custom certificate to work properly, you must import not only the server certificate but the entire chain of trust, starting with the issuing certificate and continuing up to the Root CA (see Figure 46).

Server certificates are issued against a specific CSR (see Figure 45). Along with the server certificate, the CA should return the entire chain of trust (see Figure 46).

Figure 45: Sample CSR Sent to CA

Figure 46: Sample Certificates Returned by CA (Server, Intermediate, and Root)

Generate a CSR on a Controller

To create a Certificate Request, follow these steps from the controller that needs a certificate:

  1. Click Configuration > Certificates > Controller Certificates. The Controller Certificate window displays.
  2. Click Add. The Certificate Add window displays.
  3. Provide the requested information in this window.
  4. Click Apply.
  5. The CSR is generated and appears in a window.
  6. Either copy this Certificate PEM for pasting into a submittal form or click Save to save the CSR as a file.
  7. Click Close.
  8. Send the CSR to the certificate issuer to be processed. If the CA asks for the operating system type, select OpenSSL (if available) or Other.

The certificate entry now displays in the Server Certificates page under “Pending CSR.” When the signed certificate arrives and is imported, it is matched to this entry. Because the private key was generated on the controller and never leaves it, only the controller that requested the certificate can use it.

Generate a Wildcard Certificate

The SD supports wildcard certificates for the captive portal in both tunnel and bridge mode. To create a wildcard Certificate Request, follow these steps:

  1. Click Configuration > Certificates > Controller Certificates. The Controller Certificate window displays.
  2. Click Add. The Certificate Add window displays.
  3. Enter the details in the General section.
  4. Enter the Common Name as *.name in the Distinguished Name (DN) section, for example *.merunetworks.com.
  5. Click Apply.
  6. The CSR is generated and appears in a window.
  7. Either copy this Certificate PEM for pasting into a submittal form or click Save to save the CSR as a file.
  8. Click Close.
  9. Send the CSR to the certificate issuer to be processed. If the CA asks for the operating system type, select OpenSSL (if available) or Other.

The certificate entry now displays in the Server Certificates page under “Pending CSR.” When the signed certificate arrives and is imported, it is matched to this entry, so only the controller that generated the CSR (and holds the private key) can use it. Note that current browsers match the captive portal hostname against the Subject Alternative Name (SAN) entries of the certificate rather than the Common Name, so confirm with your CA that the wildcard name is also present as a DNS SAN in the issued certificate.

Import the Certificate

Remember that you MUST add the Root Certificate and ALL Intermediate Certificates in the chain of trust before you install the signed Server Certificate; if you don’t install them in that order, the import fails with an error.

To import a Trusted Root CA and the entire chain of trust that you receive from a CA, follow these steps:

  1. Click Configuration > Certificates > Trusted Root CA.
  2. Click Import.
  3. Browse to the Root CA file and select it.
  4. Click Open and give the certificate an appropriate alias name. Alternatively, open the certificate in any text editor and copy/paste the certificate’s PEM text into the “Certificate PEM” text area.
  5. Click Import. You should see a message indicating that the import was successful.
  6. Click OK > Close.
  7. Repeat steps 2 – 6 for each remaining certificate in the chain (the Root CA first, then each Intermediate). You should now see all CA certificates imported into the controller.
  8. Import the Server Certificate by clicking Configuration > Certificates > Controller Certificates > Pending CSR > Import.
  9. Browse to the server certificate, select it and click Import > Open > Import.
  10. Click OK > Close > Close.
  11. Restart the web server by navigating to Maintenance > Reboot System and checking the Reboot Controller box located towards the top of the window. Click Reboot to perform the action.

You are finished importing the certificates.

Assign a Server Certificate to an Application

Certificates can be used for security purposes (for example, RADIUS termination) as well as by the Captive Portal or Web Administration tools. To assign the Server Certificate:

  1. Select the certificate in the Controller Certificates table.
  2. Click Applications. The Applications dialog displays.

Figure 47: Applications to Use Certificate

  3. Use the drop-down menus provided to specify the certificate to be used for each desired application.
  4. Click Apply.
  5. Click Close.
  6. To ensure that the certificate is applied and activated correctly, use the reload-security command from the system’s CLI.

The Apache Web Server needs to be restarted after successfully assigning a certificate to be used by Captive Portal and/or Management Applications.

AP Certificates

VPN applications require a security certificate to be installed on both the AP and the controller before secure communication between the two can proceed. Follow the instructions provided in the following sections in order to properly set up an AP for VPN connectivity.

Some AP models come with the certificate pre-installed and therefore do not need one to be generated for them. If your AP already shows “Certificate Installed” in the VPN AP table (see “Adding VPN APs” on page 253), you do not need to go through this process.

Generating an AP CSR

Prior to installing an AP certificate, a Certificate Signing Request (CSR) specific to the desired AP must be generated via the FortiWLC (SD) WebUI. Perform the following steps to create and submit a CSR for a specific AP.

  1. From the WebUI, navigate to Configuration > Certificates > AP Certificates. The AP Certificates table appears.

Figure 48: AP Certificates Table

  2. Select the desired AP in the AP table and click Create CSR. The CSR dialog appears.

Figure 49: CSR Configuration

  3. In the resulting dialog, the “Valid Till” field specifies the duration of the certificate. Enter the number of days for which the certificate should be valid and click Apply.

The AP table will refresh a few times as the CSR generation proceeds. The “User Req Status” column displays its progress, from “CSR Generation in Progress” to “CSR Generated”. If the column doesn’t refresh, click Refresh.

  4. Once you see “CSR Generated”, you are ready to export the CSR so that it can be submitted to a Certificate Authority.

Exporting the CSR

After the CSR has been generated, it can be exported as an individual file so that it can be submitted to a Certificate Authority for signing.

  1. From the AP Certificates table, click the desired AP (if not already selected) and click Export.
  2. Download the resulting exported file to your local machine.
  3. Upload the exported file to your Certificate Authority server. The server should provide two files in return:
    • An AP certificate generated using the CSR
    • A Root CA certificate

If you have not already installed the Certificate Authority’s Trusted Root CA certificate on the system, do so by following the steps detailed in “Import the Certificate” on page 245 earlier in this chapter. Note that this must be done prior to installing the certificate on the AP.

Installing the AP Certificate

Once all the previous steps are completed, you are ready to install the certificate on the AP itself.

  1. From the AP Certificates table (Configuration > Certificates > AP Certificates), select the desired AP and click Import.
  2. In the resulting pop-up window, enter the certificate alias name in the field provided.
  3. Click Choose File and browse to the AP certificate provided by the Certificate Authority.
  4. Click Save. After a few seconds, a message displays stating “Certificate imported successfully” and the “Certificate Status” column will show “Cert Installed”. If these messages don’t seem to display properly, click Refresh to update the table.

The AP now has its certificate installed and is ready for use.

It is recommended that all AP certificates be installed on their APs prior to configuring and deploying them for VPN use. Once all certificates have been installed, refer to “Configuring the VPN” on page 252 for instructions.

 

Troubleshooting Certificates

The following errors can occur during the certificate process. Each entry lists the error message, why it appeared, and how to correct the problem.

Error: Certificate file is not a valid X.509 certificate
Why it appeared: The certificate file is corrupt or is not an X.509 certificate (PEM/DER) file.
How to correct: Navigate to a valid X.509 certificate file.

Error: Certificate has expired or not yet valid
Why it appeared: Certificates are valid for a specified number of days, between a Start Date (Valid From) and an End Date (Valid To). This certificate is not valid at this time.
How to correct: Make sure that the certificate’s Start Date (Valid From) to End Date (Valid To) range includes the current date. If the Start Date is in the future, wait until that time to import the certificate. If the certificate has expired, have another certificate issued by the CA.

Error: Certificate alias name already exists
Why it appeared: Another certificate with the same alias name has already been imported.
How to correct: Use a different alias name.

Error: Certificate already exists (with either the same alias name or a different alias name)
Why it appeared: The certificate has already been imported.
How to correct: Do nothing.

Error: Certificate Public key verification failed
Why it appeared: You selected an alias name that is different from the alias name of the CSR for this certificate, so the certificate’s public key does not match the key pair the controller generated for that CSR.
How to correct: Select the alias name that you used when creating the CSR for this certificate.

Error: Certificate’s Issuers verification failed
Why it appeared: The issuer certificates (the complete chain of trust) are not available in the Trusted Root CA list. The most common cause is that you tried to import an intermediate or server certificate first.
How to correct: Import the Trusted Root CA certificate and the rest of the chain of trust first, then import the Server Certificate.
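The import-order rule in “Import the Certificate”, the *.name Common Name required in “Generate a Wildcard Certificate”, and the errors in the table above can all be checked on an administrator’s workstation before anything is uploaded to the controller. The following bash script is an added example and is not part of the FortiWLC guide or product: it uses the OpenSSL command-line tool to confirm that the signed certificate carries the public key from the controller’s CSR, that it has not expired, that it chains through the intermediates to the root, and that a wildcard CSR carries a *.name Common Name. The file names (csr.pem, server.pem, intermediate.pem, root.pem) are hypothetical, and the make_sample_chain function builds a constructed throwaway root/intermediate/server chain so the script runs offline.

```bash
#!/usr/bin/env bash
# Pre-import checks for a FortiWLC controller certificate, run with the OpenSSL CLI on an
# administrator's workstation. Added example, not FortiWLC code. File names are hypothetical
# and paths must not contain spaces.

# Succeeds if the certificate's public key is the one in the CSR the controller generated.
# A mismatch is what the controller reports as "Certificate Public key verification failed".
cert_matches_csr() {
  local csr="$1" cert="$2" csr_fp cert_fp
  csr_fp=$(openssl req -in "$csr" -noout -pubkey | openssl pkey -pubin -outform DER | openssl sha256)
  cert_fp=$(openssl x509 -in "$cert" -noout -pubkey | openssl pkey -pubin -outform DER | openssl sha256)
  [ -n "$csr_fp" ] && [ "$csr_fp" = "$cert_fp" ]
}

# Succeeds if the certificate has not expired ("Certificate has expired or not yet valid").
# -checkend 0 tests only the end date; chain_verifies below also rejects a certificate
# whose start date is still in the future.
cert_not_expired() {
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# Succeeds if the server certificate chains to the root through the intermediates. Calling it
# without the intermediate file reproduces "Certificate's Issuers verification failed", the
# error the controller gives when the intermediates were not imported first.
chain_verifies() {
  local root="$1" cert="$2" inter="${3:-}"
  if [ -n "$inter" ]; then
    openssl verify -CAfile "$root" -untrusted "$inter" "$cert" >/dev/null 2>&1
  else
    openssl verify -CAfile "$root" "$cert" >/dev/null 2>&1
  fi
}

# Succeeds if the CSR's Common Name is a wildcard (*.name), as required for a wildcard
# captive-portal certificate. Matches both "CN = *.x" (OpenSSL 1.1/3) and "/CN=*.x" (1.0).
csr_has_wildcard_cn() {
  openssl req -in "$1" -noout -subject | grep -q 'CN *= *\*\.'
}

# Runs every check on one CSR/certificate set, prints PASS/FAIL per check,
# and returns 0 only if all of them pass.
preflight() {
  local csr="$1" cert="$2" inter="$3" root="$4" rc=0 check
  for check in "cert_matches_csr $csr $cert" \
               "cert_not_expired $cert" \
               "chain_verifies $root $cert $inter"; do
    if $check; then echo "PASS: $check"; else echo "FAIL: $check"; rc=1; fi
  done
  return "$rc"
}

# Constructed sample data: a throwaway root -> intermediate -> server chain plus the server
# CSR, standing in for the files the controller and the CA would produce.
make_sample_chain() {
  local d="$1"
  mkdir -p "$d"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$d/ca.ext"
  # Root CA: self-signed with CA:TRUE so openssl verify accepts it as a trust anchor.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Sample Root CA" \
    -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  # Intermediate CA: issued by the root.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Sample Intermediate CA" \
    -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -days 30 -extfile "$d/ca.ext" -out "$d/intermediate.pem" 2>/dev/null
  # Server CSR (what the controller would generate) and the certificate the CA returns for it.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=*.merunetworks.com" \
    -keyout "$d/server.key" -out "$d/csr.pem" 2>/dev/null
  openssl x509 -req -in "$d/csr.pem" -CA "$d/intermediate.pem" -CAkey "$d/inter.key" -CAcreateserial \
    -days 30 -out "$d/server.pem" 2>/dev/null
}

# Demo run on the constructed chain.
demo_dir=$(mktemp -d)
make_sample_chain "$demo_dir"
preflight "$demo_dir/csr.pem" "$demo_dir/server.pem" "$demo_dir/intermediate.pem" "$demo_dir/root.pem"
rm -rf "$demo_dir"
```

For real files, replace make_sample_chain with the CSR saved from the controller and the files the CA returned, and run preflight on them; a FAIL on chain_verifies with the intermediate supplied means the CA’s bundle is incomplete, while a FAIL only when it is omitted is the normal reminder to import the chain before the server certificate.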
This entry was posted in Administration Guides, FortiWLC.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
