Fortinet black logo

Administration Guide

Local CAs

Local CAs

The FortiAuthenticator device can act as a self-signed, or local, CA.

To view the certificate information, go to Certificate Management > Certificate Authorities > Local CAs.

The following information in shown:

Create New Create a new CA certificate.
Import Import a CA certificate. See Importing CA certificates and signing requests.
Revoke Revoke the selected CA certificate.
Delete Delete the selected CA certificate.
Export Certificate Save the selected CA certificate to your computer.
Export Key and Cert Save the selected intermediate CA certificate and private key to your computer.
Search Enter a search term in the search field, then press Enter to search the CA certificate list. The search will return certificates that match either the subject or issuer.
Filter Select to filter the displayed CAs by status. The available selections are: All, Pending, Expired, Revoked, and Active.
Certificate ID The CA certificate ID.
Subject The CA certificate subject.
Issuer The issuer of the CA certificate.
Status The status of the CA certificate.
CA Type The CA type of the CA certificate.
To create a CA certificate:
  1. From the local CA certificate list, select Create New. The Create New Local CA Certificate window opens.
  2. Enter the following information:
    Certificate IDEnter a unique ID for the CA certificate.
    Certificate Authority Type
    Certificate type

    Select one of the following options:

    • Root CA certificate: A self-signed CA certificate.
    • Intermediate CA certificate: A CA certificate that refers to a different root CA as the authority.
    • Intermediate CA certificate signing request (CSR)
    Certificate authority

    Select one of the available CAs from the dropdown menu.

    This field is only available when the certificate type is Intermediate CA certificate.

    Use netHSM

    Select one of the available NetHSMs from the dropdown menu. See NetHSMs.

    This field is only available when the certificate type is Root CA.

    Subject Information
    Subject input methodSelect the subject input method, either Fully distinguished name or Field-by-field.
    Subject DN

    If the subject input method is Fully distinguished name, enter the full distinguished name of the subject. There should be no spaces between attributes.

    Valid DN attributes are DC, C, ST, L, O, OU, CN, and emailAddress. They are case-sensitive.

    Name (CN)

    If the subject input method is Field-by-field, enter the subject name in the Name (CN) field, and optionally enter the following fields:

    • Department (OU)
    • Company (O)
    • City (L)
    • State/Province (ST)
    • Country (C) (select from dropdown menu)
    • Email address
    Key and Signing Options
    Validity period

    Select the amount of time before this certificate expires.

    Select Set length of time to enter a specific number of days, or select Set an expiry date and enter the specific date on which the certificate expires.

    This option is not available when the certificate type is set to Intermediate CA certificate signing request (CSR).

    Key typeThe key type is set to RSA.
    Key sizeSelect the key size from the dropdown menu: 1024, 2048 (set by default), or 4096 bits.
    Hash algorithm Select the hash algorithm from the dropdown menu, either SHA-256 (set by default) or SHA-1.
    Subject Alternative Name

    SANs allow you to protect multiple host names with a single SSL certificate. SAN is part of the X.509 certificate standard.

    This section is not available when the certificate type is Intermediate CA certificate signing request (CSR).

    EmailEnter the email address of a user to map to this certificate.
    User Principal Name (UPN)Enter the UPN used to find the user’s account in Microsoft Active Directory. This will map the certificate to this specific user. The UPN is unique for the Windows Server domain. This is a form of one-to-one mapping.
    Advanced Options: Key Usages

    Some certificates require the explicit presence of extended key usage attributes before the certificate can be accepted for use.

    For detailed information about these attributes, see End entities.

    Key Usages
    • Digital Signature
    • Non Repudiation
    • Key Encipherment
    • Data Encipherment
    • Key Agreement
    • Certificate Sign
    • CRL Sign
    • Encipher Only
    • Decipher Only
    Extended Key Usages
    • Server Authentication
    • Client Authentication
    • Code Signing
    • Secure Email
    • OCSP Signing
    • IPSec End System
    • IPSec Tunnel Termination
    • IPSec User
    • IPSec IKE Intermediate (end entity)
    • Time Stamping
    • Microsoft Individual Code Signing
    • Microsoft Commercial Code Signing
    • Microsoft Trust List Signing
    • Microsoft Server Gated Crypto
    • Netscape Server Gated Crypto
    • Microsoft Encrypted File System
    • Microsoft EFS File Recovery
    • Smart Card Logon
    • EAP over PPP
    • EAP over LAN
    • KDC Authentication

    Other Extensions

    Specify an OCSP and/or CRL distribution URL.

    Other Extensions options are only available for Intermediate CA certificates.

    Add CRL Distribution Points extension

    Select to add a CRL Distribution Points extension to the certificate.

    Once a certificate is issued with this extension, the server must be able to handle the CRL request at the specified location.

    A fully qualified domain name (FQDN) must be configured. The FQDN can be added or configured by clicking Edit device FQDN.

    Add OCSP Responder URL

    Select to add an Online Certificate Status Protocol (OCSP) responder URL to obtain the revocation status of a certificate.

    A fully qualified domain name (FQDN) must be configured. The FQDN can be added or configured by clicking Edit device FQDN.

    Certificate Revocation List (CRL)Determine the certificate's lifetime before the CA certificate is revoked.
    LifetimeEnter the lifetime of the certificate in days, between 1-365 (maximum of one year). The default is 30.
    Re-generate everyEnter how often the certificate will regenerate.
  3. Select OK to create the new CA certificate.

Importing CA certificates and signing requests

Five options are available when importing a certificate or signing request: PKCS12 Certificate, Certificate and Private Key, CSR to sign, Local certificate, and NetHSM certificate.

To import a PKCS12 certificate:
  1. From the local CA certificate list, select Import. The Import Signing Request or Local CA Certificate window opens.
  2. Select PKCS12 Certificate in the type field.
  3. Enter the following:
    Certificate IDEnter a unique ID for the certificate.
    PKCS12 certificate file (.p12)Select Choose File to locate the certificate file on your computer.
    PassphraseEnter the certificate passphrase.
    Initial Serial NumberSelect the serial number radix, either Decimal or Hex, and enter the initial serial number in the Initial serial number field.
  4. Select OK to import the certificate.
To import a certificate with a private key:
  1. From the local CA certificate list, select Import. The Import Signing Request or Local CA Certificate window opens.
  2. Select Certificate and Private Key in the type field.
  3. Enter the following:
    Certificate IDEnter a unique ID for the certificate.
    Certificate file (.cer)Select Choose File to locate the certificate file on your computer.
    Private key fileSelect Choose File to locate the private key file on your computer.
    PassphraseEnter the certificate passphrase.
    Initial Serial NumberSelect the serial number radix, either Decimal or Hex, and enter the initial serial number in the Initial serial number field.
  4. Select OK to import the certificate.
To import a CSR to sign:
  1. From the local CA certificate list, select Import. The Import Signing Request or Local CA Certificate window opens.
  2. Select CSR to sign in the type field.
  3. Enter the following:
    Certificate ID Enter a unique ID for the certificate.
    CSR file (.csr, .req)Select Choose File to locate the CSR file on your computer.
    Certificate Signing Options
    Certificate authoritySelect one of the available CAs from the dropdown menu.
    Validity period

    Select the amount of time before this certificate expires.

    Select Set length of time to enter a specific number of days, or select Set an expiry date and enter the specific date on which the certificate expires.

    Hash algorithmSelect the hash algorithm from the dropdown menu, either SHA-256 or SHA-1.
    Subject Alternative Name

    SANs allow you to protect multiple host names with a single SSL certificate. SAN is part of the X.509 certificate standard.

    EmailEnter the email address of a user to map to this certificate.
    User Principal Name (UPN)Enter the UPN used to find the user’s account in Microsoft Active Directory. This will map the certificate to this specific user. The UPN is unique for the Windows Server domain. This is a form of one-to-one mapping.
    Advanced Options: Key Usages

    Some certificates require the explicit presence of extended key usage attributes before the certificate can be accepted for use.

    For detailed information about these attributes, see End entities.

  4. Select OK to import the CSR.
To import a local CA certificate:
  1. From the local CA certificate list, select Import. The Import Signing Request or Local CA Certificate window opens.
  2. Select Local certificate in the type field.
  3. Select Upload a file to locate the certificate file on your computer.
  4. Select OK to import the local CA certificate.
To import a NetHSM certificate:
  1. From the local CA certificate list, select Import. The Import Signing Request or Local CA Certificate window opens.
  2. Select NetHSM certificate in the type field.
  3. Select Upload a file to locate the certificate file on your computer.
  4. Select the previously configured NetHSM. See NetHSMs.
  5. Select OK to import the local CA certificate.

Local CAs

The FortiAuthenticator device can act as a self-signed, or local, CA.

To view the certificate information, go to Certificate Management > Certificate Authorities > Local CAs.

The following information in shown:

Create New Create a new CA certificate.
Import Import a CA certificate. See Importing CA certificates and signing requests.
Revoke Revoke the selected CA certificate.
Delete Delete the selected CA certificate.
Export Certificate Save the selected CA certificate to your computer.
Export Key and Cert Save the selected intermediate CA certificate and private key to your computer.
Search Enter a search term in the search field, then press Enter to search the CA certificate list. The search will return certificates that match either the subject or issuer.
Filter Select to filter the displayed CAs by status. The available selections are: All, Pending, Expired, Revoked, and Active.
Certificate ID The CA certificate ID.
Subject The CA certificate subject.
Issuer The issuer of the CA certificate.
Status The status of the CA certificate.
CA Type The CA type of the CA certificate.
To create a CA certificate:
  1. From the local CA certificate list, select Create New. The Create New Local CA Certificate window opens.
  2. Enter the following information:
    Certificate IDEnter a unique ID for the CA certificate.
    Certificate Authority Type
    Certificate type

    Select one of the following options:

    • Root CA certificate: A self-signed CA certificate.
    • Intermediate CA certificate: A CA certificate that refers to a different root CA as the authority.
    • Intermediate CA certificate signing request (CSR)
    Certificate authority

    Select one of the available CAs from the dropdown menu.

    This field is only available when the certificate type is Intermediate CA certificate.

    Use netHSM

    Select one of the available NetHSMs from the dropdown menu. See NetHSMs.

    This field is only available when the certificate type is Root CA.

    Subject Information
    Subject input methodSelect the subject input method, either Fully distinguished name or Field-by-field.
    Subject DN

    If the subject input method is Fully distinguished name, enter the full distinguished name of the subject. There should be no spaces between attributes.

    Valid DN attributes are DC, C, ST, L, O, OU, CN, and emailAddress. They are case-sensitive.

    Name (CN)

    If the subject input method is Field-by-field, enter the subject name in the Name (CN) field, and optionally enter the following fields:

    • Department (OU)
    • Company (O)
    • City (L)
    • State/Province (ST)
    • Country (C) (select from dropdown menu)
    • Email address
    Key and Signing Options
    Validity period

    Select the amount of time before this certificate expires.

    Select Set length of time to enter a specific number of days, or select Set an expiry date and enter the specific date on which the certificate expires.

    This option is not available when the certificate type is set to Intermediate CA certificate signing request (CSR).

    Key typeThe key type is set to RSA.
    Key sizeSelect the key size from the dropdown menu: 1024, 2048 (set by default), or 4096 bits.
    Hash algorithm Select the hash algorithm from the dropdown menu, either SHA-256 (set by default) or SHA-1.
    Subject Alternative Name

    SANs allow you to protect multiple host names with a single SSL certificate. SAN is part of the X.509 certificate standard.

    This section is not available when the certificate type is Intermediate CA certificate signing request (CSR).

    EmailEnter the email address of a user to map to this certificate.
    User Principal Name (UPN)Enter the UPN used to find the user’s account in Microsoft Active Directory. This will map the certificate to this specific user. The UPN is unique for the Windows Server domain. This is a form of one-to-one mapping.
    Advanced Options: Key Usages

    Some certificates require the explicit presence of extended key usage attributes before the certificate can be accepted for use.

    For detailed information about these attributes, see End entities.

    Key Usages
    • Digital Signature
    • Non Repudiation
    • Key Encipherment
    • Data Encipherment
    • Key Agreement
    • Certificate Sign
    • CRL Sign
    • Encipher Only
    • Decipher Only
    Extended Key Usages
    • Server Authentication
    • Client Authentication
    • Code Signing
    • Secure Email
    • OCSP Signing
    • IPSec End System
    • IPSec Tunnel Termination
    • IPSec User
    • IPSec IKE Intermediate (end entity)
    • Time Stamping
    • Microsoft Individual Code Signing
    • Microsoft Commercial Code Signing
    • Microsoft Trust List Signing
    • Microsoft Server Gated Crypto
    • Netscape Server Gated Crypto
    • Microsoft Encrypted File System
    • Microsoft EFS File Recovery
    • Smart Card Logon
    • EAP over PPP
    • EAP over LAN
    • KDC Authentication

    Other Extensions

    Specify an OCSP and/or CRL distribution URL.

    Other Extensions options are only available for Intermediate CA certificates.

    Add CRL Distribution Points extension

    Select to add a CRL Distribution Points extension to the certificate.

    Once a certificate is issued with this extension, the server must be able to handle the CRL request at the specified location.

    A fully qualified domain name (FQDN) must be configured. The FQDN can be added or configured by clicking Edit device FQDN.

    Add OCSP Responder URL

    Select to add an Online Certificate Status Protocol (OCSP) responder URL to obtain the revocation status of a certificate.

    A fully qualified domain name (FQDN) must be configured. The FQDN can be added or configured by clicking Edit device FQDN.

    Certificate Revocation List (CRL)Determine the certificate's lifetime before the CA certificate is revoked.
    LifetimeEnter the lifetime of the certificate in days, between 1-365 (maximum of one year). The default is 30.
    Re-generate everyEnter how often the certificate will regenerate.
  3. Select OK to create the new CA certificate.

Importing CA certificates and signing requests

Five options are available when importing a certificate or signing request: PKCS12 Certificate, Certificate and Private Key, CSR to sign, Local certificate, and NetHSM certificate.

To import a PKCS12 certificate:
  1. From the local CA certificate list, select Import. The Import Signing Request or Local CA Certificate window opens.
  2. Select PKCS12 Certificate in the type field.
  3. Enter the following:
    Certificate IDEnter a unique ID for the certificate.
    PKCS12 certificate file (.p12)Select Choose File to locate the certificate file on your computer.
    PassphraseEnter the certificate passphrase.
    Initial Serial NumberSelect the serial number radix, either Decimal or Hex, and enter the initial serial number in the Initial serial number field.
  4. Select OK to import the certificate.
To import a certificate with a private key:
  1. From the local CA certificate list, select Import. The Import Signing Request or Local CA Certificate window opens.
  2. Select Certificate and Private Key in the type field.
  3. Enter the following:
    Certificate IDEnter a unique ID for the certificate.
    Certificate file (.cer)Select Choose File to locate the certificate file on your computer.
    Private key fileSelect Choose File to locate the private key file on your computer.
    PassphraseEnter the certificate passphrase.
    Initial Serial NumberSelect the serial number radix, either Decimal or Hex, and enter the initial serial number in the Initial serial number field.
  4. Select OK to import the certificate.
To import a CSR to sign:
  1. From the local CA certificate list, select Import. The Import Signing Request or Local CA Certificate window opens.
  2. Select CSR to sign in the type field.
  3. Enter the following:
    Certificate ID Enter a unique ID for the certificate.
    CSR file (.csr, .req)Select Choose File to locate the CSR file on your computer.
    Certificate Signing Options
    Certificate authoritySelect one of the available CAs from the dropdown menu.
    Validity period

    Select the amount of time before this certificate expires.

    Select Set length of time to enter a specific number of days, or select Set an expiry date and enter the specific date on which the certificate expires.

    Hash algorithmSelect the hash algorithm from the dropdown menu, either SHA-256 or SHA-1.
    Subject Alternative Name

    SANs allow you to protect multiple host names with a single SSL certificate. SAN is part of the X.509 certificate standard.

    EmailEnter the email address of a user to map to this certificate.
    User Principal Name (UPN)Enter the UPN used to find the user’s account in Microsoft Active Directory. This will map the certificate to this specific user. The UPN is unique for the Windows Server domain. This is a form of one-to-one mapping.
    Advanced Options: Key Usages

    Some certificates require the explicit presence of extended key usage attributes before the certificate can be accepted for use.

    For detailed information about these attributes, see End entities.

  4. Select OK to import the CSR.
To import a local CA certificate:
  1. From the local CA certificate list, select Import. The Import Signing Request or Local CA Certificate window opens.
  2. Select Local certificate in the type field.
  3. Select Upload a file to locate the certificate file on your computer.
  4. Select OK to import the local CA certificate.
To import a NetHSM certificate:
  1. From the local CA certificate list, select Import. The Import Signing Request or Local CA Certificate window opens.
  2. Select NetHSM certificate in the type field.
  3. Select Upload a file to locate the certificate file on your computer.
  4. Select the previously configured NetHSM. See NetHSMs.
  5. Select OK to import the local CA certificate.