Fortinet black logo

Handbook

Certificate-based authentication

6.0.0
Copy Link
Copy Doc ID 4afb0436-a998-11e9-81a4-00505692583a:943479
Download PDF

Certificate-based authentication

This section provides an overview of how the FortiGate unit verifies the identities of administrators, SSL VPN users, or IPsec VPN peers using X.509 security certificates.

The following topics are included in this section:

What is a security certificate?

A security certificate is a small text file that is part of a third-party generated public key infrastructure (PKI) to help guarantee the identity of both the user logging on and the web site they where they are logging in.

A certificate includes identifying information such as the company and location information for the web site, as well as the third-party company name, the expiry date of the certificate, and the public key.

FortiGate units use X.509 certificates to authenticate single sign-on (SSO) for users. The X.509 standard has been in use since before 2000, but has gained popularity with the Internet’s increased popularity. X.509 v3 is defined in RFC 5280 and specifies standard formats for public key certificates, certificate revocation lists, and a certification path validation algorithm. The unused earlier X.509 version 1 was defined in RFC 1422.

The main difference between X.509 and PGP certificates is that where in PGP anyone can sign a certificate, for X.509 only a trusted authority can sign certificates. This limits the source of certificates to well known and trustworthy sources. Where PGP is well suited for one-to-one communications, the X.509 infrastructure is intended to be used in many different situations including one-to-many communications. Some common filename extensions for X.509 certificates are listed below.

Common certificate filename extensions
Filetype Format name Description
.pem Privacy Enhanced Mail (PEM)

Base64 encoded DER certificate, that uses:

“-----BEGIN CERTIFICATE-----” and

“-----END CERTIFICATE-----”

.cer

.crt

.der

Security Certificate Usually binary DER form, but Base64-encoded certificates are common too.

.p7b

.p7c

Structure without data, just certificates or CRLs.

PKCS#7 is a standard for signing or encrypting (officially called “enveloping”) data.

.p12 PKCS#12 May contain certificate(s) (public) and private keys (password protected).
.pfx personal information exchange (PFX) Older format. Came before PKCS#12. Usually today data is in PKCS#12 format.

Certificates overview

Certificates play a major role in authentication of clients connecting to network services via HTTPS, both for administrators and SSL VPN users. Certificate authentication is optional for IPsec VPN peers.

This section includes:

note icon

Public CA certificates found on the FortiGate are provided through firmware upgrades and installations.

Certificates and protocols

There are a number of protocols that are commonly used with certificates including SSL and HTTPS, and other certificate-related protocols.

SSL and HTTPS

The secure HTTP (HTTPS) protocol uses SSL. Certificates are an integral part of SSL. When a web browser connects to the FortiGate unit via HTTPS, a certificate is used to verify the FortiGate unit’s identity to the client. Optionally, the FortiGate unit can require the client to authenticate itself in return.

By default, the FortiGate unit uses a self-signed security certificate to authenticate itself to HTTPS clients. When the certificate is offered, the client browser displays two security messages.

  • The first message prompts users to accept and optionally install the FortiGate unit’s self-signed security certificate. If the user does not accept the certificate, the FortiGate unit refuses the connection. When the user accepts the certificate, the FortiGate login page is displayed, and the credentials entered by the user are encrypted before they are sent to the FortiGate unit. If the user chooses to install the certificate, the prompt is not displayed again.
  • Just before the FortiGate login page is displayed, a second message informs users that the FortiGate certificate distinguished name differs from the original request. This message is displayed because the FortiGate unit redirects the connection (away from the distinguished name recorded in the self-signed certificate) and can be ignored.

Optionally, you can install an X.509 server certificate issued by a certificate authority (CA) on the FortiGate unit. You can then configure the FortiGate unit to identify itself using the server certificate instead of the self-signed certificate.

For more information, see the FortiOS Handbook SSL VPN guide.

After successful certificate authentication, communication between the client browser and the FortiGate unit is encrypted using SSL over the HTTPS link.

Certificate-related protocols

There are multiple protocols that are required for handling certificates. These include the Online Certificate Status Protocol (OCSP), Simple Certificate Enrollment Protocol (SCEP), Server-based Certificate Validation Protocol (SCVP), and Certificate Management Protocol (CMP).

Online Certificate Status Protocol

Online Certificate Status Protocol (OCSP) allows the verification of X.509 certificate expiration dates. This is important to prevent hackers from changing the expiry date on an old certificate to a future date.

Normally certificate revocation lists (CRLs) are used, but OCSP is an alternate method available. However a CRL is a public list, and some companies may want to avoid the public exposure of their certificate structure even if it is only invalid certificates.

The OSCP check on the certificate’s revocation status is typically carried out over HTTP with a request-response format. The authority responding can reply with a status of good, revoked, or unknown for the certificate in question.

Simple Certificate Enrollment Protocol

Simple Certificate Enrollment Protocol (SCEP) is an automated method of signing up for certificates. Typically this involves generating a request you send directly to the SCEP service, instead of generating a file request that may or may not be signed locally.

Server-based Certificate Validation Protocol

Server-based Certificate Validation Protocol (SCVP) is used to trace a certificate back to a valid root level certificate. This ensures that each step along the path is valid and trustworthy.

Certificate Management Protocol version 2

Certificate Management Protocol version 2 (CMPv2) is an enrollment and revocation protocol for certificates.

IPsec VPNs and certificates

Certificate authentication is a more secure alternative to pre-shared key (shared secret) authentication for IPsec VPN peers. Unlike administrators or SSL VPN users, IPsec peers use HTTP to connect to the VPN gateway configured on the FortiGate unit. The VPN gateway configuration can require certificate authentication before it permits an IPsec tunnel to be established. See Authenticating IPsec VPN users with security certificates .

Certificate types on the FortiGate unit

There are different types of certificates available that vary depending on their intended use. FortiOS supports local, remote, CA, and CRL certificates.

Local certificates

Local certificates are issued for a specific server, or web site. Generally they are very specific, and often for an internal enterprise network. For example a personal web site for John Smith at www.example.com (such as http://www.example.com/home/jsmith) would have its own local certificate.

These can optionally be just the certificate file, or also include a private key file and PEM passphrase for added security.

For information about generating a certificate request, see Generating a certificate signing request. For information about installing a local certificate, see Obtaining and installing a signed server certificate from an external CA

Remote certificates

Remote certificates are public certificates without a private key. For dynamic certificate revocation, you need to use an Online Certificate Status Protocol (OCSP) server. The OCSP is configured in the CLI only. Installed Remote (OCSP) certificates are displayed in the Remote Certificates list. You can select Import to install a certificate from the management PC.

CA root certificates

CA root certificates are similar to local certificates, however they apply to a broader range of addresses or to whole company; they are one step higher up in the organizational chain. Using the local certificate example, a CA root certificate would be issued for all of www.example.com instead of just the smaller single web page.

Certificate revocation list

Certificate revocation list (CRL) is a list of certificates that have been revoked and are no longer usable. This list includes certificates that have expired, been stolen, or otherwise compromised. If your certificate is on this list, it will not be accepted. CRLs are maintained by the CA that issues the certificates and includes the date and time when the next CRL will be issued as well as a sequence number to help ensure you have the most current version of the CRL.

Certificate signing

The trust in a certificate comes from the authority that signs it. For example if VeriSign signs your CA root certificate, it is trusted by everyone. While these certificates are universally accepted, it is cumbersome and expensive to have all certificates on a corporate network signed with this level of trust.

With self-signed certificates nobody, except the other end of your communication, knows who you are and therefore they do not trust you as an authority. However this level is useful for encryption between two points — neither point may care about who signed the certificate, just that it allows both points to communicate. This is very useful for internal networks and communications.

A general rule is that CA signed certificates are accepted and sometimes required, but it is easier to self-sign certificates when you are able.

For more on the methods of certificate signing see Generating a certificate signing request.

BIOS certificate compatibility

FortiOS supports backwards compatibility between BIOS version 4 and BIOS version 3.

BIOS V4 certificates:
  • Fortinet_CA
  • Fortinet_Sub_CA
  • Fortinet_Factory
BIOS V3 certificates:
  • Fortinet_CA_Backup
  • Fortinet_Factory_Backup

When FortiOS connects to FortiGuard, FortiCloud, FortiManager, FortiAnalyzer, FortiSandbox as a client, the BIOS certificate Fortinet_Factory will be the default client certificate. When the server returns its certificate (chain) back, FortiOS looks up the issuer of the server certificate and either keeps client certificate as is or switches to the BIOS certificate Fortinet_Factory_Backup. This process occurs in one handshake.

When FortiOS connects to FortiCare, the BIOS certificate Fortinet_Factory is the only client certificate and Server Name Indication (SNI) is set. There is no switchover of certificate during SSL handshake.

When FortiOS acts as a server when connected by FortiExtender, FortiSwitch, FortiAP, etc., Fortinet_Factory is the default server certificate. FortiOS detects SNI in client hello, and if no SNI is found or if the CN in SNI is different from the CN of Fortinet_CA, it switches to use the Fortinet_Factory_Backup.

Managing X.509 certificates

Managing security certificates is required due to the number of steps involved in both having a certificate request signed, and then distributing the correct files for use.

You use the FortiGate unit or CA software such as OpenSSL to generate a certificate request. That request is a text file that you send to the CA for verification, or alternately you use CA software to self-validate. Once validated, the certificate file is generated and must be imported to the FortiGate unit before it can be used. These steps are explained in more detail later in this section.

This section provides procedures for generating certificate requests, installing signed server certificates, and importing CA root certificates and CRLs to the FortiGate unit.

For information about how to install root certificates, CRLs, and personal or group certificates on a remote client browser, refer to your browser’s documentation.

note icon

As a requirement of Network Device Collaborative Protection Profile (NDcPP), FortiOS supports and handles the use of wildcards for the following certificate reference parameters:

  • Subject Alternative Name (SAN)
  • Common Name (CN)

This section includes:

Generating a certificate signing request

Whether you create certificates locally with a software application or obtain them from an external certificate service, you will need to generate a certificate signing request (CSR).

When you generate a CSR, a private and public key pair is created for the FortiGate unit. The generated request includes the public key of the FortiGate unit and information such as the FortiGate unit’s public static IP address, domain name, or email address. The FortiGate unit’s private key remains confidential on the FortiGate unit.

After you submit the request to a CA, the CA will verify the information and register the contact information on a digital certificate that contains a serial number, an expiration date, and the public key of the CA. The CA will then sign the certificate, and you install the certificate on the FortiGate unit.

The Certificate Request Standard is a public key cryptography standard (PKCS) published by RSA, specifically PKCS10 which defines the format for CSRs. This is defined in RFC 2986.

To generate a certificate request in FortiOS - GUI:
  1. Go to System > Certificates.
  2. Select Generate.
  3. In the Certificate Name field, enter a unique meaningful name for the certificate request. Typically, this would be the hostname or serial number of the FortiGate unit or the domain of the FortiGate unit such as example.com.
  4. note icon Do not include spaces in the certificate name. This will ensure compatibility of a signed certificate as a PKCS12 file to be exported later on if required.
    note icon

    Prior to FortiOS 5.4, passwords for local certificates that were generated via either SCEP or CLI could not have their passwords reset. Passwords can be set in the CLI using the following command:

    config vpn certificate local

    edit <name>

    set password <password>

    next

    end

  5. Enter values in the Subject Information area to identify the FortiGate unit:
    • If the FortiGate unit has a static IP address, select Host IPand enter the public IP address of the FortiGate unit. If the FortiGate unit does not have a public IP address, use an email address (or fully qualified domain name (FQDN) if available) instead.
    • If the FortiGate unit has a dynamic IP address and subscribes to a dynamic DNS service, use a FQDN if available to identify the FortiGate unit. If you select Domain Name, enter the FQDN of the FortiGate unit. Do not include the protocol specification (http://) or any port number or path names.
    note iconIf a domain name is not available and the FortiGate unit subscribes to a dynamic DNS service, an “unable to verify certificate” type message may be displayed in the user’s browser whenever the public IP address of the FortiGate unit changes.
    • If you select E-Mail, enter the email address of the owner of the FortiGate unit.
  6. Enter values in the Optional Information area to further identify the FortiGate unit.
  7. Organization Unit Name of your department. You can enter a series of OUs up to a maximum of 5. To add or remove an OU, use the plus (+) or minus (-) icon.
    Organization Legal name of your company or organization.
    Locality (City) Name of the city or town where the FortiGate unit is installed.
    State/Province Name of the state or province where the FortiGate unit is installed.
    Country Select the country where the FortiGate unit is installed.
    e-mail Contact email address.
    Subject Alternative Name

    Optionally, enter one or more alternative names for which the certificate is also valid. Separate names with a comma. A name can be:

    • e-mail address
    • IP address
    • URI
    • DNS name (alternatives to the Common Name)
    • directory name (alternatives to the Distinguished Name)

    You must precede the name with the name type. Examples:

    IP:1.1.1.1

    email:test@fortinet.com

    email:my@other.address

    URI:http://my.url.here/

    Password for private key Option to export local certificate and its private key in password protected p12.
  8. From the Key Type list, select RSA or Elliptic Curve.
  9. From the Key Size list, select 1024 Bit, 1536 Bit, 2048 Bit, 4096 Bit or secp256r1, secp384r1, secp521r1 respectively. Larger keys are slower to generate but more secure.
  10. In Enrollment Method, you have two methods to choose from. Select File Based to generate the certificate request, or Online SCEP to obtain a signed SCEP-based certificate automatically over the network. For the SCEP method, enter the URL of the SCEP server from which to retrieve the CA certificate, and the CA server challenge password.
  11. Select OK.
  12. The request is generated and displayed in the Local Certificates list with a status of PENDING.
  13. Select the Download button to download the request to the management computer.
  14. In the File Download dialog box, select Save and save the Certificate Signing Request on the local file system of the management computer.
  15. Name the file and save it on the local file system of the management computer.

The certificate request is ready for the certificate authority to be signed.

Generating certificates with CA software

CA software allows you to generate unmanaged certificates and CA certificates for managing other certificates locally without using an external CA service. Examples of CA software include ssl-ca from OpenSSL (available for Linux, Windows, and Mac) or gensslcert from SuSE, MS Windows Server 2000 and 2003 come with a CA as part of their certificate services, and in MS Windows 2008 CA software can be installed as part of the Active Directory installation. See Example — Generate and Import CA certificate with private key pair on OpenSSL.

The general steps for generating certificates with CA software are

  1. Install the CA software as a stand-alone root CA.
  2. Provide identifying information for your self-administered CA.

While following these steps, the methods vary slightly when generating server certificates, CA certificates, and PKI certificates.

Server certificate

  1. Generate a Certificate Signing Request (CSR) on the FortiGate unit.
  2. Copy the CSR base-64 encoded text (PKCS10 or PKCS7) into the CA software and generate the certificate.
    PKCS10 is the format used to send the certificate request to the signing authority. PKCS7 is the format the signing authority can use for the newly signed certificate.
  3. Export the certificate as a X.509 DER encoded binary file with .CER extension
  4. Upload the certificate file to the FortiGate unit Local Certificates page (type is Certificate).

CA certificate

  1. Retrieve the CA Certificate from the CA software as a DER encoded file.
  2. Import the CA certificate file to the FortiGate unit at System > Certificates and select Import > Certificates.

PKI certificate

  1. Generate a Certificate Signing Request (CSR) on the FortiGate unit.
  2. Copy the CSR base-64 encoded text (PKCS#10 or PKCS#7) into the CA software and generate the certificate.
    PKCS10 is the format used to send the certificate request to the signing authority. PKCS7 is the format the signing authority can use for the newly signed certificate.
  3. Export the certificate as a X.509 DER encoded binary file with .CER extension.
  4. Install the certificate in the user’s web browser or IPsec VPN client as needed.

Obtaining and installing a signed server certificate from an external CA

To obtain a signed server certificate for a FortiGate unit, you must send a request to a CA that provides digital certificates that adhere to the X.509 standard. The FortiGate unit provides a way for you to generate the request.

To submit the certificate signing request (file-based enrollment):
  1. Using the web browser on the management computer, browse to the CA web site.
  2. Follow the CA instructions for a base-64 encoded PKCS#10 certificate request and upload your certificate request.
  3. Follow the CA instructions to download their root certificate and CRL.
    When you receive the signed server certificate from the CA, install the certificate on the FortiGate unit.
To install or import the signed server certificate - GUI
  1. On the FortiGate unit, go to System > Certificates and select Import > Local Certificates.
  2. From Type, select Local Certificate.
  3. Select Browse, browse to the location on the management computer where the certificate was saved, select the certificate, and then select Open.
  4. Select OK, and then select Return.

Installing a CA root certificate and CRL to authenticate remote clients

When you apply for a signed personal or group certificate to install on remote clients, you can obtain the corresponding root certificate and CRL from the issuing CA. When you receive the signed personal or group certificate, install the signed certificate on the remote client(s) according to the browser documentation. Install the corresponding root certificate (and CRL) from the issuing CA on the FortiGate unit according to the procedures given below.

To install a CA root certificate
  1. After you download the root certificate of the CA, save the certificate on the management computer. Or, you can use online SCEP to retrieve the certificate.
  2. On the FortiGate unit, go to System > Certificates and select Import > CA Certificates.
  3. Do one of the following:
    • To import using SCEP, select SCEP. Enter the URL of the SCEP server from which to retrieve the CA certificate. Optionally, enter identifying information of the CA, such as the filename.
    • To import from a file, select Local PC, then select Browse and find the location on the management computer where the certificate has been saved. Select the certificate, and then select Open.
  4. Select OK, and then select Return.

The system assigns a unique name to each CA certificate. The names are numbered consecutively (CA_Cert_1, CA_Cert_2, CA_Cert_3, and so on).

To import a certificate revocation list

A Certificate Revocation List (CRL) is a list of the CA certificate subscribers paired with certificate status information. The list contains the revoked certificates and the reason(s) for revocation. It also records the certificate issue dates and the CAs that issued them.

When configured to support SSL VPNs, the FortiGate unit uses the CRL to ensure that the certificates belonging to the CA and remote peers or clients are valid. The CRL has an “effective date” and a “next update” date. The interval is typically 7 days (for Microsoft CA). FortiOS will update the CRL automatically. Also, there is a CLI command to specify an “update-interval” in seconds. Recommendation should be 24 hours (86400 seconds) but depends on company security policy.

  1. After you download the CRL from the CA web site, save the CRL on the management computer.
  2. Go to System > Certificates and select Import > CRL.
  3. Do one of the following:
    • To import using an HTTP server, select HTTP and enter the URL of the HTTP server.
    • To import using an LDAP server see this KB article.
    • To import using an SCEP server, select SCEP and select the Local Certificate from the list. Enter the URL of the SCEP server from which the CRL can be retrieved.
    • To import from a file, select Local PC, then select Browse and find the location on the management computer where the CRL has been saved. Select the CRL and then select Open.
  4. Select OK, and then select Return.
To import a PKCS12 certificate from the CLI

The following CLI syntax can be entered to import a local certificate file:

execute vpn certificate local import tftp <file name> <tftp ip address> <file type> <Enter for 'cer'>|<password for 'p12'>

For example:

execute vpn certificate local import tftp FGTF-extern.p12 10.1.100.253 p12 123456

In addition, the following CLI syntax can be entered to update certificate bundles from an FTP or TFTP server:

execute vpn certificate ca import bundle <file-name.pkg> <ftp/tftp-server-ip>

ExtendedKeyUsage for x.509 certificates

As per Network Device Collaborative Protection Profile (NDcPP) v1.0 requirements, server certificates used for TLS connections between FortiGate and FortiAnalyzer have the "Server Authentication" and "Client Authentication" extendedKeyUsage fields in FIPS/CC mode.

The following CLI command is available under log fortianalyzer setting to allow you to specify the certificate used to communicate with FortiAnalyzer.

CLI syntax

config log fortianalyzer setting

set certificate <name>

end

Troubleshooting certificates

There are times when there are problems with certificates — a certificate is seen as expired when its not, or it can’t be found. Often the problem is with a third party web site, and not FortiOS. However, some problems can be traced back to FortiOS such as DNS or routing issues.

Enable and disable SHA1 algorithm in SSH key exchanges

In order to investigate your security and conduct compliance testing, a global option allows you to enable/disable SHA1 algorithm in SSH key exchange. Note that, the algorithm is enabled by default.

Syntax

config system global

set ssh-key-sha1 {enable | disable}

end

Certificate incorrectly reported as expired

Certificates often are issued for a set period of time such as a day or a month, depending on their intended use. This ensures everyone is using up-to-date certificates. It is also more difficult for hackers to steal and use old certificates.

Reasons a certificate may be reported as expired include:

  • It really has expired based on the “best before” date in the certificate
  • The FortiGate unit clock is not properly set. If the FortiGate clock is fast, it will see a certificate as expired before the expiry date is really here.
  • The requesting server clock is not properly set. A valid example is if your certificate is 2 hours from expiring, a server more than two time zones away would see the certificate as expired. Otherwise, if the server’s clock is set wrongly it will also have the same effect.
  • The certificate was revoked by the issuer before the expiry date. This may happen if the issuer believes a certificate was either stolen or misused. Its possible it is due to reasons on the issuer’s side, such as a system change or such. In either case it is best to contact the certificate issuer to determine what is happening and why.

A secure connection cannot be completed (certificate cannot be found)

Everyone who uses a browser has encountered a message such as This connection is untrusted. Normally when you try to connect securely to a web site, that web site will present its valid certificate to prove their identity is valid. When the web site's certificate cannot be verified as valid, the message appears stating This connection is untrusted or something similar. If you usually connect to this web site without problems, this error could mean that someone is trying to impersonate or hijack the web site, and best practices dictates you not continue.

Reasons a web site’s certificate cannot be validated include:

  • The web site uses an unrecognized self-signed certificate. These are not secure because anyone can sign them. If you accept self-signed certificates you do so at your own risk. Best practices dictate that you must confirm the ID of the web site using some other method before you accept the certificate.
  • The certificate is valid for a different domain. A certificate is valid for a specific location, domain, or sub-section of a domain such as one certificate for support.example.com that is not valid for marketing.example.com. If you encounter this problem, contact the webmaster for the web site to inform them of the problem.
  • There is a DNS or routing problem. If the web site’s certificate cannot be verified, it will not be accepted. Generally to be verified, your system checks with the third party certificate signing authority to verify the certificate is valid. If you cannot reach that third party due to some DNS or routing error, the certificate will not be verified.
  • Firewall is blocking required ports. Ensure that any firewalls between the requesting computer and the web site allow the secure traffic through the firewall. Otherwise a hole must be opened to allow it through. This includes ports such as 443 (HTTPS) and 22 (SSH).

Online updates to certificates and CRLs

If you obtained your local or CA certificate using SCEP, you can configure online renewal of the certificate before it expires. Similarly, you can receive online updates to CRLs.

Local certificates

In the config vpn certificate local command, you can specify automatic certificate renewal. The relevant fields are:

scep-url <URL_str> The URL of the SCEP server. This can be HTTP or HTTPS. The following options appear after you add the <URL_str>.
scep-password <password_str> The password for the SCEP server.
auto-regenerate-days <days_int> How many days before expiry the FortiGate unit requests an updated local certificate. The default is 0, no auto-update.
auto-regenerate-days-warning <days_int> How many days before local certificate expiry the FortiGate generates a warning message. The default is 0, no warning.

In this example, an updated certificate is requested three days before it expires.

config vpn certificate local

edit mycert

set scep-url http://scep.example.com/scep

set scep-server-password my_pass_123

set auto-regenerate-days 3

set auto-regenerate-days-warning 2

end

CA certificates

In the config vpn certificate ca command, you can specify automatic certificate renewal. The relevant fields are:

Variable Description
scep-url <URL_str> The URL of the SCEP server. This can be HTTP or HTTPS.
auto-update-days <days_int> How many days before expiry the FortiGate unit requests an updated CA certificate. The default is 0, no auto-update.
auto-update-days-warning <days_int> How many days before CA certificate expiry the FortiGate generates a warning message. The default is 0,no warning.

In this example, an updated certificate is requested three days before it expires.

config vpn certificate ca

edit mycert

set scep-url http://scep.example.com/scep

set auto-update-days 3

set auto-update-days-warning 2

end

Certificate revocation lists

If you obtained your CRL using SCEP, you can configure online updates to the CRL using the config vpn certificate crl command. The relevant fields are:

Variable Description
http-url <http_url> URL of the server used for automatic CRL certificate updates. This can be HTTP or HTTPS.
scep-cert <scep_certificate> Local certificate used for SCEP communication for CRL auto-update.
scep-url <scep_url> URL of the SCEP CA server used for automatic CRL certificate updates. This can be HTTP or HTTPS.
update-interval <seconds> How frequently, in seconds, the FortiGate unit checks for an updated CRL. Enter 0 to update the CRL only when it expires. Not available for http URLs.
update-vdom <update_vdom> VDOM used to communicate with remote SCEP server for CRL auto-update.

In this example, an updated CRL is requested only when it expires.

config vpn certificate crl

edit cert_crl

set http-url http://scep.example.com/scep

set scep-cert my-scep-cert

set scep-url http://scep.ca.example.com/scep

set update-interval 0

set update-vdom root

end

Backing up and restoring local certificates

The FortiGate unit provides a way to export and import a server certificate and the FortiGate unit’s personal key through the CLI. If required (to restore the FortiGate unit configuration), you can import the exported file through the System > Certificates page of the GUI.

note icon As an alternative, you can back up and restore the entire FortiGate configuration through the System Information widget on the Dashboard of the GUI. Look for [Backup] and [Restore] in the System Configuration row. The backup file is created in a FortiGate-proprietary format.
To export a server certificate and private key - CLI:

This procedure exports a server (local) certificate and private key together as a password protected PKCS12 file. The export file is created through a customer-supplied TFTP server. Ensure that your TFTP server is running and accessible to the FortiGate unit before you enter the command.

  1. Connect to the FortiGate unit through the CLI.
  2. Type the following command:

    execute vpn certificate local export tftp <cert_name> <exp_filename> <tftp_ip> <password>

    where:

    • <cert_name> is the name of the server certificate; typing ? displays a list of installed server certificates.
    • <exp_filename> is a name for the output file.
    • <tftp_ip> is the IP address assigned to the TFTP server host interface.
  3. Move the output file from the TFTP server location to the management computer for future reference.
To import a server certificate and private key - GUI:
  1. Go to System > Certificates and select Import.
  2. In Type, select PKCS12 Certificate.
  3. Select Browse. Browse to the location on the management computer where the exported file has been saved, select the file, and then select Open.
  4. In the Password field, type the password needed to upload the exported file.
  5. Select OK, and then select Return.
To import a server certificate and private key - CLI:
  1. Connect to the FortiGate unit through the CLI.
  2. Type the following command:
  3. execute vpn certificate local import tftp <file_name> <tftp_ip_address> <file_type> <Enter for 'cer'>|<password for 'p12'>

    For example:

    execute vpn certificate local import tftp FGTF-extern.p12 10.1.100.253 p12 123456

To import separate server certificate and private key files - GUI

Use the following procedure to import a server certificate and the associated private key file when the server certificate request and private key were not generated by the FortiGate unit. The two files to import must be available on the management computer.

  1. Go to System > Certificates and select Import.
  2. In Type, select Certificate.
  3. Select the Browse button beside the Certificate file field. Browse to the location on the management computer where the certificate file has been saved, select the file, and then select Open.
  4. Select the Browse button beside the Key file field. Browse to the location on the management computer where the key file has been saved, select the file, and then select Open.
  5. If required, in the Password field, type the associated password, and then select OK.
  6. Select Return.

Configuring certificate-based authentication

You can configure certificate-based authentication for FortiGate administrators, SSL VPN users, and IPsec VPN users.

In Microsoft Windows 7, you can use the certificate manager to keep track of all the different certificates on your local computer. To access certificate manager, in Windows 7 press the Windows key, enter “certmgr.msc” at the search prompt, and select the displayed match. Remember that in addition to these system certificates, many applications require you to register certificates with them directly.

To see FortiClient certificates, open the FortiClient Console, and select VPN. The VPN menu has options for My Certificates (local or client) and CA Certificates (root or intermediary certificate authorities). Use Import on those screens to import certificate files from other sources.

Authenticating administrators with security certificates

You can install a certificate on the management computer to support strong authentication for administrators.

To enable strong administrative authentication:

  • Obtain a signed personal certificate for the administrator from a CA and load the signed personal certificate into the web browser on the management computer according to the browser documentation.
  • Install the root certificate and the CRL from the issuing CA on the FortiGate unit (see Installing a CA root certificate and CRL to authenticate remote clients ).
  • Create a PKI user account for the administrator.
  • Add the PKI user account to a firewall user group dedicated to PKI-authenticated administrators.
  • In the administrator account configuration, select PKI as the account Type and select the User Group to which the administrator belongs.

Support exact match for subject and CN fields in peer user

In order to avoid any unintentional admin access by regular users, administrators can specify which way a peer user authenticates.

When searching for a matching certificate, use the commands below to control how to find matches in the certificate subject name (subject-match) or the cn attribute (cn-match) of the certificate subject name. This match can be any string (substring) or an exact match (value) of the cn attribute value.

To determine certificate subject name matches - CLI:

config vpn certificate setting

edit <name>

set subject-match {substring | value}

set cn-match {substring | value}

next

end

Authenticating SSL VPN users with security certificates

While the default self-signed certificates can be used for HTTPS connections, it is preferable to use the X.509 server certificate to avoid the redirection as it can be misinterpreted as possible session hijacking. However, the server certificate method is more complex than self-signed security certificates. Also the warning message is typically displayed for the initial connection, and future connections will not generate these messages.

X.509 certificates can be used to authenticate IPsec VPN peers or clients, or SSL VPN clients. When configured to authenticate a VPN peer or client, the FortiGate unit prompts the VPN peer or client to authenticate itself using the X.509 certificate. The certificate supplied by the VPN peer or client must be verifiable using the root CA certificate installed on the FortiGate unit in order for a VPN tunnel to be established.

To enable certificate authentication for an SSL VPN user group:
  1. Install a signed server certificate on the FortiGate unit and install the corresponding root certificate (and CRL) from the issuing CA on the remote peer or client.
  2. Obtain a signed group certificate from a CA and load the signed group certificate into the web browser used by each user. Follow the browser documentation to load the certificates.
  3. Install the root certificate and the CRL from the issuing CA on the FortiGate unit (see Installing a CA root certificate and CRL to authenticate remote clients ).
  4. Create a PKI user for each SSL VPN user. For each user, specify the text string that appears in the Subject field of the user’s certificate and then select the corresponding CA certificate.
  5. Use the config user peergrp CLI command to create a peer user group. Add to this group all of the SSL VPN users who are authenticated by certificate.
  6. Go to Policy & Objects > IPv4 Policy.
  7. Edit the SSL-VPN security policy.
  8. Select the user group created earlier in the Source User(s) field.
  9. Select OK.

Authenticating IPsec VPN users with security certificates

To require VPN peers to authenticate by means of a certificate, the FortiGate unit must offer a certificate to authenticate itself to the peer.

To enable the FortiGate unit to authenticate itself with a certificate:
  1. Install a signed server certificate on the FortiGate unit.
    See To install or import the signed server certificate - GUI.
  2. Install the corresponding CA root certificate on the remote peer or client. If the remote peer is a FortiGate unit, see To install a CA root certificate.
  3. Install the certificate revocation list (CRL) from the issuing CA on the remote peer or client. If the remote peer is a FortiGate unit, see To import a certificate revocation list.
  4. In the VPN phase 1 configuration, set Authentication Method to Signature and from the Certificate Name list select the certificate that you installed in Step 1.

To authenticate a VPN peer using a certificate, you must install a signed server certificate on the peer. Then, on the FortiGate unit, the configuration depends on whether there is only one VPN peer or if this is a dialup VPN that can be multiple peers.

To configure certificate authentication of a single peer
  1. Install the CA root certificate and CRL.
  2. Create a PKI user to represent the peer. Specify the text string that appears in the Subject field of the user’s certificate and then select the corresponding CA certificate.
  3. In the VPN phase 1 Peer Options, select peer certificate for Accept Types field and select the PKI user that you created in the Peer certificate field.
To configure certificate authentication of multiple peers (dialup VPN)
  1. Install the corresponding CA root certificate and CRL.
  2. Create a PKI user for each remote VPN peer. For each user, specify the text string that appears in the Subject field of the user’s certificate and then select the corresponding CA certificate.
  3. Use the config user peergrp CLI command to create a peer user group. Add to this group all of the PKI users who will use the IPsec VPN.

In the VPN phase 1 Peer Options, select peer certificate group for Accept Types field and select the PKI user group that you created in the Peer certificate group field.

Support for per-VDOM certificates

The CA and local certificate configuration is available per-VDOM. When an admin uploads a certificate to a VDOM, it will only be accessible inside that VDOM. When an admin uploads a certificate to global, it will be accessible to all VDOMs and global.

There are factory default certificates such as Fortinet_CA_SSL, Fortinet_SSL, Fortinet_Wifi, and Fortinet_Factory. These certificates are moved to per-VDOM and automatically generated when a new VDOM is created.

note icon The Fortinet_Firmware certificate has been removed and all the attributes that use Fortinet_Firmware now use Fortinet_Factory.
CLI changes

Two new attributes range and source have been added:

range can be global or per-VDOM, if the certificate file is imported from global, it is a global certificate. If the certificate file is imported from a VDOM, it is VDOM certificate.

source can be either factory, user, or fortiguard:

  • factory: The factory certificate file with FortiOS version, this includes: Fortinet_CA_SSL, Fortinet_SSL, PositiveSSL_CA, Fortinet_Wifi, Fortinet_Factory.
  • user: Certificate file imported by the user.
  • fortiguard: Certificate file imported from FortiGuard.

config certificate local

edit Fortinet_Factory

set range {global | vdom}

set source {factory | user | fortiguard}

end

end

GUI changes

Global and new VDOMs have the following factory default certificates:

These certificates are created automatically when a new VDOM is created, with every VDOM having its own versions of these certificates.

Example — Generate a CSR on the FortiGate unit

This example follows all the steps required to create and install a local certificate on the FortiGate unit, without using CA software.

The FortiGate unit is called myFortiGate60, and is located at 10.11.101.101 (a private IP address) and http://myfortigate.example.com. Mr. John Smith (john.smith@myfortigate.example.com) is the IT administrator for this FortiGate unit, and the unit belongs to the Sales department located in Greenwich, London, England.

To generate a certificate request on the FortiGate unit - GUI:
  1. Go to System > Certificates.
  2. Select Generate.
  3. In the Certificate Name field, enter myFortiGate60.
  4. note icon Do not include spaces in the certificate name. This will ensure compatibility of a signed certificate as a PKCS12 file to be exported later on if required.

    Since the IP address is private, we will use the FQDN instead.

  5. Select Domain Name, and enter http://myfortigate.example.com.
  6. Enter values in the Optional Information area to further identify the FortiGate unit.
  7. Organization Unit Sales
    Organization Example.com
    Locality (City) Greenwich
    State/Province London
    Country England
    e-mail john.smith@myfortigate.example.com
  8. From the Key Type list, select RSA or Elliptic Curve.
  9. If RSA is selected, set Key Size to 2048 Bit. If Elliptic Curve is selected, set Curve Name to secp256r1.
  10. In Enrollment Method, select File Based to generate the certificate request
  11. Select OK.
    The request is generated and displayed in the Local Certificates list with a status of pending.
  12. Select the Download button to download the request to the management computer.
  13. In the File Download dialog box, select Save and save the Certificate Signing Request on the local file system of the management computer.
  14. Name the file and save it on the local file system of the management computer.

Example — Generate and Import CA certificate with private key pair on OpenSSL

This example explains how to generate a certificate using OpenSSL on MS Windows. OpenSSL is available for Linux and Mac OS as well, however their terminology will vary slightly from what is presented here.

Assumptions

Before starting this procedure, ensure that you have downloaded and installed OpenSSL on Windows. One source is: http://www.slproweb.com/products/Win32OpenSSL.html.

Generating and importing the CA certificate and private key

The two following procedures will generate a CA certificate file and private key file, and then import it to the FortiGate unit as a local certificate.

To generate the private key and certificate
  1. At the Windows command prompt, go to the OpenSSL bin directory. If you installed to the default location this will be the command:
  2. cd c:\OpenSSL-Win32\bin

  3. Enter the following command to generate the private key. You will be prompted to enter your PEM pass phrase. Choose something easy to remember such as fortinet123.
  4. openssl genrsa -aes256 -out fgtcapriv.key 2048

    This command generates an RSA AES256 2048-bit encryption key.

  5. The following command will generate the certificate using the key from the previous step.
  6. openssl req -new -x509 -days 3650 -extensions v3_ca -key fgtcapriv.key -out fgtca.crt

    This step generates an X509 CA certificate good for 10 years that uses the key generated in the previous step. The certificate filename is fgtca.crt.

    You will be prompted to enter information such as PEM Pass Phrase from the previous step, Country Name, State, Organization Name, Organizational Unit (such as department name), Common Name (the FQDN), and Email Address.

To import the certificate to the FortiGate unit - GUI:
  1. Go to System > Certificates.
  2. Select Import > Local Certificate.
  3. Select Certificate for Type.
    Fields for Certificate file, Key file, and Password are displayed.
  4. For Certificate file, enter c:\OpenSSL-Win32\bin\fgtca.crt.
  5. For Key file, enter c:\OpenSSL-Win32\bin\fgtcapriv.key.
  6. For Password, enter the PEM Pass Phrase you entered earlier, such as fortinet123.
  7. Select OK.

The Certificate will be added to the list of Local Certificates and be ready for use. It will appear in the list as the filename you uploaded — fgtca.You can add comments to this certificate to make it clear where its from and how it is intended to be used. If you download the certificate from FortiOS, it is a .CER file.

It can now be used in Authenticating IPsec VPN users with security certificates, and Authenticating SSL VPN users with security certificates.

Example — Generate an SSL certificate in OpenSSL

This example explains how to generate a CA signed SSL certificate using OpenSSL on MS Windows. OpenSSL is available for Linux and Mac OS as well, however their terminology will vary slightly from what is presented here.

In this example, you will:

  • Generate a CA signed SSL certificate
  • Generate a self-signed SSL certificate
  • Import the SSL certificate into FortiOS

Assumptions

Generating a CA signed SSL certificate

This procedure assumes that you have already completed Example — Generate and Import CA certificate with private key pair on OpenSSL successfully.

To generate the CA signed SSL certificate:
  1. At the Windows command prompt, go to the OpenSSL bin directory. If you installed to the default location this will be the following command:
  2. cd c:\OpenSSL-Win32\bin

  3. Enter the following command to generate the private key. You will be prompted to enter your PEM pass phrase. Choose something easy to remember such as fortinet.
  4. openssl genrsa -aes256 -out fgtssl.key 2048

    This command generates an RSA AES256 2048-bit encryption key.

  5. Create a certificate signing request for the SSL certificate. This step requires you to enter the information listed in step 3 of the previous example — To generate the private key and certificate. You can leave the Challenge Password blank.
  6. openssl req -new -sha256 -key fgtssl.key -out fgtssl.csr

    note icon Most Certificate Authorities will ignore the value that is set in the CSR and use whatever value they are set to use in their configuration. This means that the client will likely need to modify their openssl.conf file to use SHA-256 (or another SHA-2 variant).
  7. Using the CSR from the previous step, you can now create the SSL certificate using the CA certificate that was created in Example — Generate and Import CA certificate with private key pair on OpenSSL.
  8. openssl x509 -req -days 365 -in fgtssl.csr -CA fgtca.crt -CAkey fgtcapriv.key -set_serial 01 -out fgtssl.crt

    This will generate an X.509 certificate good for 365 days signed by the CA certificate fgtca.crt.

Generating a self-signed SSL certificate

This procedures does not require any existing certificates.

  1. At the Windows command prompt, go to the OpenSSL bin directory. If you installed to the default location this will be the following command:
  2. cd c:\OpenSSL-Win32\bin

  3. Enter the following command to generate the private key. You will be prompted to enter your PEM pass phrase. Choose something easy to remember such as fortinet.
  4. openssl genrsa -aes256 -out fgtssl.key 2048

    openssl req -new -key fgtssl.key -out fgtssl.csr

    openssl x509 -req -days 365 -in fgtssl.csr -signkey fgtssl.key -out fgtssl.crt

    These commands:

  • generate an RSA AES256 2048-bit private key,
  • generate an SSL certificate signing request, and
  • sign the CSR to generate an SSL .CRT certificate file.

Import the SSL certificate into FortiOS

To import the certificate to FortiOS- GUI
  1. Go to System > Certificates.
  2. Select Import > Local Certificate.
  3. Select Certificate for Type.
    Fields for Certificate file, Key file, and Password are displayed.
  4. For Certificate file, enter c:\OpenSSL-Win32\bin\fgtssl.crt.
  5. For Key file, enter c:\OpenSSL-Win32\bin\fgtssl.key.
  6. For Password, enter the PEM Pass Phrase you entered, such as fortinet.
  7. Select OK.

The SSL certificate you just uploaded can be found under System > Certificates under the name of the file you uploaded — fgtssl.

To confirm the certificate is uploaded properly - CLI:

config vpn certificate local

edit fgtssl

get

end

The get command will display all the certificate’s information. If it is not there or the information is not correct, you will need to remove the corrupted certificate (if it is there) and upload it again from your PC.

To use the new SSL certificate - CLI

config vpn ssl settings

set servercert fgtssl

end

This assigns the fgtssl certificate as the SSL server certificate. For more information see the FortiOS Handbook SSL VPN guide.

Certificate-based authentication

This section provides an overview of how the FortiGate unit verifies the identities of administrators, SSL VPN users, or IPsec VPN peers using X.509 security certificates.

The following topics are included in this section:

What is a security certificate?

A security certificate is a small text file that is part of a third-party generated public key infrastructure (PKI) to help guarantee the identity of both the user logging on and the web site they where they are logging in.

A certificate includes identifying information such as the company and location information for the web site, as well as the third-party company name, the expiry date of the certificate, and the public key.

FortiGate units use X.509 certificates to authenticate single sign-on (SSO) for users. The X.509 standard has been in use since before 2000, but has gained popularity with the Internet’s increased popularity. X.509 v3 is defined in RFC 5280 and specifies standard formats for public key certificates, certificate revocation lists, and a certification path validation algorithm. The unused earlier X.509 version 1 was defined in RFC 1422.

The main difference between X.509 and PGP certificates is that where in PGP anyone can sign a certificate, for X.509 only a trusted authority can sign certificates. This limits the source of certificates to well known and trustworthy sources. Where PGP is well suited for one-to-one communications, the X.509 infrastructure is intended to be used in many different situations including one-to-many communications. Some common filename extensions for X.509 certificates are listed below.

Common certificate filename extensions
Filetype Format name Description
.pem Privacy Enhanced Mail (PEM)

Base64 encoded DER certificate, that uses:

“-----BEGIN CERTIFICATE-----” and

“-----END CERTIFICATE-----”

.cer

.crt

.der

Security Certificate Usually binary DER form, but Base64-encoded certificates are common too.

.p7b

.p7c

Structure without data, just certificates or CRLs.

PKCS#7 is a standard for signing or encrypting (officially called “enveloping”) data.

.p12 PKCS#12 May contain certificate(s) (public) and private keys (password protected).
.pfx personal information exchange (PFX) Older format. Came before PKCS#12. Usually today data is in PKCS#12 format.

Certificates overview

Certificates play a major role in authentication of clients connecting to network services via HTTPS, both for administrators and SSL VPN users. Certificate authentication is optional for IPsec VPN peers.

This section includes:

note icon

Public CA certificates found on the FortiGate are provided through firmware upgrades and installations.

Certificates and protocols

There are a number of protocols that are commonly used with certificates including SSL and HTTPS, and other certificate-related protocols.

SSL and HTTPS

The secure HTTP (HTTPS) protocol uses SSL. Certificates are an integral part of SSL. When a web browser connects to the FortiGate unit via HTTPS, a certificate is used to verify the FortiGate unit’s identity to the client. Optionally, the FortiGate unit can require the client to authenticate itself in return.

By default, the FortiGate unit uses a self-signed security certificate to authenticate itself to HTTPS clients. When the certificate is offered, the client browser displays two security messages.

  • The first message prompts users to accept and optionally install the FortiGate unit’s self-signed security certificate. If the user does not accept the certificate, the FortiGate unit refuses the connection. When the user accepts the certificate, the FortiGate login page is displayed, and the credentials entered by the user are encrypted before they are sent to the FortiGate unit. If the user chooses to install the certificate, the prompt is not displayed again.
  • Just before the FortiGate login page is displayed, a second message informs users that the FortiGate certificate distinguished name differs from the original request. This message is displayed because the FortiGate unit redirects the connection (away from the distinguished name recorded in the self-signed certificate) and can be ignored.

Optionally, you can install an X.509 server certificate issued by a certificate authority (CA) on the FortiGate unit. You can then configure the FortiGate unit to identify itself using the server certificate instead of the self-signed certificate.

For more information, see the FortiOS Handbook SSL VPN guide.

After successful certificate authentication, communication between the client browser and the FortiGate unit is encrypted using SSL over the HTTPS link.

Certificate-related protocols

There are multiple protocols that are required for handling certificates. These include the Online Certificate Status Protocol (OCSP), Simple Certificate Enrollment Protocol (SCEP), Server-based Certificate Validation Protocol (SCVP), and Certificate Management Protocol (CMP).

Online Certificate Status Protocol

Online Certificate Status Protocol (OCSP) allows the verification of X.509 certificate expiration dates. This is important to prevent hackers from changing the expiry date on an old certificate to a future date.

Normally certificate revocation lists (CRLs) are used, but OCSP is an alternate method available. However a CRL is a public list, and some companies may want to avoid the public exposure of their certificate structure even if it is only invalid certificates.

The OSCP check on the certificate’s revocation status is typically carried out over HTTP with a request-response format. The authority responding can reply with a status of good, revoked, or unknown for the certificate in question.

Simple Certificate Enrollment Protocol

Simple Certificate Enrollment Protocol (SCEP) is an automated method of signing up for certificates. Typically this involves generating a request you send directly to the SCEP service, instead of generating a file request that may or may not be signed locally.

Server-based Certificate Validation Protocol

Server-based Certificate Validation Protocol (SCVP) is used to trace a certificate back to a valid root level certificate. This ensures that each step along the path is valid and trustworthy.

Certificate Management Protocol version 2

Certificate Management Protocol version 2 (CMPv2) is an enrollment and revocation protocol for certificates.

IPsec VPNs and certificates

Certificate authentication is a more secure alternative to pre-shared key (shared secret) authentication for IPsec VPN peers. Unlike administrators or SSL VPN users, IPsec peers use HTTP to connect to the VPN gateway configured on the FortiGate unit. The VPN gateway configuration can require certificate authentication before it permits an IPsec tunnel to be established. See Authenticating IPsec VPN users with security certificates .

Certificate types on the FortiGate unit

There are different types of certificates available that vary depending on their intended use. FortiOS supports local, remote, CA, and CRL certificates.

Local certificates

Local certificates are issued for a specific server, or web site. Generally they are very specific, and often for an internal enterprise network. For example a personal web site for John Smith at www.example.com (such as http://www.example.com/home/jsmith) would have its own local certificate.

These can optionally be just the certificate file, or also include a private key file and PEM passphrase for added security.

For information about generating a certificate request, see Generating a certificate signing request. For information about installing a local certificate, see Obtaining and installing a signed server certificate from an external CA

Remote certificates

Remote certificates are public certificates without a private key. For dynamic certificate revocation, you need to use an Online Certificate Status Protocol (OCSP) server. The OCSP is configured in the CLI only. Installed Remote (OCSP) certificates are displayed in the Remote Certificates list. You can select Import to install a certificate from the management PC.

CA root certificates

CA root certificates are similar to local certificates, however they apply to a broader range of addresses or to whole company; they are one step higher up in the organizational chain. Using the local certificate example, a CA root certificate would be issued for all of www.example.com instead of just the smaller single web page.

Certificate revocation list

Certificate revocation list (CRL) is a list of certificates that have been revoked and are no longer usable. This list includes certificates that have expired, been stolen, or otherwise compromised. If your certificate is on this list, it will not be accepted. CRLs are maintained by the CA that issues the certificates and includes the date and time when the next CRL will be issued as well as a sequence number to help ensure you have the most current version of the CRL.

Certificate signing

The trust in a certificate comes from the authority that signs it. For example if VeriSign signs your CA root certificate, it is trusted by everyone. While these certificates are universally accepted, it is cumbersome and expensive to have all certificates on a corporate network signed with this level of trust.

With self-signed certificates nobody, except the other end of your communication, knows who you are and therefore they do not trust you as an authority. However this level is useful for encryption between two points — neither point may care about who signed the certificate, just that it allows both points to communicate. This is very useful for internal networks and communications.

A general rule is that CA signed certificates are accepted and sometimes required, but it is easier to self-sign certificates when you are able.

For more on the methods of certificate signing see Generating a certificate signing request.

BIOS certificate compatibility

FortiOS supports backwards compatibility between BIOS version 4 and BIOS version 3.

BIOS V4 certificates:
  • Fortinet_CA
  • Fortinet_Sub_CA
  • Fortinet_Factory
BIOS V3 certificates:
  • Fortinet_CA_Backup
  • Fortinet_Factory_Backup

When FortiOS connects to FortiGuard, FortiCloud, FortiManager, FortiAnalyzer, FortiSandbox as a client, the BIOS certificate Fortinet_Factory will be the default client certificate. When the server returns its certificate (chain) back, FortiOS looks up the issuer of the server certificate and either keeps client certificate as is or switches to the BIOS certificate Fortinet_Factory_Backup. This process occurs in one handshake.

When FortiOS connects to FortiCare, the BIOS certificate Fortinet_Factory is the only client certificate and Server Name Indication (SNI) is set. There is no switchover of certificate during SSL handshake.

When FortiOS acts as a server when connected by FortiExtender, FortiSwitch, FortiAP, etc., Fortinet_Factory is the default server certificate. FortiOS detects SNI in client hello, and if no SNI is found or if the CN in SNI is different from the CN of Fortinet_CA, it switches to use the Fortinet_Factory_Backup.

Managing X.509 certificates

Managing security certificates is required due to the number of steps involved in both having a certificate request signed, and then distributing the correct files for use.

You use the FortiGate unit or CA software such as OpenSSL to generate a certificate request. That request is a text file that you send to the CA for verification, or alternately you use CA software to self-validate. Once validated, the certificate file is generated and must be imported to the FortiGate unit before it can be used. These steps are explained in more detail later in this section.

This section provides procedures for generating certificate requests, installing signed server certificates, and importing CA root certificates and CRLs to the FortiGate unit.

For information about how to install root certificates, CRLs, and personal or group certificates on a remote client browser, refer to your browser’s documentation.

note icon

As a requirement of Network Device Collaborative Protection Profile (NDcPP), FortiOS supports and handles the use of wildcards for the following certificate reference parameters:

  • Subject Alternative Name (SAN)
  • Common Name (CN)

This section includes:

Generating a certificate signing request

Whether you create certificates locally with a software application or obtain them from an external certificate service, you will need to generate a certificate signing request (CSR).

When you generate a CSR, a private and public key pair is created for the FortiGate unit. The generated request includes the public key of the FortiGate unit and information such as the FortiGate unit’s public static IP address, domain name, or email address. The FortiGate unit’s private key remains confidential on the FortiGate unit.

After you submit the request to a CA, the CA will verify the information and register the contact information on a digital certificate that contains a serial number, an expiration date, and the public key of the CA. The CA will then sign the certificate, and you install the certificate on the FortiGate unit.

The Certificate Request Standard is a public key cryptography standard (PKCS) published by RSA, specifically PKCS10 which defines the format for CSRs. This is defined in RFC 2986.

To generate a certificate request in FortiOS - GUI:
  1. Go to System > Certificates.
  2. Select Generate.
  3. In the Certificate Name field, enter a unique meaningful name for the certificate request. Typically, this would be the hostname or serial number of the FortiGate unit or the domain of the FortiGate unit such as example.com.
  4. note icon Do not include spaces in the certificate name. This will ensure compatibility of a signed certificate as a PKCS12 file to be exported later on if required.
    note icon

    Prior to FortiOS 5.4, passwords for local certificates that were generated via either SCEP or CLI could not have their passwords reset. Passwords can be set in the CLI using the following command:

    config vpn certificate local

    edit <name>

    set password <password>

    next

    end

  5. Enter values in the Subject Information area to identify the FortiGate unit:
    • If the FortiGate unit has a static IP address, select Host IPand enter the public IP address of the FortiGate unit. If the FortiGate unit does not have a public IP address, use an email address (or fully qualified domain name (FQDN) if available) instead.
    • If the FortiGate unit has a dynamic IP address and subscribes to a dynamic DNS service, use a FQDN if available to identify the FortiGate unit. If you select Domain Name, enter the FQDN of the FortiGate unit. Do not include the protocol specification (http://) or any port number or path names.
    note iconIf a domain name is not available and the FortiGate unit subscribes to a dynamic DNS service, an “unable to verify certificate” type message may be displayed in the user’s browser whenever the public IP address of the FortiGate unit changes.
    • If you select E-Mail, enter the email address of the owner of the FortiGate unit.
  6. Enter values in the Optional Information area to further identify the FortiGate unit.
  7. Organization Unit Name of your department. You can enter a series of OUs up to a maximum of 5. To add or remove an OU, use the plus (+) or minus (-) icon.
    Organization Legal name of your company or organization.
    Locality (City) Name of the city or town where the FortiGate unit is installed.
    State/Province Name of the state or province where the FortiGate unit is installed.
    Country Select the country where the FortiGate unit is installed.
    e-mail Contact email address.
    Subject Alternative Name

    Optionally, enter one or more alternative names for which the certificate is also valid. Separate names with a comma. A name can be:

    • e-mail address
    • IP address
    • URI
    • DNS name (alternatives to the Common Name)
    • directory name (alternatives to the Distinguished Name)

    You must precede the name with the name type. Examples:

    IP:1.1.1.1

    email:test@fortinet.com

    email:my@other.address

    URI:http://my.url.here/

    Password for private key Option to export local certificate and its private key in password protected p12.
  8. From the Key Type list, select RSA or Elliptic Curve.
  9. From the Key Size list, select 1024 Bit, 1536 Bit, 2048 Bit, 4096 Bit or secp256r1, secp384r1, secp521r1 respectively. Larger keys are slower to generate but more secure.
  10. In Enrollment Method, you have two methods to choose from. Select File Based to generate the certificate request, or Online SCEP to obtain a signed SCEP-based certificate automatically over the network. For the SCEP method, enter the URL of the SCEP server from which to retrieve the CA certificate, and the CA server challenge password.
  11. Select OK.
  12. The request is generated and displayed in the Local Certificates list with a status of PENDING.
  13. Select the Download button to download the request to the management computer.
  14. In the File Download dialog box, select Save and save the Certificate Signing Request on the local file system of the management computer.
  15. Name the file and save it on the local file system of the management computer.

The certificate request is ready for the certificate authority to be signed.

Generating certificates with CA software

CA software allows you to generate unmanaged certificates and CA certificates for managing other certificates locally without using an external CA service. Examples of CA software include ssl-ca from OpenSSL (available for Linux, Windows, and Mac) or gensslcert from SuSE, MS Windows Server 2000 and 2003 come with a CA as part of their certificate services, and in MS Windows 2008 CA software can be installed as part of the Active Directory installation. See Example — Generate and Import CA certificate with private key pair on OpenSSL.

The general steps for generating certificates with CA software are

  1. Install the CA software as a stand-alone root CA.
  2. Provide identifying information for your self-administered CA.

While following these steps, the methods vary slightly when generating server certificates, CA certificates, and PKI certificates.

Server certificate

  1. Generate a Certificate Signing Request (CSR) on the FortiGate unit.
  2. Copy the CSR base-64 encoded text (PKCS10 or PKCS7) into the CA software and generate the certificate.
    PKCS10 is the format used to send the certificate request to the signing authority. PKCS7 is the format the signing authority can use for the newly signed certificate.
  3. Export the certificate as a X.509 DER encoded binary file with .CER extension
  4. Upload the certificate file to the FortiGate unit Local Certificates page (type is Certificate).

CA certificate

  1. Retrieve the CA Certificate from the CA software as a DER encoded file.
  2. Import the CA certificate file to the FortiGate unit at System > Certificates and select Import > Certificates.

PKI certificate

  1. Generate a Certificate Signing Request (CSR) on the FortiGate unit.
  2. Copy the CSR base-64 encoded text (PKCS#10 or PKCS#7) into the CA software and generate the certificate.
    PKCS10 is the format used to send the certificate request to the signing authority. PKCS7 is the format the signing authority can use for the newly signed certificate.
  3. Export the certificate as a X.509 DER encoded binary file with .CER extension.
  4. Install the certificate in the user’s web browser or IPsec VPN client as needed.

Obtaining and installing a signed server certificate from an external CA

To obtain a signed server certificate for a FortiGate unit, you must send a request to a CA that provides digital certificates that adhere to the X.509 standard. The FortiGate unit provides a way for you to generate the request.

To submit the certificate signing request (file-based enrollment):
  1. Using the web browser on the management computer, browse to the CA web site.
  2. Follow the CA instructions for a base-64 encoded PKCS#10 certificate request and upload your certificate request.
  3. Follow the CA instructions to download their root certificate and CRL.
    When you receive the signed server certificate from the CA, install the certificate on the FortiGate unit.
To install or import the signed server certificate - GUI
  1. On the FortiGate unit, go to System > Certificates and select Import > Local Certificates.
  2. From Type, select Local Certificate.
  3. Select Browse, browse to the location on the management computer where the certificate was saved, select the certificate, and then select Open.
  4. Select OK, and then select Return.

Installing a CA root certificate and CRL to authenticate remote clients

When you apply for a signed personal or group certificate to install on remote clients, you can obtain the corresponding root certificate and CRL from the issuing CA. When you receive the signed personal or group certificate, install the signed certificate on the remote client(s) according to the browser documentation. Install the corresponding root certificate (and CRL) from the issuing CA on the FortiGate unit according to the procedures given below.

To install a CA root certificate
  1. After you download the root certificate of the CA, save the certificate on the management computer. Or, you can use online SCEP to retrieve the certificate.
  2. On the FortiGate unit, go to System > Certificates and select Import > CA Certificates.
  3. Do one of the following:
    • To import using SCEP, select SCEP. Enter the URL of the SCEP server from which to retrieve the CA certificate. Optionally, enter identifying information of the CA, such as the filename.
    • To import from a file, select Local PC, then select Browse and find the location on the management computer where the certificate has been saved. Select the certificate, and then select Open.
  4. Select OK, and then select Return.

The system assigns a unique name to each CA certificate. The names are numbered consecutively (CA_Cert_1, CA_Cert_2, CA_Cert_3, and so on).

To import a certificate revocation list

A Certificate Revocation List (CRL) is a list of the CA certificate subscribers paired with certificate status information. The list contains the revoked certificates and the reason(s) for revocation. It also records the certificate issue dates and the CAs that issued them.

When configured to support SSL VPNs, the FortiGate unit uses the CRL to ensure that the certificates belonging to the CA and remote peers or clients are valid. The CRL has an “effective date” and a “next update” date. The interval is typically 7 days (for Microsoft CA). FortiOS will update the CRL automatically. Also, there is a CLI command to specify an “update-interval” in seconds. Recommendation should be 24 hours (86400 seconds) but depends on company security policy.

  1. After you download the CRL from the CA web site, save the CRL on the management computer.
  2. Go to System > Certificates and select Import > CRL.
  3. Do one of the following:
    • To import using an HTTP server, select HTTP and enter the URL of the HTTP server.
    • To import using an LDAP server see this KB article.
    • To import using an SCEP server, select SCEP and select the Local Certificate from the list. Enter the URL of the SCEP server from which the CRL can be retrieved.
    • To import from a file, select Local PC, then select Browse and find the location on the management computer where the CRL has been saved. Select the CRL and then select Open.
  4. Select OK, and then select Return.
To import a PKCS12 certificate from the CLI

The following CLI syntax can be entered to import a local certificate file:

execute vpn certificate local import tftp <file name> <tftp ip address> <file type> <Enter for 'cer'>|<password for 'p12'>

For example:

execute vpn certificate local import tftp FGTF-extern.p12 10.1.100.253 p12 123456

In addition, the following CLI syntax can be entered to update certificate bundles from an FTP or TFTP server:

execute vpn certificate ca import bundle <file-name.pkg> <ftp/tftp-server-ip>

ExtendedKeyUsage for x.509 certificates

As per Network Device Collaborative Protection Profile (NDcPP) v1.0 requirements, server certificates used for TLS connections between FortiGate and FortiAnalyzer have the "Server Authentication" and "Client Authentication" extendedKeyUsage fields in FIPS/CC mode.

The following CLI command is available under log fortianalyzer setting to allow you to specify the certificate used to communicate with FortiAnalyzer.

CLI syntax

config log fortianalyzer setting

set certificate <name>

end

Troubleshooting certificates

There are times when there are problems with certificates — a certificate is seen as expired when its not, or it can’t be found. Often the problem is with a third party web site, and not FortiOS. However, some problems can be traced back to FortiOS such as DNS or routing issues.

Enable and disable SHA1 algorithm in SSH key exchanges

In order to investigate your security and conduct compliance testing, a global option allows you to enable/disable SHA1 algorithm in SSH key exchange. Note that, the algorithm is enabled by default.

Syntax

config system global

set ssh-key-sha1 {enable | disable}

end

Certificate incorrectly reported as expired

Certificates often are issued for a set period of time such as a day or a month, depending on their intended use. This ensures everyone is using up-to-date certificates. It is also more difficult for hackers to steal and use old certificates.

Reasons a certificate may be reported as expired include:

  • It really has expired based on the “best before” date in the certificate
  • The FortiGate unit clock is not properly set. If the FortiGate clock is fast, it will see a certificate as expired before the expiry date is really here.
  • The requesting server clock is not properly set. A valid example is if your certificate is 2 hours from expiring, a server more than two time zones away would see the certificate as expired. Otherwise, if the server’s clock is set wrongly it will also have the same effect.
  • The certificate was revoked by the issuer before the expiry date. This may happen if the issuer believes a certificate was either stolen or misused. Its possible it is due to reasons on the issuer’s side, such as a system change or such. In either case it is best to contact the certificate issuer to determine what is happening and why.

A secure connection cannot be completed (certificate cannot be found)

Everyone who uses a browser has encountered a message such as This connection is untrusted. Normally when you try to connect securely to a web site, that web site will present its valid certificate to prove their identity is valid. When the web site's certificate cannot be verified as valid, the message appears stating This connection is untrusted or something similar. If you usually connect to this web site without problems, this error could mean that someone is trying to impersonate or hijack the web site, and best practices dictates you not continue.

Reasons a web site’s certificate cannot be validated include:

  • The web site uses an unrecognized self-signed certificate. These are not secure because anyone can sign them. If you accept self-signed certificates you do so at your own risk. Best practices dictate that you must confirm the ID of the web site using some other method before you accept the certificate.
  • The certificate is valid for a different domain. A certificate is valid for a specific location, domain, or sub-section of a domain such as one certificate for support.example.com that is not valid for marketing.example.com. If you encounter this problem, contact the webmaster for the web site to inform them of the problem.
  • There is a DNS or routing problem. If the web site’s certificate cannot be verified, it will not be accepted. Generally to be verified, your system checks with the third party certificate signing authority to verify the certificate is valid. If you cannot reach that third party due to some DNS or routing error, the certificate will not be verified.
  • Firewall is blocking required ports. Ensure that any firewalls between the requesting computer and the web site allow the secure traffic through the firewall. Otherwise a hole must be opened to allow it through. This includes ports such as 443 (HTTPS) and 22 (SSH).

Online updates to certificates and CRLs

If you obtained your local or CA certificate using SCEP, you can configure online renewal of the certificate before it expires. Similarly, you can receive online updates to CRLs.

Local certificates

In the config vpn certificate local command, you can specify automatic certificate renewal. The relevant fields are:

scep-url <URL_str> The URL of the SCEP server. This can be HTTP or HTTPS. The following options appear after you add the <URL_str>.
scep-password <password_str> The password for the SCEP server.
auto-regenerate-days <days_int> How many days before expiry the FortiGate unit requests an updated local certificate. The default is 0, no auto-update.
auto-regenerate-days-warning <days_int> How many days before local certificate expiry the FortiGate generates a warning message. The default is 0, no warning.

In this example, an updated certificate is requested three days before it expires.

config vpn certificate local

edit mycert

set scep-url http://scep.example.com/scep

set scep-server-password my_pass_123

set auto-regenerate-days 3

set auto-regenerate-days-warning 2

end

CA certificates

In the config vpn certificate ca command, you can specify automatic certificate renewal. The relevant fields are:

Variable Description
scep-url <URL_str> The URL of the SCEP server. This can be HTTP or HTTPS.
auto-update-days <days_int> How many days before expiry the FortiGate unit requests an updated CA certificate. The default is 0, no auto-update.
auto-update-days-warning <days_int> How many days before CA certificate expiry the FortiGate generates a warning message. The default is 0,no warning.

In this example, an updated certificate is requested three days before it expires.

config vpn certificate ca

edit mycert

set scep-url http://scep.example.com/scep

set auto-update-days 3

set auto-update-days-warning 2

end

Certificate revocation lists

If you obtained your CRL using SCEP, you can configure online updates to the CRL using the config vpn certificate crl command. The relevant fields are:

Variable Description
http-url <http_url> URL of the server used for automatic CRL certificate updates. This can be HTTP or HTTPS.
scep-cert <scep_certificate> Local certificate used for SCEP communication for CRL auto-update.
scep-url <scep_url> URL of the SCEP CA server used for automatic CRL certificate updates. This can be HTTP or HTTPS.
update-interval <seconds> How frequently, in seconds, the FortiGate unit checks for an updated CRL. Enter 0 to update the CRL only when it expires. Not available for http URLs.
update-vdom <update_vdom> VDOM used to communicate with remote SCEP server for CRL auto-update.

In this example, an updated CRL is requested only when it expires.

config vpn certificate crl

edit cert_crl

set http-url http://scep.example.com/scep

set scep-cert my-scep-cert

set scep-url http://scep.ca.example.com/scep

set update-interval 0

set update-vdom root

end

Backing up and restoring local certificates

The FortiGate unit provides a way to export and import a server certificate and the FortiGate unit’s personal key through the CLI. If required (to restore the FortiGate unit configuration), you can import the exported file through the System > Certificates page of the GUI.

note icon As an alternative, you can back up and restore the entire FortiGate configuration through the System Information widget on the Dashboard of the GUI. Look for [Backup] and [Restore] in the System Configuration row. The backup file is created in a FortiGate-proprietary format.
To export a server certificate and private key - CLI:

This procedure exports a server (local) certificate and private key together as a password protected PKCS12 file. The export file is created through a customer-supplied TFTP server. Ensure that your TFTP server is running and accessible to the FortiGate unit before you enter the command.

  1. Connect to the FortiGate unit through the CLI.
  2. Type the following command:

    execute vpn certificate local export tftp <cert_name> <exp_filename> <tftp_ip> <password>

    where:

    • <cert_name> is the name of the server certificate; typing ? displays a list of installed server certificates.
    • <exp_filename> is a name for the output file.
    • <tftp_ip> is the IP address assigned to the TFTP server host interface.
  3. Move the output file from the TFTP server location to the management computer for future reference.
To import a server certificate and private key - GUI:
  1. Go to System > Certificates and select Import.
  2. In Type, select PKCS12 Certificate.
  3. Select Browse. Browse to the location on the management computer where the exported file has been saved, select the file, and then select Open.
  4. In the Password field, type the password needed to upload the exported file.
  5. Select OK, and then select Return.
To import a server certificate and private key - CLI:
  1. Connect to the FortiGate unit through the CLI.
  2. Type the following command:
  3. execute vpn certificate local import tftp <file_name> <tftp_ip_address> <file_type> <Enter for 'cer'>|<password for 'p12'>

    For example:

    execute vpn certificate local import tftp FGTF-extern.p12 10.1.100.253 p12 123456

To import separate server certificate and private key files - GUI

Use the following procedure to import a server certificate and the associated private key file when the server certificate request and private key were not generated by the FortiGate unit. The two files to import must be available on the management computer.

  1. Go to System > Certificates and select Import.
  2. In Type, select Certificate.
  3. Select the Browse button beside the Certificate file field. Browse to the location on the management computer where the certificate file has been saved, select the file, and then select Open.
  4. Select the Browse button beside the Key file field. Browse to the location on the management computer where the key file has been saved, select the file, and then select Open.
  5. If required, in the Password field, type the associated password, and then select OK.
  6. Select Return.

Configuring certificate-based authentication

You can configure certificate-based authentication for FortiGate administrators, SSL VPN users, and IPsec VPN users.

In Microsoft Windows 7, you can use the certificate manager to keep track of all the different certificates on your local computer. To access certificate manager, in Windows 7 press the Windows key, enter “certmgr.msc” at the search prompt, and select the displayed match. Remember that in addition to these system certificates, many applications require you to register certificates with them directly.

To see FortiClient certificates, open the FortiClient Console, and select VPN. The VPN menu has options for My Certificates (local or client) and CA Certificates (root or intermediary certificate authorities). Use Import on those screens to import certificate files from other sources.

Authenticating administrators with security certificates

You can install a certificate on the management computer to support strong authentication for administrators.

To enable strong administrative authentication:

  • Obtain a signed personal certificate for the administrator from a CA and load the signed personal certificate into the web browser on the management computer according to the browser documentation.
  • Install the root certificate and the CRL from the issuing CA on the FortiGate unit (see Installing a CA root certificate and CRL to authenticate remote clients ).
  • Create a PKI user account for the administrator.
  • Add the PKI user account to a firewall user group dedicated to PKI-authenticated administrators.
  • In the administrator account configuration, select PKI as the account Type and select the User Group to which the administrator belongs.

Support exact match for subject and CN fields in peer user

In order to avoid any unintentional admin access by regular users, administrators can specify which way a peer user authenticates.

When searching for a matching certificate, use the commands below to control how to find matches in the certificate subject name (subject-match) or the cn attribute (cn-match) of the certificate subject name. This match can be any string (substring) or an exact match (value) of the cn attribute value.

To determine certificate subject name matches - CLI:

config vpn certificate setting

edit <name>

set subject-match {substring | value}

set cn-match {substring | value}

next

end

Authenticating SSL VPN users with security certificates

While the default self-signed certificates can be used for HTTPS connections, it is preferable to use the X.509 server certificate to avoid the redirection as it can be misinterpreted as possible session hijacking. However, the server certificate method is more complex than self-signed security certificates. Also the warning message is typically displayed for the initial connection, and future connections will not generate these messages.

X.509 certificates can be used to authenticate IPsec VPN peers or clients, or SSL VPN clients. When configured to authenticate a VPN peer or client, the FortiGate unit prompts the VPN peer or client to authenticate itself using the X.509 certificate. The certificate supplied by the VPN peer or client must be verifiable using the root CA certificate installed on the FortiGate unit in order for a VPN tunnel to be established.

To enable certificate authentication for an SSL VPN user group:
  1. Install a signed server certificate on the FortiGate unit and install the corresponding root certificate (and CRL) from the issuing CA on the remote peer or client.
  2. Obtain a signed group certificate from a CA and load the signed group certificate into the web browser used by each user. Follow the browser documentation to load the certificates.
  3. Install the root certificate and the CRL from the issuing CA on the FortiGate unit (see Installing a CA root certificate and CRL to authenticate remote clients ).
  4. Create a PKI user for each SSL VPN user. For each user, specify the text string that appears in the Subject field of the user’s certificate and then select the corresponding CA certificate.
  5. Use the config user peergrp CLI command to create a peer user group. Add to this group all of the SSL VPN users who are authenticated by certificate.
  6. Go to Policy & Objects > IPv4 Policy.
  7. Edit the SSL-VPN security policy.
  8. Select the user group created earlier in the Source User(s) field.
  9. Select OK.

Authenticating IPsec VPN users with security certificates

To require VPN peers to authenticate by means of a certificate, the FortiGate unit must offer a certificate to authenticate itself to the peer.

To enable the FortiGate unit to authenticate itself with a certificate:
  1. Install a signed server certificate on the FortiGate unit.
    See To install or import the signed server certificate - GUI.
  2. Install the corresponding CA root certificate on the remote peer or client. If the remote peer is a FortiGate unit, see To install a CA root certificate.
  3. Install the certificate revocation list (CRL) from the issuing CA on the remote peer or client. If the remote peer is a FortiGate unit, see To import a certificate revocation list.
  4. In the VPN phase 1 configuration, set Authentication Method to Signature and from the Certificate Name list select the certificate that you installed in Step 1.

To authenticate a VPN peer using a certificate, you must install a signed server certificate on the peer. Then, on the FortiGate unit, the configuration depends on whether there is only one VPN peer or if this is a dialup VPN that can be multiple peers.

To configure certificate authentication of a single peer
  1. Install the CA root certificate and CRL.
  2. Create a PKI user to represent the peer. Specify the text string that appears in the Subject field of the user’s certificate and then select the corresponding CA certificate.
  3. In the VPN phase 1 Peer Options, select peer certificate for Accept Types field and select the PKI user that you created in the Peer certificate field.
To configure certificate authentication of multiple peers (dialup VPN)
  1. Install the corresponding CA root certificate and CRL.
  2. Create a PKI user for each remote VPN peer. For each user, specify the text string that appears in the Subject field of the user’s certificate and then select the corresponding CA certificate.
  3. Use the config user peergrp CLI command to create a peer user group. Add to this group all of the PKI users who will use the IPsec VPN.

In the VPN phase 1 Peer Options, select peer certificate group for Accept Types field and select the PKI user group that you created in the Peer certificate group field.

Support for per-VDOM certificates

The CA and local certificate configuration is available per-VDOM. When an admin uploads a certificate to a VDOM, it will only be accessible inside that VDOM. When an admin uploads a certificate to global, it will be accessible to all VDOMs and global.

There are factory default certificates such as Fortinet_CA_SSL, Fortinet_SSL, Fortinet_Wifi, and Fortinet_Factory. These certificates are moved to per-VDOM and automatically generated when a new VDOM is created.

note icon The Fortinet_Firmware certificate has been removed and all the attributes that use Fortinet_Firmware now use Fortinet_Factory.
CLI changes

Two new attributes range and source have been added:

range can be global or per-VDOM, if the certificate file is imported from global, it is a global certificate. If the certificate file is imported from a VDOM, it is VDOM certificate.

source can be either factory, user, or fortiguard:

  • factory: The factory certificate file with FortiOS version, this includes: Fortinet_CA_SSL, Fortinet_SSL, PositiveSSL_CA, Fortinet_Wifi, Fortinet_Factory.
  • user: Certificate file imported by the user.
  • fortiguard: Certificate file imported from FortiGuard.

config certificate local

edit Fortinet_Factory

set range {global | vdom}

set source {factory | user | fortiguard}

end

end

GUI changes

Global and new VDOMs have the following factory default certificates:

These certificates are created automatically when a new VDOM is created, with every VDOM having its own versions of these certificates.

Example — Generate a CSR on the FortiGate unit

This example follows all the steps required to create and install a local certificate on the FortiGate unit, without using CA software.

The FortiGate unit is called myFortiGate60, and is located at 10.11.101.101 (a private IP address) and http://myfortigate.example.com. Mr. John Smith (john.smith@myfortigate.example.com) is the IT administrator for this FortiGate unit, and the unit belongs to the Sales department located in Greenwich, London, England.

To generate a certificate request on the FortiGate unit - GUI:
  1. Go to System > Certificates.
  2. Select Generate.
  3. In the Certificate Name field, enter myFortiGate60.
  4. note icon Do not include spaces in the certificate name. This will ensure compatibility of a signed certificate as a PKCS12 file to be exported later on if required.

    Since the IP address is private, we will use the FQDN instead.

  5. Select Domain Name, and enter http://myfortigate.example.com.
  6. Enter values in the Optional Information area to further identify the FortiGate unit.
  7. Organization Unit Sales
    Organization Example.com
    Locality (City) Greenwich
    State/Province London
    Country England
    e-mail john.smith@myfortigate.example.com
  8. From the Key Type list, select RSA or Elliptic Curve.
  9. If RSA is selected, set Key Size to 2048 Bit. If Elliptic Curve is selected, set Curve Name to secp256r1.
  10. In Enrollment Method, select File Based to generate the certificate request
  11. Select OK.
    The request is generated and displayed in the Local Certificates list with a status of pending.
  12. Select the Download button to download the request to the management computer.
  13. In the File Download dialog box, select Save and save the Certificate Signing Request on the local file system of the management computer.
  14. Name the file and save it on the local file system of the management computer.

Example — Generate and Import CA certificate with private key pair on OpenSSL

This example explains how to generate a certificate using OpenSSL on MS Windows. OpenSSL is available for Linux and Mac OS as well, however their terminology will vary slightly from what is presented here.

Assumptions

Before starting this procedure, ensure that you have downloaded and installed OpenSSL on Windows. One source is: http://www.slproweb.com/products/Win32OpenSSL.html.

Generating and importing the CA certificate and private key

The two following procedures will generate a CA certificate file and private key file, and then import it to the FortiGate unit as a local certificate.

To generate the private key and certificate
  1. At the Windows command prompt, go to the OpenSSL bin directory. If you installed to the default location this will be the command:
  2. cd c:\OpenSSL-Win32\bin

  3. Enter the following command to generate the private key. You will be prompted to enter your PEM pass phrase. Choose something easy to remember such as fortinet123.
  4. openssl genrsa -aes256 -out fgtcapriv.key 2048

    This command generates an RSA AES256 2048-bit encryption key.

  5. The following command will generate the certificate using the key from the previous step.
  6. openssl req -new -x509 -days 3650 -extensions v3_ca -key fgtcapriv.key -out fgtca.crt

    This step generates an X509 CA certificate good for 10 years that uses the key generated in the previous step. The certificate filename is fgtca.crt.

    You will be prompted to enter information such as PEM Pass Phrase from the previous step, Country Name, State, Organization Name, Organizational Unit (such as department name), Common Name (the FQDN), and Email Address.

To import the certificate to the FortiGate unit - GUI:
  1. Go to System > Certificates.
  2. Select Import > Local Certificate.
  3. Select Certificate for Type.
    Fields for Certificate file, Key file, and Password are displayed.
  4. For Certificate file, enter c:\OpenSSL-Win32\bin\fgtca.crt.
  5. For Key file, enter c:\OpenSSL-Win32\bin\fgtcapriv.key.
  6. For Password, enter the PEM Pass Phrase you entered earlier, such as fortinet123.
  7. Select OK.

The Certificate will be added to the list of Local Certificates and be ready for use. It will appear in the list as the filename you uploaded — fgtca.You can add comments to this certificate to make it clear where its from and how it is intended to be used. If you download the certificate from FortiOS, it is a .CER file.

It can now be used in Authenticating IPsec VPN users with security certificates, and Authenticating SSL VPN users with security certificates.

Example — Generate an SSL certificate in OpenSSL

This example explains how to generate a CA signed SSL certificate using OpenSSL on MS Windows. OpenSSL is available for Linux and Mac OS as well, however their terminology will vary slightly from what is presented here.

In this example, you will:

  • Generate a CA signed SSL certificate
  • Generate a self-signed SSL certificate
  • Import the SSL certificate into FortiOS

Assumptions

Generating a CA signed SSL certificate

This procedure assumes that you have already completed Example — Generate and Import CA certificate with private key pair on OpenSSL successfully.

To generate the CA signed SSL certificate:
  1. At the Windows command prompt, go to the OpenSSL bin directory. If you installed to the default location this will be the following command:
  2. cd c:\OpenSSL-Win32\bin

  3. Enter the following command to generate the private key. You will be prompted to enter your PEM pass phrase. Choose something easy to remember such as fortinet.
  4. openssl genrsa -aes256 -out fgtssl.key 2048

    This command generates an RSA AES256 2048-bit encryption key.

  5. Create a certificate signing request for the SSL certificate. This step requires you to enter the information listed in step 3 of the previous example — To generate the private key and certificate. You can leave the Challenge Password blank.
  6. openssl req -new -sha256 -key fgtssl.key -out fgtssl.csr

    note icon Most Certificate Authorities will ignore the value that is set in the CSR and use whatever value they are set to use in their configuration. This means that the client will likely need to modify their openssl.conf file to use SHA-256 (or another SHA-2 variant).
  7. Using the CSR from the previous step, you can now create the SSL certificate using the CA certificate that was created in Example — Generate and Import CA certificate with private key pair on OpenSSL.
  8. openssl x509 -req -days 365 -in fgtssl.csr -CA fgtca.crt -CAkey fgtcapriv.key -set_serial 01 -out fgtssl.crt

    This will generate an X.509 certificate good for 365 days signed by the CA certificate fgtca.crt.

Generating a self-signed SSL certificate

This procedures does not require any existing certificates.

  1. At the Windows command prompt, go to the OpenSSL bin directory. If you installed to the default location this will be the following command:
  2. cd c:\OpenSSL-Win32\bin

  3. Enter the following command to generate the private key. You will be prompted to enter your PEM pass phrase. Choose something easy to remember such as fortinet.
  4. openssl genrsa -aes256 -out fgtssl.key 2048

    openssl req -new -key fgtssl.key -out fgtssl.csr

    openssl x509 -req -days 365 -in fgtssl.csr -signkey fgtssl.key -out fgtssl.crt

    These commands:

  • generate an RSA AES256 2048-bit private key,
  • generate an SSL certificate signing request, and
  • sign the CSR to generate an SSL .CRT certificate file.

Import the SSL certificate into FortiOS

To import the certificate to FortiOS- GUI
  1. Go to System > Certificates.
  2. Select Import > Local Certificate.
  3. Select Certificate for Type.
    Fields for Certificate file, Key file, and Password are displayed.
  4. For Certificate file, enter c:\OpenSSL-Win32\bin\fgtssl.crt.
  5. For Key file, enter c:\OpenSSL-Win32\bin\fgtssl.key.
  6. For Password, enter the PEM Pass Phrase you entered, such as fortinet.
  7. Select OK.

The SSL certificate you just uploaded can be found under System > Certificates under the name of the file you uploaded — fgtssl.

To confirm the certificate is uploaded properly - CLI:

config vpn certificate local

edit fgtssl

get

end

The get command will display all the certificate’s information. If it is not there or the information is not correct, you will need to remove the corrupted certificate (if it is there) and upload it again from your PC.

To use the new SSL certificate - CLI

config vpn ssl settings

set servercert fgtssl

end

This assigns the fgtssl certificate as the SSL server certificate. For more information see the FortiOS Handbook SSL VPN guide.