Uploading a certificate using the GUI
On the System > Certificates page, there are two options to add a certificate: Generate (use a certificate signing request) and Import.
Generate certificate signing request
Certificate signing requests (CSRs) are used to generate a certificate which is then signed by a CA to create a chain of trust. The CSR includes details of the FortiGate (see table below) and its public key. A CSR is not strictly necessary; some CAs allow you to provide the details of the FortiGate manually, but a CSR helps streamline the process. Selecting Generate takes you the Generate Certificate Signing Request page to enter the following information:
Certificate Name |
Enter the certificate name; this is how it will appear in the Local Certificates list. |
|
Subject Information |
Specify an ID type: host IP address, domain name (FQDN), or email address. |
|
Optional Information |
Although listed as optional, we recommended entering the information for each field in this section. If you are generating a CSR for a third-party CA, you need to insure that these values reflect those listed for your company or organization at said certificate authority. If you are generating a certificate for a Microsoft CA, you need to check with the administrator regarding these values. |
|
|
Organization Unit |
Enter the name of the organizational unit under which the certificate will be issued. |
|
Organization |
Enter the overall name of the organization. |
|
Locality(City) |
Enter the city where the SSL certificate is located. |
|
State / Province |
Some issuers will reject a CSR that has an abbreviated state or province, so enter the full name of the state or province. |
|
Country / Region |
Enable the option and select the country from the dropdown. |
|
|
Enter the email address of the technical contact for the SSL certificate that is being requested. |
|
Subject Alternative Name |
This field allows multiple domains to be used in an SSL certificate. Select from email addresses, IP addresses, URIs, DNS names, and so on. |
|
Password for private key |
If supplied, this is used as an encryption password for the private key file. |
|
Key Type |
Select RSA or Elliptic Curve. |
|
Key Size |
When Key Type is RSA, select 1024, 1536, 2048, or 4096 for bit-size/strength. We recommend using at least 2048 if your CA can issue certificates of that size. |
|
Curve Name |
When Key Type is Elliptic Curve, select the elliptic curve type: secp256r1, secp384r1, or secp521r1. |
|
Enrollment Method |
Select one of the following methods that determines how the CSR will be signed.
|
Import
Although Import is often used in conjunction with a CSR, you may upload a certificate to the FortiGate that was generated on its own. This is typical of wildcard certificates (*.domain.tld) where the same certificate is used across multiple devices (FGT.domain.tld, FAZ.domain.tld, and so on), but may be used for individual certificates so long as the information provided to the signing CA matches that of the FortiGate.
When selecting Import, there are four options: Local Certificate, CA Certificate, Remote Certificate, and CRL.
Local certificate
Local certificates are used by the FortiGate to identify itself, or a service it provides, such as HTTPS administrative access, SSL VPN user portal, or virtual server load balancing where the FortiGate masquerades as the destination server. When selecting Local Certificate, three certificate type options appear in the Import Certificate pane:
Local Certificate |
There is no field to upload a key with this option. Use this option when you have created a CSR on the FortiGate, as the key is generated as part of the CSR process and remains on the FortiGate. You will need to upload a .CER file. |
PKCS #12 Certificate |
This option takes a specific certificate file type that contains the private key. The certificate will be encrypted and a password must be supplied with the certificate file. |
Certificate |
This option is intended for certificates that were generated without using the FortiGate’s CSR. Since the certificate private key is being uploaded, a password is required. This can be done two ways:
|
CA certificate
FortiGates come with many CA certificates from well-known certificate authorities pre-installed, just as most modern operating systems like Windows and MacOS. Use this option to add private CA certificates to the FortiGate so that certificates signed by this private CA are trusted by the FortiGate.
For example, a private CA can be used when two FortiGates are establishing a site-to-site VPN tunnel using a certificate not signed by a public or trustworthy CA, or for your LDAPS connection to your corporate AD server that also uses a certificate signed with a private CA in your domain. It is very common to upload a private CA when using PKI user authentication, since most PKI user certificates will be signed by an internal CA.
When selecting CA Certificate, two type options appear in the Import CA Certificate pane:
Online SCEP |
The FortiGate contacts an SCEP server to request the CA certificate. |
File |
The CA certificate is uploaded directly to the FortiGate. |
Remote certificate
Remote certificates are public certificates and contain only the public key. They are used to identify a remote device. For example, when configuring your FortiGate for SAML authentication with the FortiGate as an identity provider (IdP), you can optionally specify the service provider (SP) certificate. However, when configuring your FortiGate as a SP, you must specify the certificate used by the IdP. Both these certificates can be uploaded to the FortiGate as a remote certificate, since the private key is not necessary for its implementation.
CRL
Since it is not possible to recall a certificate, the CRL (certificate revocation list) list details certificates signed by valid CAs that should no longer be trusted. Certificates may be revoked for many reasons, such as if the certificate was issued erroneously, or if the private key of a valid certificate has been compromised. When selecting CRL, two import methods are available:
File Based |
CAs publish a file containing the list of certificates that should no longer be trusted. |
Online Updating |
This is the preferred way to keep the list of revoked certificates up to date. Three protocols are offered: HTTP, LDAP, and SCEP. |