
Administration Guide

Uploading a certificate using the GUI

On the System > Certificates page, there are two options to add a certificate: Generate (use a certificate signing request) and Import.

Generate certificate signing request

Certificate signing requests (CSRs) are used to generate a certificate which is then signed by a CA to create a chain of trust. The CSR includes details of the FortiGate (see table below) and its public key. A CSR is not strictly necessary; some CAs allow you to provide the details of the FortiGate manually, but a CSR helps streamline the process. Selecting Generate takes you to the Generate Certificate Signing Request page to enter the following information:

Certificate Name

Enter the certificate name; this is how it will appear in the Local Certificates list.

Subject Information

Specify an ID type: host IP address, domain name (FQDN), or email address.

Optional Information

Although listed as optional, we recommend entering the information for each field in this section.

If you are generating a CSR for a third-party CA, you need to ensure that these values reflect those listed for your company or organization at that certificate authority. If you are generating a certificate for a Microsoft CA, you need to check with the administrator regarding these values.

Organization Unit

Enter the name of the organizational unit under which the certificate will be issued.

Organization

Enter the overall name of the organization.

Locality(City)

Enter the city (locality) of the organization for which the SSL certificate is being issued.

State / Province

Some issuers will reject a CSR that has an abbreviated state or province, so enter the full name of the state or province.

Country / Region

Enable the option and select the country from the dropdown.

E-Mail

Enter the email address of the technical contact for the SSL certificate that is being requested.

Subject Alternative Name

This field allows multiple domains to be used in an SSL certificate. Select from email addresses, IP addresses, URIs, DNS names, and so on.

Password for private key

If supplied, this is used as an encryption password for the private key file.

Key Type

Select RSA or Elliptic Curve.

Key Size

When Key Type is RSA, select 1024, 1536, 2048, or 4096 for bit-size/strength. We recommend using at least 2048 if your CA can issue certificates of that size.

Curve Name

When Key Type is Elliptic Curve, select the elliptic curve type: secp256r1, secp384r1, or secp521r1.

Enrollment Method

Select one of the following methods, which determines how the CSR will be signed.

  • File Based: this will generate a certificate in the certificate menu under Local Certificate, which differs from the existing ones because it has no Subject, Comments, Issuer, or Expires values in the table. It will also show a Pending status because it is only a CSR at the moment and cannot function as a certificate just yet. You can download the CSR to provide to a CA for signing. If you open the CSR file, it should look similar to this:
    -----BEGIN CERTIFICATE REQUEST-----
    MIIC7jCCAdYCAQAwgZUxCzAJBgNVBAYT (… )HEKjDX+Hg==
    -----END CERTIFICATE REQUEST-----
    Next, the CSR file is supplied to a CA for signing, and the file returned by the CA should be in .CER format. This file is then uploaded to the FortiGate by going to System > Certificates > Import > Local Certificate and uploading the CER file.
  • Online SCEP: the Simple Certificate Enrollment Protocol (SCEP) allows devices to enroll for a certificate by using a URL and a password. The SCEP server works as a proxy to forward the FortiGate’s request to the CA and returns the result to the FortiGate (setting up an SCEP server is beyond the scope of this topic). Once the request is approved by the SCEP server, the FortiGate will have a signed certificate containing the details provided in the CSR.
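
The File Based flow above leaves you with two files to sanity-check before you hand the CSR to the CA and before you upload the returned .CER with Import > Local Certificate (which has no key field, so the .CER must match the key generated with the CSR). The following is an added example, not Fortinet code: it reproduces the Generate page's fields with openssl on a workstation, checks the CSR the way a CA operator would (key size, unabbreviated State / Province, SAN present, valid self-signature) and confirms a returned certificate carries the CSR's public key. All subject values, the SAN entries and the self-signed stand-in for the CA's reply are constructed; on a real FortiGate the private key is generated by the GUI and never leaves the device.

```shell
#!/bin/sh
# Added example (not Fortinet's code). Constructed values throughout; the private
# key is generated here only to emulate what the FortiGate does internally.
set -eu
WORK=$(mktemp -d)

# 1. CSR with the same fields the Generate page asks for: full state name (not "CA"),
#    organization, OU, locality, country, e-mail, RSA 2048 and a SAN with FQDN + host IP.
gen_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/fgt.key" -out "$WORK/fgt.csr" \
    -subj "/C=US/ST=California/L=Sunnyvale/O=Example Corp/OU=Network/CN=fgt.example.com/emailAddress=noc@example.com" \
    -addext "subjectAltName=DNS:fgt.example.com,IP:192.0.2.10" >/dev/null 2>&1
}

# 2. Checks a CA runs on a CSR (and you should run before sending it):
#    self-signature verifies, key >= 2048 bits, ST not abbreviated, SAN present.
check_csr() {
  csr="$1"
  openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
  text=$(openssl req -in "$csr" -noout -text -nameopt RFC2253)
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
  [ "${bits:-0}" -ge 2048 ] || return 1
  printf '%s\n' "$text" | grep -q 'ST=California' || return 1
  printf '%s\n' "$text" | grep -q 'DNS:fgt.example.com' || return 1
}

# 3. Stand-in for the CA (constructed): self-sign the CSR to produce the ".CER" reply.
sign_csr() {
  openssl x509 -req -in "$WORK/fgt.csr" -signkey "$WORK/fgt.key" -days 1 \
    -out "$WORK/fgt.cer" >/dev/null 2>&1
}

# 4. Before Import > Local Certificate: the returned certificate must carry the public
#    key of the key pair created with the CSR, otherwise the import cannot be used.
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ "$cert_pub" = "$key_pub" ]
}
```

Run `gen_csr && check_csr "$WORK/fgt.csr"` to vet a request, then `cert_matches_key fgt.cer fgt.key` against the file the CA actually returns; a mismatch means the CA signed a different request or re-keyed the certificate.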

Import

Although Import is often used in conjunction with a CSR, you may upload a certificate to the FortiGate that was generated on its own. This is typical of wildcard certificates (*.domain.tld) where the same certificate is used across multiple devices (FGT.domain.tld, FAZ.domain.tld, and so on), but may be used for individual certificates so long as the information provided to the signing CA matches that of the FortiGate.

When selecting Import, there are four options: Local Certificate, CA Certificate, Remote Certificate, and CRL.

Local certificate

Local certificates are used by the FortiGate to identify itself, or a service it provides, such as HTTPS administrative access, SSL VPN user portal, or virtual server load balancing where the FortiGate masquerades as the destination server. When selecting Local Certificate, four certificate type options appear in the Import Certificate pane:

Local Certificate

There is no field to upload a key with this option.

Use this option when you have created a CSR on the FortiGate, as the key is generated as part of the CSR process and remains on the FortiGate. You will need to upload a .CER file.

PKCS #12 Certificate

This option takes a specific certificate file type that contains the private key. The certificate will be encrypted and a password must be supplied with the certificate file.

Certificate

This option is intended for certificates that were generated without using the FortiGate’s CSR. Since the certificate private key is being uploaded, a password is required. This can be done two ways:

  • Certificate file and key file (typically .CER and .PEM)

  • Certificate and key bundle file (typically .PFX)

Automated

This option allows you to configure the Automated Certificate Management Environment (ACME), which allows you to request and use trusted certificates signed by Let’s Encrypt (see ACME certificate support for configuration details).

CA certificate

FortiGates come with many CA certificates from well-known certificate authorities pre-installed, just as most modern operating systems such as Windows and macOS do. Use this option to add private CA certificates to the FortiGate so that certificates signed by that private CA are trusted by the FortiGate.

For example, a private CA can be used when two FortiGates are establishing a site-to-site VPN tunnel using a certificate not signed by a public or trustworthy CA, or for your LDAPS connection to your corporate AD server that also uses a certificate signed with a private CA in your domain. It is very common to upload a private CA when using PKI user authentication, since most PKI user certificates will be signed by an internal CA.

When selecting CA Certificate, two type options appear in the Import CA Certificate pane:

Online SCEP

The FortiGate contacts an SCEP server to request the CA certificate.

File

The CA certificate is uploaded directly to the FortiGate.

Remote certificate

Remote certificates are public certificates and contain only the public key. They are used to identify a remote device. For example, when configuring your FortiGate for SAML authentication with the FortiGate as an identity provider (IdP), you can optionally specify the service provider (SP) certificate. However, when configuring your FortiGate as an SP, you must specify the certificate used by the IdP. Both these certificates can be uploaded to the FortiGate as a remote certificate, since the private key is not needed for this use.

CRL

Since it is not possible to recall a certificate, a CRL (certificate revocation list) details certificates signed by valid CAs that should no longer be trusted. Certificates may be revoked for many reasons, such as if the certificate was issued erroneously, or if the private key of a valid certificate has been compromised. When selecting CRL, two import methods are available:

File Based

CAs publish a file containing the list of certificates that should no longer be trusted.

Online Updating

This is the preferred way to keep the list of revoked certificates up to date. Three protocols are offered: HTTP, LDAP, and SCEP.