The certificate templates menu allows you to create certificate templates for an external certificate authority (CA) or the local FortiManager CA.
FortiManager includes a certificate authority server for each ADOM. When you create an ADOM, the private and public key pair is created for the ADOM. The key pair is automatically used when you use FortiManager to define IPsec VPNs or SSL-VPNs for a device.
When you add a device to an IPsec VPN or SSL-VPN topology with a certificate template that uses the FortiManager CA, the local FortiManager CA is automatically used. No request for a pre-shared key (PSK) is generated. When the IPsec VPN or SSL-VPN topology is installed to the device, the following process completes automatically:
- The FortiGate device generates a certificate signing request (CSR) file.
- FortiManager signs the CSR file and installs the CSR file on the FortiGate device.
- The CA certificate with public key is installed on the FortiGate device.
Certificate templates are available in 5.0, 5.2, 5.4 and later ADOMs. Some settings may not be available in all ADOM versions.
The following options are available:
Create a new certificate template.
Edit a certificate template. Right-click a certificate template, and select Edit.
Delete a certificate template. Right-click a certificate template, and select Delete.
Create a new certificate from a device.
To create a new certificate template:
- Go to Device Manager > Provisioning Templates > Certificate Templates.
- Click Create New. The Create New Certificate Template pane opens.
- Enter the following information, then click OK to create the certificate template:
Specify whether the certificate uses an external or local certificate authority (CA).
When you select External, you must specify details about online SCEP enrollment.
When you select Local, you are using the FortiManager CA server.
Type a name for the certificate.
Optionally, type the organization unit, organization, locality (city), province or state, country or region, and email address.
RSA is the default key type. This field cannot be edited.
Select the key size from the dropdown list: 512 bit, 1024 bit, 1536 bit, or 2048 bit.
Online SCEP Enrollment
These options are only available when the certificate type is External.
CA Server URL
Type the server URL for the external CA.
Type the challenge password for the external CA server.
To edit a certificate template:
- Select a certificate template, and click Edit.
- Edit the settings as required in the Edit Certificate Template pane, and click OK.
To delete a certificate template:
- Select a certificate template, and click Delete.
- Click OK in the confirmation dialog box.