
Administration Guide

Certificate templates

The certificate templates menu allows you to create certificate templates for an external certificate authority (CA) or the local FortiManager CA.

FortiManager includes a certificate authority server for each ADOM. When you create an ADOM, the private and public key pair is created for the ADOM. The key pair is automatically used when you use FortiManager to define IPsec VPNs or SSL-VPNs for a device.

When you add a device to an IPsec VPN or SSL-VPN topology with a certificate template that uses the FortiManager CA, the local FortiManager CA is automatically used. No request for a pre-shared key (PSK) is generated. When the IPsec VPN or SSL-VPN topology is installed to the device, the following process completes automatically:

  • The FortiGate device generates a certificate signing request (CSR) file.
  • FortiManager signs the CSR and installs the resulting signed certificate on the FortiGate device.
  • The CA certificate with public key is installed on the FortiGate device.

Some settings may not be available in all ADOM versions.

The following options are available:

Create New

Create a new certificate template.

Edit

Edit a certificate template. Right-click a certificate template, and select Edit.

Delete

Delete a certificate template. Right-click a certificate template, and select Delete.

Generate

Create a new certificate from a device.

To create a new certificate template:
  1. Go to Device Manager > Provisioning Templates > Certificate Templates.
  2. Click Create New. The Create New Certificate Template pane opens.
  3. Enter the following information, then click OK to create the certificate template:

    Type

    Specify whether the certificate uses an external or local certificate authority (CA).

    When you select External, you must specify details about online SCEP enrollment.

    When you select Local, you are using the FortiManager CA server.

    Certificate Name

    Type a name for the certificate.

    Optional Information

    Optionally, type the organization unit, organization, locality (city), province or state, country or region, and email address.

    Key Type

    RSA is the default key type. This field cannot be edited.

    Key Size

    Select the key size from the dropdown list: 512 bit, 1024 bit, 1536 bit, or 2048 bit. Use 2048 bit unless a legacy peer requires a smaller key; 512-bit and 1024-bit RSA keys are no longer considered secure.

    Online SCEP Enrollment

    These options are only available when the certificate type is External.

    CA Server URL

    Type the server URL for the external CA.

    Challenge Password

    Type the challenge password for the external CA server.
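The three automatic steps described above (the device generates a CSR, the CA signs it, the CA certificate is installed) and the Key Size choice, as an added Go example that is not Fortinet's code and does not talk to FortiManager or a FortiGate. It plays both sides of the exchange with Go's standard library only: `ADOMCA` stands in for the per-ADOM CA key pair, `DeviceCSR` for the device side, `SignCSR` for the CA side (it verifies the CSR's proof-of-possession signature and refuses RSA keys below `MinRSABits`, mirroring a template that is set to 2048 bit), and `VerifyInstalled` for the chain check the device can perform once both certificates are installed. All names, validity periods and the `MinRSABits` policy are assumptions made for this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// MinRSABits is the smallest RSA modulus this hypothetical CA will sign (the dropdown's largest choice).
const MinRSABits = 2048

// ADOMCA stands in for the per-ADOM CA key pair that FortiManager creates (constructed here).
type ADOMCA struct {
	Key  *rsa.PrivateKey
	Cert *x509.Certificate
}

// NewADOMCA builds a self-signed CA certificate (constructed sample, 10-year validity).
func NewADOMCA(name string) (*ADOMCA, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &ADOMCA{Key: key, Cert: cert}, nil
}

// DeviceCSR models step 1: the device makes its own key pair and a CSR; only the CSR (DER) leaves it.
func DeviceCSR(commonName string, bits int) (*rsa.PrivateKey, []byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: commonName}}, key)
	return key, der, err
}

// SignCSR models step 2: verify the CSR's self-signature (proof of possession), apply the key-size policy, issue.
func (ca *ADOMCA) SignCSR(csrDER []byte, validity time.Duration) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR proof-of-possession failed: %w", err)
	}
	pub, ok := csr.PublicKey.(*rsa.PublicKey)
	if !ok || pub.N.BitLen() < MinRSABits {
		return nil, fmt.Errorf("policy requires an RSA key of at least %d bits", MinRSABits)
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      csr.Subject,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(validity),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, pub, ca.Key)
}

// VerifyInstalled models step 3: the issued certificate matches the device key and chains to the ADOM CA.
func VerifyInstalled(certDER []byte, caCert *x509.Certificate, devKey *rsa.PrivateKey) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return err
	}
	if !devKey.PublicKey.Equal(cert.PublicKey) {
		return fmt.Errorf("issued certificate does not match the device key")
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}
```

The two checks inside `SignCSR` are the ones worth carrying into any CA workflow: `CheckSignature` ensures the requester actually holds the private key the CSR names, and the `MinRSABits` comparison is where a template configured for 512 or 1024 bits would be caught before a weak certificate is ever issued. Note that the device key never leaves `DeviceCSR`; only the CSR and, later, the signed certificate travel between the two sides, which is exactly why no pre-shared key has to be generated.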

To edit a certificate template:
  1. Select a certificate template, and click Edit.

  2. Edit the settings as required in the Edit Certificate Template pane, and click OK.

To delete a certificate template:
  1. Select a certificate template, and click Delete.

  2. Click OK in the confirmation dialog box.

To renew a certificate that uses FortiManager as the CA:
  1. Right-click the certificate template used to generate the certificate.

  2. Select Generate.

  3. On the next install, the device receives a new certificate.
