Control Manager

Obtain a valid SSL certificate from a CA

If you do not have a certificate, you must obtain a certificate from a CA.

To obtain a valid third-party SSL certificate from a CA, you must generate a CSR and send it to the CA.

To generate a CSR and self-signed certificate:

  1. Select System > Settings.

  2. Expand the Security folder.

  3. Select Certificate Management from the tree.

  4. Click Generate CSR.

  5. Select the certificate target (the type of certificate you want to generate).

    • Select Admin UI to generate a CSR for the administrative user interface.

    • Select Persistent Agent to generate a CSR for the PA communications.

    • Select Portal to generate a CSR to secure the captive portal and DA communications.

    • Select RADIUS Server to generate a CSR for integrated FortiNAC RADIUS server set to use 802.1x and PEAP.

    The Private Key that corresponds with the CSR is stored on the appliance. Once the SSL Certificate is uploaded, to view the Private Key, click the Details button and select the Private Key tab.

  6. Enter the Common Name (Fully-Qualified Host Name). This is the Host Name to be secured by the certificate. If generating a wildcard CSR, enter the desired domain specifying the wildcard in the Common Name Field (Example: *.bradfordnetworks.com).

  7. Enter the Subject Alternative Names (leave blank if not requesting a SAN certificate). Click Add to enter each additional host name and/or IP address.

  8. Enter the remaining information for the certificate in the dialog box.

    • Organization: The name of the server's organization.

    • Organizational Unit: The name of the server's unit (department).

    • Locality (City): The city where the server is located.

    • State/Province: The state/province where the server is located.

    • 2 Letter Country Code: The country code where the server is located.

  9. Click OK to generate the CSR.

  10. Copy the section with the certificate request to include the following:

    -----BEGIN CERTIFICATE REQUEST-----

    ...Certificate Request Data...

    -----END CERTIFICATE REQUEST-----

  11. Paste it into a text file, and save the file with a .txt extension. Note the location of this file on your PC.

    Make sure there are no spaces, characters or carriage returns added to the Certificate Request.

  12. Send the Certificate Request file to the CA to request a Valid SSL Certificate.

Important notes:

  • Do not click OK in the Generate CSR screen after saving the Certificate Request file and sending to the CA. Each time OK is clicked on the Generate CSR screen, a new CSR and private key are created, overwriting any previous private key. Consequently, if a Certificate Request file has been submitted to the CA, and the OK button has been clicked since the original Certificate Request was generated, the returned certificate will not match the current private key, and a new request will have to be issued and sent to the CA.

  • Not all Certificate Authorities ask for the same information when requesting a certificate. For example, some CAs ask for a server type (Apache, etc.) while others do not. FortiNAC requires a non-encrypted certificate in one of the following formats:
    • PEM
    • DER
    • PKCS#7
    • P7B

    This will allow the certificate to be applied to any of the desired components.

    If the certificate is in PEM format, opening it in a text editor should show something like the following (the numbers 1 and 2 only label the first and second certificate in the file; an actual PEM file uses the same -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- markers for every certificate):

    -----BEGIN CERTIFICATE1-----

    fjkghwjernlsfuigylerkjlkfjnu23jnlkjbliu5ghl6kh4

    fjkjlkfjnu23jnlkjbliu5ghl6khkghwjernlsfuigyler4

    ghwjernlsfuigylerkjlkfjnu23jnlkjbliu5fjkghl6kh4

    -----END CERTIFICATE1-----

    -----BEGIN CERTIFICATE2-----

    fjkghwjernlsfuigylerkjlkfjnu23jnlkjbliu5ghl6kh4

    fjkjlkfjnu23jnlkjbliu5ghl6khkghwjernlsfuigyler4

    ghwjernlsfuigylerkjlkfjnu23jnlkjbliu5fjkghl6kh4

    -----END CERTIFICATE2-----

  • Certificate requests generated on FortiNAC are signed using SHA-1 with RSA. However, certificates signed with SHA-2 can be requested using this CSR, because the CA chooses the signature algorithm of the certificate it issues.

  • Agent versions prior to 3.1.5 are not compatible with SHA-2. Contact Support to verify the appropriate SHA version based on the current deployment.
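The checks implied by step 11 and the notes above can be run on the administrator's PC with the OpenSSL command line before anything is uploaded. This is an added example, not Fortinet code: it confirms the saved request file is intact, that the returned certificate carries the same public key as the request that was sent, and which signature algorithm each file uses. The file names, the host name nac.example.com and the throwaway keys are constructed stand-ins for the appliance's CSR and the CA's reply.

```shell
#!/bin/sh
# Added example (not Fortinet code). File names and the host name are hypothetical.

# True if FILE is an intact, parseable CSR whose self-signature verifies.
csr_intact() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# True if the certificate carries the same public key as the CSR.
cert_matches_csr() {  # usage: cert_matches_csr CSR_FILE CERT_FILE
    csr_key=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 2
    crt_key=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$csr_key" ] && [ "$csr_key" = "$crt_key" ]
}

# Print the signature algorithm of a CSR ("req") or certificate ("x509").
sig_alg() {  # usage: sig_alg req|x509 FILE
    openssl "$1" -in "$2" -noout -text | awk -F': ' '/Signature Algorithm/ {print $2; exit}'
}

# Constructed demo data: throwaway keys and CSRs stand in for the appliance's output.
make_demo() {  # usage: make_demo DIR
    for n in 1 2; do   # request2 models clicking OK again: a new key pair
        openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=nac.example.com" \
            -keyout "$1/key$n.pem" -out "$1/request$n.txt" 2>/dev/null || return 1
    done
    # Self-signing request1 stands in for the CA's reply to the first request.
    openssl x509 -req -in "$1/request1.txt" -signkey "$1/key1.pem" -days 1 \
        -out "$1/returned.pem" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_demo "$demo_dir"
for n in 1 2; do
    if cert_matches_csr "$demo_dir/request$n.txt" "$demo_dir/returned.pem"; then
        echo "request$n.txt: returned certificate matches this request"
    else
        echo "request$n.txt: MISMATCH, certificate was issued for a different key"
    fi
done
echo "CSR signature: $(sig_alg req "$demo_dir/request1.txt")"
echo "Certificate signature: $(sig_alg x509 "$demo_dir/returned.pem")"
rm -rf "$demo_dir"
```

In practice, pass the .txt file saved in step 11 and the certificate file returned by the CA to `csr_intact` and `cert_matches_csr`; a mismatch means the CSR was regenerated after submission and a new request has to be sent.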
