Administration Guide

Generating a CSR (Certificate Signing Request)

Whether you create certificates locally or obtain them from an external certificate service, you need to generate a Certificate Signing Request (CSR).

When a CSR is generated, a private and public key pair is created for FortiPAM. The generated request includes the public key of the device, and information such as the unit’s public static IP address, domain name, or email address. The device private key remains confidential on the unit.

After the request is submitted to a CA, the CA verifies the information and records it on a digital certificate that contains a serial number, a validity period (expiration date), and the public key of the device taken from the CSR. The CA then signs the certificate with the CA's own private key, after which you can install the signed certificate on FortiPAM.

To generate a CSR:
  1. Go to System > Certificates.
  2. From +Create/Import, select Generate CSR.

    The Generate Certificate Signing Request window opens.

  3. Enter the following information:

    Certificate Name

    Enter a unique name for the certificate request, such as the host name or the serial number of the device.

    Do not include spaces in the certificate name, to ensure compatibility when the certificate and key are exported as a PKCS12 file.

    Subject Information

    ID Type

    Select the ID type:

    • Host IP (default): Select this if the unit has a static IP address, and enter the device IP address in the IP field. Public CAs do not issue certificates for private or reserved IP addresses, so this option is mainly suited to certificates issued by an internal CA.

    • Domain Name: Enter the device domain name or FQDN in the Domain Name field. Use this when clients connect to FortiPAM by host name, which is the normal case for a TLS server certificate.

    • E-mail: Enter the email address of the device administrator in the E-mail field.

    Optional Information

    Optional information to further identify the device.

    Organizational Unit

    The name of the department.

    Up to 5 OUs can be added.

    Organization

    The legal name of the company or organization.

    Locality (City)

    The name of the city where the unit is located.

    State/Province

    The name of the state or province where the unit is located.

    Country/Region

    Enable the option, then select the country or region where the unit is located from the dropdown.

    The option is disabled by default.

    E-mail

    The contact email address.

    Subject Alternative Name

    One or more alternative names, separated by commas, for which the certificate is also valid.

    An alternative name can be: email address, IP address, URI, DNS name, or a directory name.

    Each name must be preceded by its type, for example: IP:1.2.3.4, or URL: http://your.url.here/.

    TLS clients, browsers included, match the server name against the Subject Alternative Name extension and ignore the subject's Common Name, so repeat the FQDN or IP address you entered as the ID Type here as an alternative name of the matching type.

    Password for private key

    A password that protects the private key. Record it in a password manager; you need it whenever the key is exported or imported together with the certificate, for example as a PKCS12 file.

    Key Type

    Select RSA or Elliptic Curve.

    Note: The default is RSA.

    Key Size

    If you selected RSA for the Key Type, select the Key size: 1024 Bit, 1536 Bit, 2048 Bit (default), or 4096 Bit.

    Larger key sizes are more secure but slower to generate and slower to use in every TLS handshake. Keep the 2048-bit default or choose 4096 bits: NIST has disallowed 1024-bit RSA for new signatures since 2013, and public CAs reject CSRs whose RSA key is shorter than 2048 bits.

    If you selected Elliptic Curve for the Key Type, select the Curve Name: secp256r1 (default), secp384r1, or secp521r1. These are the NIST P-256, P-384, and P-521 curves; secp256r1 gives security comparable to a 3072-bit RSA key with much faster handshakes.

    Enrollment Method

    Select the enrollment method.

    • File Based: Generate the certificate request (default).

    • Online SCEP: Obtain a signed certificate automatically over the network using the Simple Certificate Enrollment Protocol (SCEP). Enter the CA server URL and challenge password in their respective fields. Verify the CA certificate fingerprint out of band when the CA is first contacted, and treat the challenge password as a one-time secret issued by the CA for this enrollment.

  4. Click OK.
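The fields above map directly onto a standard PKCS#10 request. The following Go program is an added example, not code from the FortiPAM guide or the product: it builds a CSR with the same subject, Subject Alternative Name and key choices the dialog offers (RSA 2048 by default, or secp256r1), then runs the checks worth applying to the downloaded CSR before it is submitted to a CA, namely verifying the self-signature, rejecting RSA keys below 2048 bits, and requiring a SAN. The host name pam.example.com, the TEST-NET address 203.0.113.10 and the organization details are constructed placeholders. Go's standard library stands in for openssl req -text so the example runs without extra tooling.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"net"
)

// CSRForm mirrors the Subject, SAN and Key Type/Key Size fields of the dialog.
type CSRForm struct {
	CommonName                    string   // the ID Type value: host IP, FQDN or e-mail
	OUs                           []string // up to 5 Organizational Units
	Org, Locality, State, Country string
	DNSNames, IPs                 []string // SAN entries of type DNS and IP
	UseEC                         bool     // false = RSA (form default), true = secp256r1
	RSABits                       int      // 1024, 1536, 2048 or 4096, as offered on the form
}

// generateCSR builds a PEM PKCS#10 request equivalent to what the form produces;
// the private key is returned only to show that it is not part of the request.
func generateCSR(f CSRForm) (csrPEM []byte, priv any, err error) {
	if f.UseEC {
		priv, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // secp256r1
	} else {
		priv, err = rsa.GenerateKey(rand.Reader, f.RSABits)
	}
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject: pkix.Name{
			CommonName: f.CommonName, OrganizationalUnit: f.OUs,
			Organization: []string{f.Org}, Locality: []string{f.Locality},
			Province: []string{f.State}, Country: []string{f.Country},
		},
		DNSNames: f.DNSNames,
	}
	for _, s := range f.IPs {
		ip := net.ParseIP(s)
		if ip == nil {
			return nil, nil, fmt.Errorf("invalid SAN IP %q", s)
		}
		tmpl.IPAddresses = append(tmpl.IPAddresses, ip)
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, priv) // self-signed with priv
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), priv, nil
}

// checkCSR runs the pre-submission checks: the self-signature verifies (proof the unit
// holds the key), the key meets CA minimums, and a SAN is present (TLS clients ignore the CN).
func checkCSR(csrPEM []byte) (*x509.CertificateRequest, error) {
	blk, _ := pem.Decode(csrPEM)
	if blk == nil || blk.Type != "CERTIFICATE REQUEST" {
		return nil, errors.New("input is not a PEM certificate request")
	}
	csr, err := x509.ParseCertificateRequest(blk.Bytes)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR self-signature invalid: %w", err)
	}
	if pub, ok := csr.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < 2048 {
		return nil, fmt.Errorf("RSA key is %d bits; public CAs reject keys below 2048", pub.N.BitLen())
	} // EC keys: Go parses only P-256/P-384/P-521, the three curves the form offers
	if len(csr.DNSNames)+len(csr.IPAddresses)+len(csr.EmailAddresses) == 0 {
		return nil, errors.New("no Subject Alternative Name: add the FQDN or IP as a SAN")
	}
	return csr, nil
}

func sampleForm() CSRForm {
	return CSRForm{ // constructed placeholder values, not values from the guide
		CommonName: "pam.example.com", OUs: []string{"Security Engineering"},
		Org: "Example Corp", Locality: "Ottawa", State: "Ontario", Country: "CA",
		DNSNames: []string{"pam.example.com"}, IPs: []string{"203.0.113.10"}, RSABits: 2048,
	}
}

func main() {
	csrPEM, _, err := generateCSR(sampleForm())
	if err == nil {
		_, err = checkCSR(csrPEM)
	}
	fmt.Printf("%sprecheck error: %v\n", csrPEM, err) // <nil> means the CSR passed
}
```

Run it with go run, or point checkCSR at the PEM downloaded from System > Certificates. The checks mirror what public CAs and browsers enforce: the CA/Browser Forum Baseline Requirements require RSA keys of at least 2048 bits, and browsers validate the server name against the SAN extension only.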
