Generating a CSR (Certificate Signing Request)
Whether you create certificates locally or obtain them from an external certificate service, you need to generate a Certificate Signing Request (CSR).
When a CSR is generated, a private and public key pair is created for FortiPAM. The generated request includes the public key of the device, and information such as the unit’s public static IP address, domain name, or email address. The device private key remains confidential on the unit.
After the request is submitted to a CA, the CA verifies the information and registers the contact information on a digital certificate that contains a serial number, an expiration date, and the public key of the CA. The CA then signs the certificate, after which you can install the certificate on FortiPAM.
To generate a CSR:
- Go to System > Certificates.
- From +Create/Import, select Generate CSR.
The Generate Certificate Signing Request window opens.
- Enter the following information:
  - Certificate Name: Enter a unique name for the certificate request, such as the host name or the serial number of the device. Do not include spaces in the certificate name, to ensure compatibility when the certificate is exported as a PKCS12 file.
  - Subject Information
    - ID Type: Select the ID type:
      - Host IP (default): Select if the unit has a static IP address. Enter the device IP address in the IP field.
      - Domain Name: Enter the device domain name or FQDN in the Domain Name field.
      - E-mail: Enter the email address of the device administrator in the E-mail field.
  - Optional Information: Optional information to further identify the device.
    - Organizational Unit: The name of the department. Up to 5 OUs can be added.
    - Organization: The legal name of the company or organization.
    - Locality (City): The name of the city where the unit is located.
    - State/Province: The name of the state or province where the unit is located.
    - Country/Region: Enable the option, then select the country where the unit is located from the dropdown. The option is disabled by default.
    - E-mail: The contact email address.
    - Subject Alternative Name: One or more alternative names, separated by commas, for which the certificate is also valid. An alternative name can be an email address, IP address, URI, DNS name, or directory name. Each name must be preceded by its type, for example: IP:1.2.3.4, or URL:http://your.url.here/.
  - Password for private key: The password for the private key.
  - Key Type: Select RSA or Elliptic Curve. The default is RSA.
  - Key Size: If you selected RSA for the Key Type, select the key size: 1024 Bit, 1536 Bit, 2048 Bit (default), or 4096 Bit. Larger key sizes are more secure but slower to generate. If you selected Elliptic Curve for the Key Type, select the Curve Name: secp256r1 (default), secp384r1, or secp521r1.
  - Enrollment Method: Select the enrollment method:
    - File Based: Generate the certificate request (default).
    - Online SCEP: Obtain a signed certificate automatically over the network using the Simple Certificate Enrollment Protocol (SCEP). Enter the CA server URL and challenge password in their respective fields.
- Click OK.
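The fields collected by this form map directly onto an OpenSSL request. As an added example (not code from the FortiPAM documentation), the following shell script builds a passphrase-protected secp384r1 key and a CSR carrying the same subject and Subject Alternative Name entries, then checks the CSR before it is handed to a CA. The host names, IP address, organization details and passphrase are constructed placeholders, and the Elliptic Curve key type is an assumed choice.

```shell
#!/bin/sh
# Added example, not part of the FortiPAM documentation. Requires the openssl CLI.
# All names, addresses and the passphrase below are constructed placeholders.
set -eu

# $1 = output basename, $2 = private-key passphrase ("Password for private key")
gen_csr() {
    base="$1"; pass="$2"
    # Key Type = Elliptic Curve, Curve Name = secp384r1; the key is encrypted
    # with the passphrase so it never sits on disk in cleartext.
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:secp384r1 \
        -aes-256-cbc -pass "pass:$pass" -out "$base.key" 2>/dev/null
    # req config: the Subject fields (C, ST, L, O, OU, CN, E-mail) and the
    # Subject Alternative Name list, each entry prefixed with its type.
    cat > "$base.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
req_extensions = ext
[ dn ]
C = US
ST = California
L = Sunnyvale
O = Example Corp
OU = Security
CN = fortipam.example.internal
emailAddress = admin@example.internal
[ ext ]
subjectAltName = DNS:fortipam.example.internal,IP:192.0.2.10,email:admin@example.internal,URI:https://fortipam.example.internal/
EOF
    openssl req -new -config "$base.cnf" -key "$base.key" -passin "pass:$pass" \
        -out "$base.csr" 2>/dev/null
}

# Check the CSR before submitting it: its self-signature verifies, the Common
# Name and every SAN entry made it in, and the curve is the one requested.
verify_csr() {
    csr="$1"
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
    text=$(openssl req -in "$csr" -noout -text)
    for needle in "CN *= *fortipam.example.internal" \
                  "DNS:fortipam.example.internal" \
                  "IP Address:192.0.2.10" \
                  "email:admin@example.internal" \
                  "URI:https://fortipam.example.internal/" \
                  "secp384r1"; do
        printf '%s\n' "$text" | grep -q "$needle" || return 1
    done
}
```

Run `gen_csr ./fortipam 'your-passphrase' && verify_csr ./fortipam.csr`; a non-zero exit from `verify_csr` means a subject or SAN entry is missing and the request should be regenerated rather than submitted.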