Creating a certificate
To create a certificate:
- Go to System > Certificates.
- From +Create/Import, select Certificate.
The Create Certificate wizard opens.
- Enter the following information:
Choose Method
Automatically Provision Certificate
Select Use Let's Encrypt to automatically create a certificate using the ACME protocol with the Let's Encrypt service.
You will need to enable DDNS or purchase a domain.
Generate New Certificate
Select Generate Certificate to generate a certificate using the self-signed Fortinet_CA_SSL CA.
Using a server certificate from a trusted CA is strongly recommended.
Import Certificate
Select Import Certificate to import an existing certificate by uploading the file.
Certificate Details
Enter the certificate details and click Create to create a certificate.
Automatically Provision Certificate
The certificate will be automatically provisioned using the ACME protocol with the Let's Encrypt service. It is the easiest way to install a trusted certificate.
Certificate name
The name of the certificate.
Domain
The public FQDN of FortiPAM.
Note: The option is only available when the Chosen Method is Automatically Provision Certificate.
Email
The email address.
Note: The option is only available when the Chosen Method is Automatically Provision Certificate.
Set ACME Interface
If this is the first time enrolling a server certificate with Let's Encrypt on this FortiPAM unit, the Set ACME Interface pane opens.
Note: The options in the pane are only available when the Chosen Method is Automatically Provision Certificate.
ACME Interface
Select + and from Select Entries, select ports, or create new interfaces on which the ACME client will listen for challenges to provision and renew certificates.
Click OK when you have selected interfaces.
Use the search bar to look for an interface.
Use the pen icon next to the interface to edit it.
Generate New Certificate
Certificate authority
The certificate authority.
Note: The option is only available when the Chosen Method is Generate New Certificate.
Common name
The common name of the certificate. Enter an FQDN or an IPv4 address.
The common name should match the FQDN or the IP address of the primary SSL-VPN interface.
Note: The option is only available when the Chosen Method is Generate New Certificate.
Subject alternative name
An IP address or FQDN.
Subject alternative names (SAN) allow you to protect multiple host names with a single SSL certificate. SAN is part of the X.509 certificate standard.
Note: The option is only available when the Chosen Method is Generate New Certificate.
Update Your List of Trusted Certificate Authorities
Select Download CA Certificate to download Fortinet_CA_SSL CA to your computer.
Fortinet_CA_SSL is a local CA certificate. To avoid certificate warnings, you must download it and install it on each client machine.
Note: The option is only available when the Chosen Method is Generate New Certificate.
Import Certificate
Type
Select from the following three options:
Local Certificate
PKCS #12 Certificate
Certificate
Note: The option is only available when the Chosen Method is Import Certificate.
Certificate file
Select +Upload and locate the certificate file on your local computer.
Note: The option is only available when the Chosen Method is Import Certificate and the Type is either Local Certificate or Certificate.
Certificate with key file
Select +Upload and locate the certificate with key file on your local computer.
Note: The option is only available when the Chosen Method is Import Certificate and the Type is PKCS #12 Certificate.
Password
Enter the password.
Note: The option is only available when the Chosen Method is Import Certificate and the Type is either PKCS #12 Certificate or Certificate.
Confirm Password
Reenter the password to confirm.
Note: The option is only available when the Chosen Method is Import Certificate and the Type is PKCS #12 Certificate or Certificate.
Key file
Select +Upload and locate the key file on your local computer.
Note: The option is only available when the Chosen Method is Import Certificate and the Type is Certificate.
Review
Enable ACME log to see logs related to the certificate created using the ACME protocol.
Note: The option is only available when the Chosen Method is Automatically Provision Certificate.
Update Your List of Trusted Certificate Authorities
If you have not already downloaded the Fortinet_CA_SSL CA to your computer, select Download CA Certificate to download it.
Note: The option is only available when the Chosen Method is Generate New Certificate.
- Click OK.
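
A pre-check for the Common name and Subject alternative name fields described above, as an added example that is not part of the FortiPAM documentation or product. It assumes clients validate the names they connect to against SAN entries only, so a name matched by the common name alone is flagged. The wildcard handling goes beyond the IP address and FQDN entries the page lists, and all function names and sample values are constructed for illustration.

```python
import ipaddress

def _norm(name):
    # DNS names compare case-insensitively; drop a trailing root dot
    return name.strip().rstrip(".").lower()

def _as_ip(value):
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None

def san_covers(entry, target):
    """True if one entry (FQDN, wildcard FQDN or IP) covers the target name."""
    entry, target = _norm(entry), _norm(target)
    e_ip, t_ip = _as_ip(entry), _as_ip(target)
    if e_ip is not None or t_ip is not None:
        # An IP entry matches only the same address, never a host name
        return e_ip is not None and e_ip == t_ip
    if entry.startswith("*."):
        # A wildcard stands for exactly one left-most label
        head, _, rest = target.partition(".")
        return bool(head) and "." in rest and rest == entry[2:]
    return entry == target

def check_plan(common_name, sans, client_names):
    """Sort the names clients will use by how the planned certificate covers them.

    Assumption (not from the page): clients check SAN entries only, so a name
    matched by the common name alone is reported under "cn_only".
    """
    report = {"san": [], "cn_only": [], "missing": []}
    for name in client_names:
        if any(san_covers(s, name) for s in sans):
            report["san"].append(name)
        elif san_covers(common_name, name):
            report["cn_only"].append(name)
        else:
            report["missing"].append(name)
    return report

if __name__ == "__main__":
    # Constructed sample values (documentation-reserved name and address range)
    plan = check_plan(
        common_name="pam.example.com",
        sans=["pam.example.com", "192.0.2.10"],
        client_names=["PAM.example.com.", "192.0.2.10", "vpn.example.com"],
    )
    for bucket, names in plan.items():
        print(f"{bucket}: {names}")
```

Names reported under `cn_only` or `missing` should be added as subject alternative names before the certificate is generated.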