Administration Guide

Generating a certificate signing request

Many commercial certificate authorities (CAs) provide a website where you can generate your own certificate signing request (CSR). A CSR is an unsigned certificate file that the CA signs. When you generate a CSR, the associated private key that the appliance uses to sign and/or encrypt connections with clients is also generated.

If your CA does not provide this, or if you have your own private CA such as a Linux server with OpenSSL, you can use the appliance to generate a CSR and private key. Then, you can submit this CSR for verification and signing by the CA.

To generate a certificate request
  1. Go to Server Objects > Certificates > Local.
    To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Admin Users category. For details, see Permissions.
  2. Click Generate.
  3. Configure these settings to complete the certificate signing request:

    Certification Name

    Enter a unique name for the certificate request, such as www.example.com. This can be the name of your website.

    Subject Information

    Includes information that the certificate is required to contain in order to uniquely identify the FortiWeb appliance. This area varies depending on the ID Type selection.

    ID Type

    Select the type of identifier to use in the certificate to identify the FortiWeb appliance:

    • Host IP—Select if the FortiWeb appliance has a static IP address and enter the public IP address of the FortiWeb appliance in the IP field. If the FortiWeb appliance does not have a public IP address, use E-mail or Domain Name instead.
    • Domain Name—Select if the FortiWeb appliance has a static IP address and subscribes to a dynamic DNS service. Enter the FQDN of the FortiWeb appliance, such as www.example.com, in the Domain Name field. Do not include the protocol specification (HTTP://) or any port number or path names.
    • E-Mail—Select and enter the email address of the owner of the FortiWeb appliance in the e-mail field. Use this if the appliance does not require either a static IP address or a domain name.

    The type you should select varies by whether or not your FortiWeb appliance has a static IP address, a fully qualified domain name (FQDN), and by the primary intended use of the certificate.

    For example, if your FortiWeb appliance has both a static IP address and a domain name, but you will primarily use the local certificate for HTTPS connections to the web UI by the domain name of the FortiWeb appliance, you might prefer to generate a certificate based upon the domain name of the FortiWeb appliance, rather than its IP address.

    Depending on your choice for ID Type, related options appear.

    IP

    Type the static IP address of the FortiWeb appliance, such as 192.0.2.123.

    The IP address should be the one that is visible to clients. Usually, this should be its public IP address on the Internet, or a virtual IP that you use NAT to map to the appliance's IP address on your private network.

    This option appears only if ID Type is Host IP.

    Domain Name

    Type the fully qualified domain name (FQDN) of the FortiWeb appliance, such as www.example.com.

    The domain name must resolve to the static IP address of the FortiWeb appliance or protected server. For details, see Configuring the network interfaces.

    This option appears only if ID Type is Domain Name.

    E-mail

    Type the email address of the owner of the FortiWeb appliance, such as admin@example.com.

    This option appears only if ID Type is E-Mail.

    Optional Information

    Includes information that you may include in the certificate, but which is not required.

    Organization unit

    Type the name of your organizational unit (OU), such as the name of your department. This is optional.

    To enter more than one OU name, click the + icon, and enter each OU separately in each field.

    Organization

    Type the legal name of your organization. This is optional.

    Locality (City)

    Type the name of the city or town where the FortiWeb appliance is located. This is optional.

    State/Province

    Type the name of the state or province where the FortiWeb appliance is located. This is optional.

    Country/Region

    Select the name of the country where the FortiWeb appliance is located. This is optional.

    e-mail

    Type an email address that may be used for contact purposes, such as admin@example.com.

    This is optional.

    Subject Alternative Names

    Type the Subject Alternative Names to specify additional host names (sites, IP addresses, common names, etc.) to be protected by a single TLS certificate.

    Key Type

    Displays the type of algorithm used to generate the key.

    This option cannot be changed, but appears in order to indicate that only RSA is currently supported.

    Key Size

    Select a secure key size of 1024 Bit, 1536 Bit or 2048 Bit. Larger keys are slower to generate, but provide better security.

    Digest Algorithm

    Select whether to use the SHA1 or SHA256 algorithm to generate the certificate signing request (CSR).

    HSM

    Select if the private key for the connections is provided by an HSM instead of FortiWeb.

    Available only if you have enabled HSM settings using the config system global command.

    For details, see Generating a certificate signing request.

    Partition Name

    Enter the name of a partition where the private key for this certificate is located on the HSM.

    Available only if HSM is selected.

    If you have enabled HSM HA mode, this option is greyed out because the system automatically gets all the partitions associated with FortiWeb on the HSM HA servers.

    Enrollment Method

    Select either:

    • File Based—You must manually download and submit the resulting certificate request file to a certificate authority (CA) for signing. Once signed, upload the local certificate.
    • Online SCEP—The FortiWeb appliance will automatically use HTTP to submit the request to the simple certificate enrollment protocol (SCEP) server of a CA, which will validate and sign the certificate. For this selection, two options appear. Enter the CA Server URL and the Challenge Password.

      Not available if HSM is selected.
  4. Click OK.
  5. The FortiWeb appliance creates a private and public key pair. The generated request includes the public key of the FortiWeb appliance and information such as the FortiWeb appliance's IP address, domain name, or email address. The FortiWeb appliance's private key remains confidential on the FortiWeb appliance. The Status column of the entry is PENDING.

    If you configured your CSR to work with the FortiWeb HSM configuration, the CSR generation process creates a private key both on the HSM and on FortiWeb. The private key on the HSM is used to secure communication when FortiWeb uses the certificate. The FortiWeb private key is used when you upload the certificate to FortiWeb.

  6. Select the row that corresponds to the certificate request.
  7. Click Download.
  8. Standard dialogs appear with buttons to save the file at a location you select. Your web browser downloads the certificate request .csr file. Time required varies by the size of the file and the speed of your network connection.

  9. Upload the certificate request to your CA.
  10. After you submit the request to a CA, the CA will verify the information in the certificate, give it a serial number, an expiration date, and sign it with the public key of the CA.

  11. If you are not using a commercial CA whose root certificate is already installed by default on web browsers, download your CA's root certificate, then install it on all computers that will be connecting to your appliance. If you do not install these, those computers may not trust your new certificate.
  12. When you receive the signed certificate from the CA, upload the certificate to the FortiWeb appliance. For details, see Generating a certificate signing request.
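The same request built by hand with OpenSSL on a Linux host, for the private-CA case the introduction mentions. This is an added example, not Fortinet's code and not output of the appliance; the host name www.example.com, the IP address 192.0.2.123, the address admin@example.com and the organization names are placeholder values. It goes a little beyond the form: it builds a CSR with the choices the form offers (RSA 2048, SHA256, a Subject Alternative Name covering the FQDN and IP), reads the request back to confirm those choices before it is submitted, rejects the weaker 1024/1536-bit and SHA1 options, then signs it with a throwaway private root and checks that the result chains to that root, which is what a client needs once the root is installed.

```shell
#!/bin/sh
# Added example (not from the FortiWeb guide): build, check, sign and verify a CSR
# with OpenSSL. Every name, address and IP below is a placeholder value.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys, requests and certificates

# gen_csr NAME FQDN IP EMAIL: writes NAME.key (private key, stays with the server and
# is never sent to the CA) and NAME.csr (public key plus subject) into $WORK.
gen_csr() {
    name=$1 fqdn=$2 ip=$3 email=$4
    cat > "$WORK/$name.cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
req_extensions     = v3_req
[ dn ]
CN           = $fqdn
O            = Example Org
OU           = Security
L            = Example City
ST           = Example State
C            = US
emailAddress = $email
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$fqdn, IP:$ip, email:$email
EOF
    # RSA 2048 with SHA-256; -nodes leaves the key unencrypted so a server can load it.
    openssl req -new -newkey rsa:2048 -sha256 -nodes \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" \
        -config "$WORK/$name.cnf" >/dev/null 2>&1
    chmod 600 "$WORK/$name.key"
}

# Read back what the CSR actually contains so it can be reviewed before submission.
csr_text()     { openssl req -in "$WORK/$1.csr" -noout -text; }
csr_key_bits() { csr_text "$1" | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p'; }
csr_sig_alg()  { csr_text "$1" | sed -n 's/^ *Signature Algorithm: //p' | head -n 1; }
csr_san()      { csr_text "$1" | sed -n '/Subject Alternative Name/{n;s/^ *//p;}'; }

# csr_policy_ok NAME: succeed only if the request self-verifies, carries an RSA key of
# at least 2048 bits and is signed with SHA-256 (rejects the 1024/1536-bit and SHA1 options).
csr_policy_ok() {
    openssl req -in "$WORK/$1.csr" -noout -verify >/dev/null 2>&1 || return 1
    [ "$(csr_key_bits "$1")" -ge 2048 ] || return 1
    [ "$(csr_sig_alg "$1")" = "sha256WithRSAEncryption" ] || return 1
}

# make_private_ca: a throwaway private root, the "Linux server with OpenSSL" case.
make_private_ca() {
    cat > "$WORK/ca.cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
CN = Example Private Root CA
O  = Example Org
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 365 -config "$WORK/ca.cnf" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# sign_csr NAME: the CA assigns a serial number and validity period and signs with
# its own private key; the leaf extensions are taken from the request's config.
sign_csr() {
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$WORK/$1.cnf" -extensions v3_req \
        -out "$WORK/$1.crt" >/dev/null 2>&1
}

# cert_chains_to_ca NAME: what a client that has the root installed would conclude.
cert_chains_to_ca() { openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1; }

# Demo run with placeholder values: request, review, sign, verify.
demo() {
    gen_csr fortiweb www.example.com 192.0.2.123 admin@example.com
    printf 'key: %s bits, digest: %s\nSAN: %s\n' \
        "$(csr_key_bits fortiweb)" "$(csr_sig_alg fortiweb)" "$(csr_san fortiweb)"
    csr_policy_ok fortiweb && echo "CSR meets policy"
    make_private_ca
    sign_csr fortiweb
    cert_chains_to_ca fortiweb && echo "certificate chains to the private root: $WORK/fortiweb.crt"
}

demo
```

The generated files stay in `$WORK` (set the variable to choose the directory). Only `fortiweb.csr` leaves the host; `fortiweb.key` is the counterpart of the private key the guide says remains confidential on the appliance, and `ca.crt` is the root that every connecting client must have installed for the verify step to succeed on their side as it does here.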