Fortinet Document Library


Generating a certificate signing request

Many commercial certificate authorities (CAs) provide websites where you can generate your own certificate signing request (CSR). A CSR is an unsigned certificate file that the CA will sign. When a CSR is generated, the associated private key that the appliance will use to sign and/or encrypt connections with clients is also generated.

If your CA does not provide this service, or if you have your own private CA such as a Linux server with OpenSSL, you can use FortiADC to generate a CSR and private key. This CSR can then be submitted for verification and signing by the CA.

Before you begin:

  • You must have Read-Write permission for System settings.

To generate a certificate signing request:
  1. Go to System > Certificate > Manage Certificates.
  2. Click the Local Certificate tab.
  3. Click Generate to display the configuration editor.
  4. Complete the configuration as described in CSR configuration.
  5. Click Save when done.
  6. The system creates a private and public key pair. The generated request includes the public key of the FortiADC appliance and information such as the IP address, domain name, or email address. The FortiADC appliance private key remains confidential on the FortiADC appliance. The Status column of the new CSR entry is Pending.
  7. Select the row that corresponds to the certificate request.
  8. Click Download.
  9. Standard dialogs appear with buttons to save the file at a location you select. Your web browser downloads the certificate request (.csr) file.
  10. Upload the certificate request to your CA.
  11. After you submit the request to a CA, the CA will verify the information in the certificate, give it a serial number, an expiration date, and sign it with the public key of the CA.
  12. If you are not using a commercial CA whose root certificate is already installed by default on web browsers, download your CA’s root certificate, and then install it on all computers that will be connecting to your FortiADC appliance. Otherwise, those computers might not trust your new certificate.
  13. After you've received the signed certificate from the CA, import the certificate into the FortiADC system.

CSR configuration

Settings Guidelines
Generate Certificate Signing Request
Certification Name

Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces. The maximum length is 35 characters.

Note: This is the name of the CSR file, not the host name/IP contained in the certificate’s Subject: line.

Subject Information
ID Type

Select the type of identifier to use in the certificate to identify the virtual server:

  • Host IP—The static public IP address of the FortiADC virtual server in the IP Address field. If the FortiADC appliance does not have a static public IP address, use the email or domain name options instead.
    Note: Do NOT use this option if your network has a dynamic public IP address. Your web browser will display the “Unable to verify certificate” or similar error message when your public IP address changes.
  • Domain Name—The fully qualified domain name (FQDN) of the FortiADC virtual server, such as www.example.com. This does not require that the IP address be static, and may be useful if, for example, your network has a dynamic public IP address and therefore clients connect to it via dynamic DNS. Do not include the protocol specification (http://) or any port number or path names.
  • E-Mail—The email address of the owner of the FortiADC virtual server. Use this if the virtual server does not require either a static IP address or a domain name.

Depending on your choice for ID Type, related options appear.

IP Address

Enter the static IP address of the FortiADC appliance, such as 10.0.0.1. The IP address should be the one that is visible to clients. Usually, this is its public IP address on the Internet, or a virtual IP that you use NAT to map to the appliance’s IP address on your private network.

This option appears only if ID Type is Host IP.

Domain Name

Enter the FQDN of the FortiADC appliance, such as www.example.com. The domain name must resolve to the IP address of the FortiADC appliance or backend server according to the DNS server used by clients. (If it does not, the clients’ browsers will display a Host name mismatch or similar error message.)

This option appears only if ID Type is Domain Name.

Email

Enter the email address of the owner of the FortiADC appliance, such as admin@example.com.

This option appears only if ID Type is E-Mail.

Distinguished Information
Organization Unit

Name of organizational unit (OU), such as the name of your department. This is optional. To enter more than one OU name, click the + icon, and enter each OU separately in each field.

Organization

Legal name of your organization.

Locality (City)

City or town where the FortiADC appliance is located.

State/Province

State or province where the FortiADC appliance is located.

Country/Region

Country where the FortiADC appliance is located.

Email

E-mail address that may be used for contact purposes, such as admin@example.com.

Key Information
Key Type

Select either of the following:

  • RSA
  • ECDSA
Key Size / Curve Name

For RSA key, select one of the following key sizes:

  • 512 Bit
  • 1024 Bit
  • 1536 Bit
  • 2048 Bit
  • 4096 Bit

Note: Larger keys use more computing resources, but provide better security.

For ECDSA, select one of the following curve names:

  • prime256v1
  • secp384r1
  • secp521r1
Enrollment Information
Enrollment Method

  • File-Based—You must manually download and submit the resulting certificate request file to a CA for signing. Once signed, upload the local certificate.
  • Online SCEP—The FortiADC appliance automatically uses HTTP to submit the request to the simple certificate enrollment protocol (SCEP) server of a CA, which will validate and sign the certificate. For this selection, two options appear. Enter the CA Server URL and the Challenge Password.
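The CSR editor fields above map directly onto the X.509 request structure. The following added example (written for this page using the Python `cryptography` package; it is not FortiADC code) builds a request with the same Subject and Distinguished Information fields, the same Key Type / Key Size / Curve Name choices, and then lints the resulting .csr the way a practitioner would before uploading it to a CA: the proof-of-possession signature must verify, the CN must be a bare IP, FQDN or e-mail address with no scheme, port or path, and the key must meet a size or curve policy. `MIN_RSA_BITS`, `id_type` and `lint_csr` are assumptions of this example, not FortiADC settings.

```python
import ipaddress
import re

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec, rsa
from cryptography.x509.oid import NameOID

# Policy assumption for this example, not a FortiADC limit: the editor offers
# RSA sizes from 512 bits up, but a 2048-bit floor is what public CAs accept.
MIN_RSA_BITS = 2048
# The page's curve names; OpenSSL's prime256v1 is reported as secp256r1.
CURVES = {"prime256v1": ec.SECP256R1, "secp384r1": ec.SECP384R1, "secp521r1": ec.SECP521R1}
ALLOWED_CURVE_NAMES = {"secp256r1", "secp384r1", "secp521r1"}


def generate_key(key_type="RSA", size_or_curve=2048):
    """Key Type plus Key Size (RSA) or Curve Name (ECDSA)."""
    if key_type == "RSA":
        return rsa.generate_private_key(public_exponent=65537, key_size=size_or_curve)
    if key_type == "ECDSA":
        return ec.generate_private_key(CURVES[size_or_curve]())
    raise ValueError(f"unknown key type {key_type!r}")


def build_csr(key, subject_id, org, locality, state, country, email, org_units=()):
    """Subject Information + Distinguished Information -> PEM-encoded CSR.
    subject_id is the Host IP, Domain Name or E-Mail chosen under ID Type and
    becomes the CN; each OU becomes its own attribute, like the '+' icon does."""
    attrs = [x509.NameAttribute(NameOID.COMMON_NAME, subject_id)]
    attrs += [x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, ou) for ou in org_units]
    attrs += [
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, org),
        x509.NameAttribute(NameOID.LOCALITY_NAME, locality),
        x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, state),
        x509.NameAttribute(NameOID.COUNTRY_NAME, country),  # two-letter code
        x509.NameAttribute(NameOID.EMAIL_ADDRESS, email),
    ]
    csr = (x509.CertificateSigningRequestBuilder()
           .subject_name(x509.Name(attrs))
           .sign(key, hashes.SHA256()))  # proves possession of the private key
    return csr.public_bytes(serialization.Encoding.PEM)


def id_type(cn):
    """Classify a CN the way the ID Type selector does; None if it is none of them."""
    try:
        ipaddress.ip_address(cn)
        return "Host IP"
    except ValueError:
        pass
    if re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", cn):
        return "E-Mail"
    if re.fullmatch(r"(?=.{1,253}$)([a-z0-9-]+\.)+[a-z]{2,}", cn, re.IGNORECASE):
        return "Domain Name"
    return None


def lint_csr(csr_pem):
    """Checks worth running before the .csr file goes to the CA; [] when clean."""
    csr = x509.load_pem_x509_csr(csr_pem)
    findings = []
    if not csr.is_signature_valid:
        findings.append("CSR self-signature is invalid")
    cns = csr.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
    cn = cns[0].value if cns else ""
    if id_type(cn) is None:
        findings.append(f"CN {cn!r} is not a bare IP, FQDN or e-mail (no scheme, port or path)")
    pub = csr.public_key()
    if isinstance(pub, rsa.RSAPublicKey):
        if pub.key_size < MIN_RSA_BITS:
            findings.append(f"RSA key is {pub.key_size} bits; policy floor is {MIN_RSA_BITS}")
    elif isinstance(pub, ec.EllipticCurvePublicKey):
        if pub.curve.name not in ALLOWED_CURVE_NAMES:
            findings.append(f"curve {pub.curve.name} is not one of the supported curves")
    else:
        findings.append("key is neither RSA nor ECDSA")
    return findings


if __name__ == "__main__":
    # Constructed sample values; replace with your own appliance's details.
    key = generate_key("RSA", 2048)
    pem = build_csr(key, "www.example.com", "Example Corp", "Sunnyvale", "California", "US",
                    "admin@example.com", org_units=("IT", "Web Ops"))
    print(pem.decode())
    print("findings:", lint_csr(pem))
```

The private key never leaves the process here, just as the appliance keeps its key on-box; only the PEM request is what you would upload under the File-Based enrollment method.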

Importing local certificates

You can import (upload) the following types of X.509 server certificates and private keys into the FortiADC system:

  • Base64-encoded
  • PKCS #12 RSA-encrypted

Before you begin:

  • You must have Read-Write permission for System settings.
  • You must have downloaded the certificate and key files and be able to browse to them so that you can upload them.
To import a local certificate:
  1. Go to System > Certificate > Manage Certificates.
  2. Click the Local Certificate tab.
  3. Click Import to display the configuration editor.
  4. Complete the configuration as described in Local certificate import configuration.
  5. Click Save when done.

Local certificate import configuration

Settings Guidelines
Type

Click the down arrow and select one of the following options from the drop-down menu:

  • Local Certificate—Use this option only if you have a CA-signed certificate that originated from a CSR generated in FortiADC. See Generating a certificate signing request. Note: It is important to make sure that the load balancer (FortiADC appliance) you use to import a local certificate is the same appliance where the CSR was generated, because that is where the key matching the certificate resides. The import operation will fail without the matching key on the same hardware system.
  • PKCS12 Certificate—Use this option only if you have a PKCS #12 password-encrypted certificate with its key in the same file.
  • Certificate—Use this option only if you have a certificate and its key in separate files.

Note: Additional fields are displayed depending on your selection.

Local Certificate
Certificate File

Browse for and upload the certificate file that you want to use.

PKCS12 Certificate
Certificate Name

Specify the certificate name that can be referenced by other parts of the configuration, such as www_example_com. The maximum length is 35 characters. Do not use spaces or special characters.

Certificate File

Browse for and upload the certificate file that you want to use.

Password

Specify the password to decrypt the file. If the file was encrypted by a password when generated, the same password must be provided when the file is imported to FortiADC. If the file was generated without a password, there is no need to specify a password when importing the file to FortiADC.

Certificate
Certificate Name

Specify the name that can be referenced by other parts of the configuration, such as www_example_com. The maximum length is 35 characters. Do not use spaces or special characters.

Certificate File

Browse for and upload the certificate file that you want to use.

Key File

Browse for and upload the corresponding key file.

Password

Specify the password to decrypt the file. If the file was encrypted by a password when generated, the same password must be provided when the file is imported to FortiADC. If the file was generated without a password, there is no need to specify a password when importing the file to FortiADC.
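The three import options differ only in where the key comes from, and the note on the Local Certificate option (the key must already exist on the appliance that generated the CSR) is really a key-to-certificate match check. The added example below (written for this page with the Python `cryptography` package; not FortiADC code) walks the round trip described in the CSR procedure and the import table: a constructed private CA signs the uploaded CSR (assigning a serial number and expiry and signing with the CA's private key), the appliance-side check confirms the issued certificate belongs to the local key, a client-side check confirms the installed root actually issued it, and the key and certificate are bundled into a password-protected PKCS #12 file and reopened with the right and wrong password. The CA name, `www.example.com`, the password and every helper name are constructed for this example.

```python
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec, rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID

PEM = serialization.Encoding.PEM


def _now():
    return datetime.datetime.now(datetime.timezone.utc)


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_private_ca(cn="Example Private Root CA"):
    """Toy private CA (constructed for this example): EC key plus self-signed root."""
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (x509.CertificateBuilder()
            .subject_name(_name(cn)).issuer_name(_name(cn))
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(_now()).not_valid_after(_now() + datetime.timedelta(days=3650))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def sign_csr(csr_pem, ca_key, ca_cert, days=365):
    """What the CA does with the uploaded .csr: verify it, assign a serial number
    and expiration date, and sign the certificate with the CA's private key."""
    csr = x509.load_pem_x509_csr(csr_pem)
    if not csr.is_signature_valid:
        raise ValueError("CSR proof-of-possession failed")
    cert = (x509.CertificateBuilder()
            .subject_name(csr.subject).issuer_name(ca_cert.subject)
            .public_key(csr.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(_now()).not_valid_after(_now() + datetime.timedelta(days=days))
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .sign(ca_key, hashes.SHA256()))
    return cert.public_bytes(PEM)


def key_matches_cert(cert_pem, key_pem):
    """The precondition behind the Local Certificate note: the certificate's
    public key must belong to the private key held on this appliance."""
    cert = x509.load_pem_x509_certificate(cert_pem)
    key = serialization.load_pem_private_key(key_pem, password=None)
    return cert.public_key().public_numbers() == key.public_key().public_numbers()


def issued_by(cert_pem, ca_cert):
    """Client-side trust check: does the installed root's public key verify the signature?"""
    cert = x509.load_pem_x509_certificate(cert_pem)
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False


def to_pkcs12(name, key_pem, cert_pem, password):
    """Bundle key + certificate into one password-protected PKCS #12 blob."""
    key = serialization.load_pem_private_key(key_pem, password=None)
    cert = x509.load_pem_x509_certificate(cert_pem)
    return pkcs12.serialize_key_and_certificates(
        name.encode(), key, cert, None, serialization.BestAvailableEncryption(password))


def pkcs12_import_ok(blob, password):
    """Mirror of the PKCS12 import: wrong password -> False; otherwise the key
    inside the file must match the certificate inside the file."""
    try:
        key, cert, _chain = pkcs12.load_key_and_certificates(blob, password)
    except ValueError:
        return False
    return (key is not None and cert is not None
            and key.public_key().public_numbers() == cert.public_key().public_numbers())


def demo():
    """Run the whole round trip on constructed material and report each check."""
    ca_key, ca_cert = make_private_ca()
    server_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    csr_pem = (x509.CertificateSigningRequestBuilder().subject_name(_name("www.example.com"))
               .sign(server_key, hashes.SHA256()).public_bytes(PEM))
    cert_pem = sign_csr(csr_pem, ca_key, ca_cert)
    pkcs8 = (serialization.PrivateFormat.PKCS8, serialization.NoEncryption())
    key_pem = server_key.private_bytes(PEM, *pkcs8)
    other_key_pem = rsa.generate_private_key(65537, 2048).private_bytes(PEM, *pkcs8)
    blob = to_pkcs12("www_example_com", key_pem, cert_pem, b"constructed-password")
    return {
        "key_matches": key_matches_cert(cert_pem, key_pem),
        "other_key_matches": key_matches_cert(cert_pem, other_key_pem),  # import would fail
        "issued_by_our_ca": issued_by(cert_pem, ca_cert),
        "issued_by_other_ca": issued_by(cert_pem, make_private_ca("Other CA")[1]),
        "p12_right_password": pkcs12_import_ok(blob, b"constructed-password"),
        "p12_wrong_password": pkcs12_import_ok(blob, b"wrong"),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

`key_matches_cert` is the check to run before choosing the Certificate option with separate files; a mismatch there is the same failure the Local Certificate note describes, just detected before the upload. `issued_by` failing on a real client usually means the private CA's root was never installed on that machine.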
