Fortinet black logo

Handbook

Generating or importing a local certificate

Generating or importing a local certificate

In order for FortiADC to authenticate client certificates, you can either generate a certificate signing request or upload trusted CA certificates to FortiADC.

Many commercial certificate authorities (CAs) provide websites where you can generate your own certificate signing request (CSR). A CSR is an unsigned certificate file that the CA will sign. When a CSR is generated, the associated private key that the appliance will use to sign and/or encrypt connections with clients is also generated.

If your CA does not provide this service, or if you have your own private CA such as a Linux server with OpenSSL, you can use FortiADC to generate a CSR and private key. This CSR can then be submitted for verification and signing by the CA. To generate a local certificate, see Generating a certificate signing request.

Alternatively, you can import (upload) the local certificates and their private key files into the FortiADC system.

The following types of X.509 server certificates and private keys are supported:

  • Base64-encoded
  • PKCS #12 RSA-encrypted

As part of the certificate importing functionality, FortiADC supports the Automatic Certificate Management Environment (ACME) protocol for automating the interactions between CAs and their users' web servers. FortiADC supports the ACME protocol to get SSL/TLS certificates through CAs like Let's Encrypt.

To import a local certificate through file upload or using the ACME protocol, see Importing local certificates.

Before you begin:
  • You must have Read-Write permission for System settings.

Generating a certificate signing request

Follow the steps below to generate a CSR and submit it for verification and signing by the CA.

To generate a certificate signing request:
  1. Go to System > Manage Certificates.
  2. Click the Local Certificate tab.
  3. Click Generate to display the configuration editor.
  4. Configure the following settings.
    SettingDescription
    Generate Certificate Signing Request
    Certification Name

    Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces. The maximum length is 35 characters.

    Note: This is the name of the CSR file, not the host name/IP contained in the certificate’s Subject: line.

    Subject Information
    ID Type

    Select the type of identifier to use in the certificate to identify the virtual server:

    • Host IP—The static public IP address of the FortiADC virtual server in the IP Address field. If the FortiADC appliance does not have a static public IP address, use the email or domain name options instead.
      Note: Do NOT use this option if your network has a dynamic public IP address. Your web browser will display the “Unable to verify certificate” or similar error message when your public IP address changes.
    • Domain Name—The fully qualified domain name (FQDN) of the FortiADC virtual server, such as www.example.com. This does not require that the IP address be static, and may be useful if, for example, your network has a dynamic public IP address and therefore clients connect to it via dynamic DNS. Do not include the protocol specification (http://) or any port number or path names.
    • E-Mail—The email address of the owner of the FortiADC virtual server. Use this if the virtual server does not require either a static IP address or a domain name.

    Depending on your choice for ID Type, related options appear.

    IP Address

    Enter the static IP address of the FortiADC appliance, such as 10.0.0.1.The IP address should be the one that is visible to clients. Usually, this should be its public IP address on the Internet, or a virtual IP that you use NAT to map to the appliance’s IP address on your private network.

    This option appears only if ID Type is Host IP.

    Domain Name

    Enter the FQDN of the FortiADC appliance, such as www.example.com. The domain name must resolve to the IP address of the FortiADC appliance or backend server according to the DNS server used by clients. (If it does not, the clients’ browsers will display a Host name mismatch or similar error message.)

    This option appears only if ID Type is Domain Name.

    EmailEnter the email address of the owner of the FortiADC appliance, such as admin@example.com. This option appears only if ID Type is E-Mail.
    Distinguished Information
    Organization UnitName of organizational unit (OU), such as the name of your department. This is optional. To enter more than one OU name, click the + icon, and enter each OU separately in each field.
    OrganizationLegal name of your organization.
    Locality (City)City or town where the FortiADC appliance is located.
    State/ProvinceState or province where the FortiADC appliance is located.
    Country/RegionCountry where the FortiADC appliance is located.
    EmailE-mail address that may be used for contact purposes, such as admin@example.com.
    Key Information
    Key Type

    Select either of the following:

    • RSA
    • ECDSA
    Key Size/ Curve Name

    For RSA key, select one of the following key sizes:

    • 512 Bit
    • 1024 Bit
    • 1536 Bit
    • 2048 Bit
    • 4096 Bit.

    Note: Larger keys use more computing resources, but provide better security.

    For ECDSA, select one of the following curve names:

    • prime256v1
    • secp384r1
    • secp521r1
    Enrollment Information
    Enrollment Method
    • File-Based—You must manually download and submit the resulting certificate request file to a CA for signing. Once signed, upload the local certificate.

    Online SCEP—The FortiADC appliance automatically uses HTTP to submit the request to the simple certificate enrollment protocol (SCEP) server of a CA, which will validate and sign the certificate. For this selection, two options appear. Enter the CA Server URL and the Challenge Password.

  5. Click Save.
  6. The system creates a private and public key pair. The generated request includes the public key of the FortiADC appliance and information such as the IP address, domain name, or email address. The FortiADC appliance private key remains confidential on the FortiADC appliance. The Status column of the new CSR entry is Pending.

  7. Select the row that corresponds to the certificate request.
  8. Click Download.
  9. Standard dialogs appear with buttons to save the file at a location you select. Your web browser downloads the certificate request (.csr) file.

  10. Upload the certificate request to your CA.
  11. After you submit the request to a CA, the CA will verify the information in the certificate, give it a serial number, an expiration date, and sign it with the public key of the CA.

  12. If you are not using a commercial CA whose root certificate is already installed by default on web browsers, download your CA’s root certificate, and then install it on all computers that will be connecting to your FortiADC appliance. Otherwise, those computers might not trust your new certificate.
  13. After you've received the signed certificate from the CA, import the certificate into the FortiADC system.

Importing local certificates

After you have downloaded the local certificate and private key files, you can import them into the FortiADC system.

Alternatively, you can select the automated certificate type to use the ACME service to get the SSL/TLS certificates from Let's Encrypt or other ACME providers.

Follow the steps below to import the certificate and key files or to use the ACME protocol.

To import a local certificate:
  1. Go to System > Manage Certificates.
  2. Click the Local Certificate tab.
  3. Click Import to display the configuration editor.
  4. Select the local certificate Type from the drop-down menu.
    • Certificate — Use this option only if you have a certificate and its key in separate files.
    • PKCS12 Certificate — Use this option only if you have a PKCS #12 password-encrypted certificate with its key in the same file.
    • Local CSR Certificate — Use this option only if you have a CA-signed certificate that was originated from a CSR generated in FortiADC. See Generating a certificate signing request.
      Note: Ensure that the load-balancer (FortiADC appliance) you use to import a local certificate is the same appliance where the CSR was generated as that is where the key matching the certificate resides. The import operation will fail without the matching key on the same hardware system.
    • Automated — Use this option if you want to use the ACME protocol to get the certificates from Let's Encrypt or other ACME providers.
  5. Configure the following settings based on the local certificate Type.

    Setting

    Description

    Certificate
    Certificate NameSpecify the certificate name that can be referenced by other parts of the configuration, such as www_example_com. The maximum length is 35 characters. Do not use spaces or special characters.
    Certificate FileBrowse for and upload the certificate file that you want to use.
    Input Type

    Select either of the following:

    • Upload

    • Manual Input

    Certificate File

    The Certificate File option appears if the Input Type is Upload.

    Browse for and upload the certificate file that you want to use.

    Key File

    The Key File option appears if the Input Type is Upload.

    Browse for and upload the corresponding key file.

    Certificate

    The Certificate File option appears if the Input Type is Manual.

    Paste the contents of the certificate file into the text box.

    Key

    The Certificate File option appears if the Input Type is Manual.

    Paste the contents of the key file into the text box.

    Password Specify the password to decrypt the file. If the file was encrypted by a password when generated, the same password must be provided when the file is imported to FortiADC. If the file was generated without a password, there is no need to specify a password when importing the file to FortiADC.
    PKCS12 Certificate
    Certificate NameSpecify the certificate name that can be referenced by other parts of the configuration, such as www_example_com. The maximum length is 35 characters. Do not use spaces or special characters.
    Certificate FileBrowse for and upload the certificate file that you want to use.
    Password Specify the password to decrypt the file. If the file was encrypted by a password when generated, the same password must be provided when the file is imported to FortiADC. If the file was generated without a password, there is no need to specify a password when importing the file to FortiADC.
    Local CSR Certificate
    Certificate FileBrowse for and upload the certificate file that you want to use.
    Automated
    Certificate NameSpecify the certificate name that can be referenced by other parts of the configuration, such as www_example_com. The maximum length is 35 characters. Do not use spaces or special characters.

    Domain Name

    Specify the web server domain to be protected by the certificate.

    Email

    Enter the email address that will receive notifications regarding the status of the certificate.

    Depending on which ACME service provider you use, you may receive notification for when the certificate request has been approved through the Certificated Services or when the certificate is due to expire.

    Key Type

    Select either of the following:

    • RSA
    • ECDSA

    Key Size

    The Key Size option appears if the Key Type is RSA.

    Select one of the following key sizes:

    • 2048 bit

    • 3072 bit

    • 4096 bit

    Curve Name

    The Key Size option appears if the Key Type is ECDSA.

    Select one of the following curve names:

    • prime256v1

    • secp384r1

    • secp521r1

    Password Specify the password to decrypt the file. If the file was encrypted by a password when generated, the same password must be provided when the file is imported to FortiADC. If the file was generated without a password, there is no need to specify a password when importing the file to FortiADC.

    CA Group

    Specify the name of the CA Group. FortiADC will use the CA certificate in the CA Group to verify the certificate sent by the ACME provider.

    From the drop-down, you may select previously configured CA Group or select Create New to create and configure a CA Group directly.

    ACME Service

    Select either of the following:

    ACME Server URL

    The ACME Server URL option appears if the ACME Service is Other.

    Specify the URL of the ACME server. The ACME request URL must begin with "https://".

    After you have obtained the ACME certificate from your chosen ACME service provider, you will need to provide the ACME server URL to connect to FortiADC. This will enable FortiADC to act as the ACME client to send the ACME request and receive the ACME certificate/key.

    Note: The ACME server URL is unique to the ACME service provider. Please refer to the documentation from your ACME provider for further information.

    Challenge Wait Time

    Specify the ACME DNS-01 challenge wait time in minutes. (Range: 1-1440 minutes).

    The ACME DNS-01 challenge wait time refers to the amount of time you will have to fulfill the DNS-01 challenge. A longer challenge wait time is recommended to ensure enough time is allotted to perform the required Public DNS configuration changes and for the changes to take effect.

    For more information, see Fulfilling the ACME DNS-01 challenge.

  6. Click Save.

Fulfilling the ACME DNS-01 challenge

The DNS-01 challenge asks you to prove that you control the DNS for your domain name by putting a specific value in a TXT record under that domain name.

After you have saved your automated local certificate configuration, the ACME DNS challenge information is generated. With this information, you will configure your Public DNS Service to create the TXT record.

Certificates generated by the ACME DNS-01 challenge cannot be renewed automatically. Please manually renew the certificate before it expires.

To add the record the DNS challenge information to the Public DNS Service:
  1. Obtain the ACME DNS challenge information using either of the following methods.
    • After you save your automated local certificate configuration, you will be shown the challenge information. Save this information for use later.
    • In the Local Certificate page, locate the local certificate record and click the (View icon) to see the details.
  2. Login to your DNS service provider and go to your DNS Domain management page.
  3. Add a record and input the challenge information into the corresponding fields.

    Name_ACME-CHALLENGE is a fixed value.
    TypeSet the record type as TXT.
    TTLSet this to the default value.
    TargetPaste the content from your ACME DNS-01 challenge information.
  4. Save the changes.
    The DNS configuration changes may take several minutes to take effect.

The ACME provider will then query the DNS system for that record to find a match. If there is a match, the ACME certificate passes validation (certificate status will progress from Pending → OK). However, if the record is not found within the specified challenge wait time then the certificate validation fails (certificate status is Fail).

If the certificate validation fails, then you will need to delete the record and import a new automated local certificate to try again.

It is recommended to set a longer challenge wait time to allow enough time for the DNS configuration changes to take effect. If the DNS configuration changes has not taken effect at the time the ACME provider queries the DNS system for the TXT record, then the validation will fail. Various factors may influence the speed of the DNS (such as the DNS service provider, network speed, network traffic), so the DNS configuration changes may take as long as 20 minutes to take effect.

Generating or importing a local certificate

In order for FortiADC to authenticate client certificates, you can either generate a certificate signing request or upload trusted CA certificates to FortiADC.

Many commercial certificate authorities (CAs) provide websites where you can generate your own certificate signing request (CSR). A CSR is an unsigned certificate file that the CA will sign. When a CSR is generated, the associated private key that the appliance will use to sign and/or encrypt connections with clients is also generated.

If your CA does not provide this service, or if you have your own private CA such as a Linux server with OpenSSL, you can use FortiADC to generate a CSR and private key. This CSR can then be submitted for verification and signing by the CA. To generate a local certificate, see Generating a certificate signing request.

Alternatively, you can import (upload) the local certificates and their private key files into the FortiADC system.

The following types of X.509 server certificates and private keys are supported:

  • Base64-encoded
  • PKCS #12 RSA-encrypted

As part of the certificate importing functionality, FortiADC supports the Automatic Certificate Management Environment (ACME) protocol for automating the interactions between CAs and their users' web servers. FortiADC supports the ACME protocol to get SSL/TLS certificates through CAs like Let's Encrypt.

To import a local certificate through file upload or using the ACME protocol, see Importing local certificates.

Before you begin:
  • You must have Read-Write permission for System settings.

Generating a certificate signing request

Follow the steps below to generate a CSR and submit it for verification and signing by the CA.

To generate a certificate signing request:
  1. Go to System > Manage Certificates.
  2. Click the Local Certificate tab.
  3. Click Generate to display the configuration editor.
  4. Configure the following settings.
    SettingDescription
    Generate Certificate Signing Request
    Certification Name

    Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces. The maximum length is 35 characters.

    Note: This is the name of the CSR file, not the host name/IP contained in the certificate’s Subject: line.

    Subject Information
    ID Type

    Select the type of identifier to use in the certificate to identify the virtual server:

    • Host IP—The static public IP address of the FortiADC virtual server in the IP Address field. If the FortiADC appliance does not have a static public IP address, use the email or domain name options instead.
      Note: Do NOT use this option if your network has a dynamic public IP address. Your web browser will display the “Unable to verify certificate” or similar error message when your public IP address changes.
    • Domain Name—The fully qualified domain name (FQDN) of the FortiADC virtual server, such as www.example.com. This does not require that the IP address be static, and may be useful if, for example, your network has a dynamic public IP address and therefore clients connect to it via dynamic DNS. Do not include the protocol specification (http://) or any port number or path names.
    • E-Mail—The email address of the owner of the FortiADC virtual server. Use this if the virtual server does not require either a static IP address or a domain name.

    Depending on your choice for ID Type, related options appear.

    IP Address

    Enter the static IP address of the FortiADC appliance, such as 10.0.0.1.The IP address should be the one that is visible to clients. Usually, this should be its public IP address on the Internet, or a virtual IP that you use NAT to map to the appliance’s IP address on your private network.

    This option appears only if ID Type is Host IP.

    Domain Name

    Enter the FQDN of the FortiADC appliance, such as www.example.com. The domain name must resolve to the IP address of the FortiADC appliance or backend server according to the DNS server used by clients. (If it does not, the clients’ browsers will display a Host name mismatch or similar error message.)

    This option appears only if ID Type is Domain Name.

    EmailEnter the email address of the owner of the FortiADC appliance, such as admin@example.com. This option appears only if ID Type is E-Mail.
    Distinguished Information
    Organization UnitName of organizational unit (OU), such as the name of your department. This is optional. To enter more than one OU name, click the + icon, and enter each OU separately in each field.
    OrganizationLegal name of your organization.
    Locality (City)City or town where the FortiADC appliance is located.
    State/ProvinceState or province where the FortiADC appliance is located.
    Country/RegionCountry where the FortiADC appliance is located.
    EmailE-mail address that may be used for contact purposes, such as admin@example.com.
    Key Information
    Key Type

    Select either of the following:

    • RSA
    • ECDSA
    Key Size/ Curve Name

    For RSA key, select one of the following key sizes:

    • 512 Bit
    • 1024 Bit
    • 1536 Bit
    • 2048 Bit
    • 4096 Bit.

    Note: Larger keys use more computing resources, but provide better security.

    For ECDSA, select one of the following curve names:

    • prime256v1
    • secp384r1
    • secp521r1
    Enrollment Information
    Enrollment Method
    • File-Based—You must manually download and submit the resulting certificate request file to a CA for signing. Once signed, upload the local certificate.

    Online SCEP—The FortiADC appliance automatically uses HTTP to submit the request to the simple certificate enrollment protocol (SCEP) server of a CA, which will validate and sign the certificate. For this selection, two options appear. Enter the CA Server URL and the Challenge Password.

  5. Click Save.
  6. The system creates a private and public key pair. The generated request includes the public key of the FortiADC appliance and information such as the IP address, domain name, or email address. The FortiADC appliance private key remains confidential on the FortiADC appliance. The Status column of the new CSR entry is Pending.

  7. Select the row that corresponds to the certificate request.
  8. Click Download.
  9. Standard dialogs appear with buttons to save the file at a location you select. Your web browser downloads the certificate request (.csr) file.

  10. Upload the certificate request to your CA.
  11. After you submit the request to a CA, the CA will verify the information in the certificate, give it a serial number, an expiration date, and sign it with the public key of the CA.

  12. If you are not using a commercial CA whose root certificate is already installed by default on web browsers, download your CA’s root certificate, and then install it on all computers that will be connecting to your FortiADC appliance. Otherwise, those computers might not trust your new certificate.
  13. After you've received the signed certificate from the CA, import the certificate into the FortiADC system.

Importing local certificates

After you have downloaded the local certificate and private key files, you can import them into the FortiADC system.

Alternatively, you can select the automated certificate type to use the ACME service to get the SSL/TLS certificates from Let's Encrypt or other ACME providers.

Follow the steps below to import the certificate and key files or to use the ACME protocol.

To import a local certificate:
  1. Go to System > Manage Certificates.
  2. Click the Local Certificate tab.
  3. Click Import to display the configuration editor.
  4. Select the local certificate Type from the drop-down menu.
    • Certificate — Use this option only if you have a certificate and its key in separate files.
    • PKCS12 Certificate — Use this option only if you have a PKCS #12 password-encrypted certificate with its key in the same file.
    • Local CSR Certificate — Use this option only if you have a CA-signed certificate that was originated from a CSR generated in FortiADC. See Generating a certificate signing request.
      Note: Ensure that the load-balancer (FortiADC appliance) you use to import a local certificate is the same appliance where the CSR was generated as that is where the key matching the certificate resides. The import operation will fail without the matching key on the same hardware system.
    • Automated — Use this option if you want to use the ACME protocol to get the certificates from Let's Encrypt or other ACME providers.
  5. Configure the following settings based on the local certificate Type.

    Setting

    Description

    Certificate
    Certificate NameSpecify the certificate name that can be referenced by other parts of the configuration, such as www_example_com. The maximum length is 35 characters. Do not use spaces or special characters.
    Certificate FileBrowse for and upload the certificate file that you want to use.
    Input Type

    Select either of the following:

    • Upload

    • Manual Input

    Certificate File

    The Certificate File option appears if the Input Type is Upload.

    Browse for and upload the certificate file that you want to use.

    Key File

    The Key File option appears if the Input Type is Upload.

    Browse for and upload the corresponding key file.

    Certificate

    The Certificate File option appears if the Input Type is Manual.

    Paste the contents of the certificate file into the text box.

    Key

    The Certificate File option appears if the Input Type is Manual.

    Paste the contents of the key file into the text box.

    Password Specify the password to decrypt the file. If the file was encrypted by a password when generated, the same password must be provided when the file is imported to FortiADC. If the file was generated without a password, there is no need to specify a password when importing the file to FortiADC.
    PKCS12 Certificate
    Certificate NameSpecify the certificate name that can be referenced by other parts of the configuration, such as www_example_com. The maximum length is 35 characters. Do not use spaces or special characters.
    Certificate FileBrowse for and upload the certificate file that you want to use.
    Password Specify the password to decrypt the file. If the file was encrypted by a password when generated, the same password must be provided when the file is imported to FortiADC. If the file was generated without a password, there is no need to specify a password when importing the file to FortiADC.
    Local CSR Certificate
    Certificate FileBrowse for and upload the certificate file that you want to use.
    Automated
    Certificate NameSpecify the certificate name that can be referenced by other parts of the configuration, such as www_example_com. The maximum length is 35 characters. Do not use spaces or special characters.

    Domain Name

    Specify the web server domain to be protected by the certificate.

    Email

    Enter the email address that will receive notifications regarding the status of the certificate.

    Depending on which ACME service provider you use, you may receive notification for when the certificate request has been approved through the Certificated Services or when the certificate is due to expire.

    Key Type

    Select either of the following:

    • RSA
    • ECDSA

    Key Size

    The Key Size option appears if the Key Type is RSA.

    Select one of the following key sizes:

    • 2048 bit

    • 3072 bit

    • 4096 bit

    Curve Name

    The Key Size option appears if the Key Type is ECDSA.

    Select one of the following curve names:

    • prime256v1

    • secp384r1

    • secp521r1

    Password Specify the password to decrypt the file. If the file was encrypted by a password when generated, the same password must be provided when the file is imported to FortiADC. If the file was generated without a password, there is no need to specify a password when importing the file to FortiADC.

    CA Group

    Specify the name of the CA Group. FortiADC will use the CA certificate in the CA Group to verify the certificate sent by the ACME provider.

    From the drop-down, you may select previously configured CA Group or select Create New to create and configure a CA Group directly.

    ACME Service

    Select either of the following:

    ACME Server URL

    The ACME Server URL option appears if the ACME Service is Other.

    Specify the URL of the ACME server. The ACME request URL must begin with "https://".

    After you have obtained the ACME certificate from your chosen ACME service provider, you will need to provide the ACME server URL to connect to FortiADC. This will enable FortiADC to act as the ACME client to send the ACME request and receive the ACME certificate/key.

    Note: The ACME server URL is unique to the ACME service provider. Please refer to the documentation from your ACME provider for further information.

    Challenge Wait Time

    Specify the ACME DNS-01 challenge wait time in minutes. (Range: 1-1440 minutes).

    The ACME DNS-01 challenge wait time refers to the amount of time you will have to fulfill the DNS-01 challenge. A longer challenge wait time is recommended to ensure enough time is allotted to perform the required Public DNS configuration changes and for the changes to take effect.

    For more information, see Fulfilling the ACME DNS-01 challenge.

  6. Click Save.

Fulfilling the ACME DNS-01 challenge

The DNS-01 challenge asks you to prove that you control the DNS for your domain name by putting a specific value in a TXT record under that domain name.

After you have saved your automated local certificate configuration, the ACME DNS challenge information is generated. With this information, you will configure your Public DNS Service to create the TXT record.

Certificates generated by the ACME DNS-01 challenge cannot be renewed automatically. Please manually renew the certificate before it expires.

To add the record the DNS challenge information to the Public DNS Service:
  1. Obtain the ACME DNS challenge information using either of the following methods.
    • After you save your automated local certificate configuration, you will be shown the challenge information. Save this information for use later.
    • In the Local Certificate page, locate the local certificate record and click the (View icon) to see the details.
  2. Login to your DNS service provider and go to your DNS Domain management page.
  3. Add a record and input the challenge information into the corresponding fields.

    Name_ACME-CHALLENGE is a fixed value.
    TypeSet the record type as TXT.
    TTLSet this to the default value.
    TargetPaste the content from your ACME DNS-01 challenge information.
  4. Save the changes.
    The DNS configuration changes may take several minutes to take effect.

The ACME provider will then query the DNS system for that record to find a match. If there is a match, the ACME certificate passes validation (certificate status will progress from Pending → OK). However, if the record is not found within the specified challenge wait time then the certificate validation fails (certificate status is Fail).

If the certificate validation fails, then you will need to delete the record and import a new automated local certificate to try again.

It is recommended to set a longer challenge wait time to allow enough time for the DNS configuration changes to take effect. If the DNS configuration changes has not taken effect at the time the ACME provider queries the DNS system for the TXT record, then the validation will fail. Various factors may influence the speed of the DNS (such as the DNS service provider, network speed, network traffic), so the DNS configuration changes may take as long as 20 minutes to take effect.