Administration Guide

Certificate authorities

A certificate authority (CA) is used to sign other server and client certificates. Different CAs can be used for different domains or certificates. For example, if your organization is international you may have a CA for each country, or smaller organizations might have a different CA for each department. The benefits of multiple CAs include redundancy, in case there are problems with one of the well-known trusted authorities.

After you have created a CA certificate, you can export it to your local computer.

Local CAs

The FortiAuthenticator device can act as a self-signed, or local, CA.

To view the certificate information, go to Certificate Management > Certificate Authorities > Local CAs.

The following information is shown:

Create New: Create a new CA certificate.
Import: Import a CA certificate. See Importing CA certificates and signing requests.
Revoke: Revoke the selected CA certificate.
Delete: Delete the selected CA certificate.
Export Certificate: Save the selected CA certificate to your computer.
Export Key and Cert: Save the selected intermediate CA certificate and private key to your computer.
Search: Enter a search term in the search field, then press Enter to search the CA certificate list. The search returns certificates whose subject or issuer matches the term.
Filter: Select to filter the displayed CAs by status. The available selections are: All, Pending, Expired, Revoked, and Active.
Certificate ID: The CA certificate ID.
Subject: The CA certificate subject.
Issuer: The issuer of the CA certificate.
Status: The status of the CA certificate.
CA Type: The CA type of the CA certificate.

To create a CA certificate:
  1. From the local CA certificate list, select Create New. The Create New Local CA Certificate window opens.
  2. Enter the following information:

    Certificate ID: Enter a unique ID for the CA certificate.

    Certificate Authority Type
      Certificate type: Select one of the following options:
        • Root CA certificate: A self-signed CA certificate.
        • Intermediate CA certificate: A CA certificate that refers to a different root CA as the authority.
        • Intermediate CA certificate signing request (CSR)
      Certificate authority: Select one of the available CAs from the dropdown menu. This field is only available when the certificate type is Intermediate CA certificate.

    Subject Information
      Subject input method: Select the subject input method, either Fully distinguished name or Field-by-field.
      Subject DN: If the subject input method is Fully distinguished name, enter the full distinguished name of the subject. There should be no spaces between attributes. Valid DN attributes are DC, C, ST, L, O, OU, CN, and emailAddress. They are case-sensitive.
      Name (CN): If the subject input method is Field-by-field, enter the subject name in the Name (CN) field, and optionally enter the following fields:
        • Department (OU)
        • Company (O)
        • City (L)
        • State/Province (ST)
        • Country (C) (select from dropdown menu)
        • Email address

    Key and Signing Options
      Validity period: Select the amount of time before this certificate expires. Select Set length of time to enter a specific number of days, or select Set an expiry date and enter the specific date on which the certificate expires. This option is not available when the certificate type is set to Intermediate CA certificate signing request (CSR).
      Key type: The key type is set to RSA.
      Key size: Select the key size from the dropdown menu: 1024, 2048 (set by default), or 4096 bits.
      Hash algorithm: Select the hash algorithm from the dropdown menu, either SHA-256 (set by default) or SHA-1.

    Subject Alternative Name
      SANs allow you to protect multiple host names with a single SSL certificate. SAN is part of the X.509 certificate standard. This section is not available when the certificate type is Intermediate CA certificate signing request (CSR).
      Email: Enter the email address of a user to map to this certificate.
      User Principal Name (UPN): Enter the UPN used to find the user's account in Microsoft Active Directory. This maps the certificate to this specific user. The UPN is unique within the Windows Server domain. This is a form of one-to-one mapping.

    Advanced Options: Key Usages
      Some certificates require the explicit presence of extended key usage attributes before the certificate can be accepted for use. For detailed information about these attributes, see End entities.
      Key Usages:
        • Digital Signature
        • Non Repudiation
        • Key Encipherment
        • Data Encipherment
        • Key Agreement
        • Certificate Sign
        • CRL Sign
        • Encipher Only
        • Decipher Only
      Extended Key Usages:
        • Server Authentication
        • Client Authentication
        • Code Signing
        • Secure Email
        • OCSP Signing
        • IPSec End System
        • IPSec Tunnel Termination
        • IPSec User
        • IPSec IKE Intermediate (end entity)
        • Time Stamping
        • Microsoft Individual Code Signing
        • Microsoft Commercial Code Signing
        • Microsoft Trust List Signing
        • Microsoft Server Gated Crypto
        • Netscape Server Gated Crypto
        • Microsoft Encrypted File System
        • Microsoft EFS File Recovery
        • Smart Card Logon
        • EAP over PPP
        • EAP over LAN
        • KDC Authentication

    Certificate Revocation List (CRL)
      Determine the certificate's lifetime before the CA certificate is revoked.
      Lifetime: Enter the lifetime of the certificate in days, between 1 and 365 (a maximum of one year). The default is 30.
      Re-generate every: Enter how often the certificate will regenerate.

  3. Select OK to create the new CA certificate.
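The Subject DN rules above (comma-separated attributes, no spaces between them, a fixed case-sensitive attribute list) and the Key and Signing Options are easy to get wrong when a request is prepared by script rather than in the GUI. The following is an added example, not FortiAuthenticator code: it parses and builds a Subject DN under exactly those rules and reviews the key size, hash algorithm and Key Usages of a CA request. Assumptions are marked in the comments: backslash-escaping of commas in values (the guide does not say how to escape them), a mandatory CN (required by the Field-by-field method, not stated for the DN method), and the review advice, which is general PKI practice rather than something the guide states.

```python
"""Checks for a local CA request: Subject DN parsing/construction and a review
of the Key and Signing Options. Added example, not FortiAuthenticator code."""
import re

# DN attribute types the guide lists as valid. Matching is case-sensitive,
# so "cn" or "emailaddress" is rejected.
VALID_DN_ATTRS = ("DC", "C", "ST", "L", "O", "OU", "CN", "emailAddress")

# Split on commas that are not escaped with a backslash. The escaping
# convention is an assumption (RFC 4514 style); the guide does not specify one.
_SPLIT_RE = re.compile(r"(?<!\\),")

CA_TYPES = ("Root CA certificate", "Intermediate CA certificate",
            "Intermediate CA certificate signing request (CSR)")


def parse_subject_dn(dn: str) -> list:
    """Parse a 'Fully distinguished name' such as
    'CN=Example Root CA,O=Example Corp,C=US' into (attribute, value) pairs,
    enforcing the guide's rules: no spaces between attributes and only the
    listed, case-sensitive attribute types. A CN is assumed to be mandatory,
    as it is in the Field-by-field method."""
    if not dn:
        raise ValueError("empty DN")
    pairs = []
    for part in _SPLIT_RE.split(dn):
        if part != part.strip():
            raise ValueError(f"whitespace between attributes near {part!r}")
        attr, sep, value = part.partition("=")
        if not sep or not attr or not value:
            raise ValueError(f"malformed attribute {part!r}")
        if attr not in VALID_DN_ATTRS:
            raise ValueError(f"unknown or mis-cased attribute {attr!r}")
        pairs.append((attr, value.replace("\\,", ",")))
    if not any(attr == "CN" for attr, _ in pairs):
        raise ValueError("DN has no CN attribute")
    return pairs


def dn_problem(dn: str) -> str:
    """Return the validation error for a DN, or '' when it is acceptable."""
    try:
        parse_subject_dn(dn)
    except ValueError as exc:
        return str(exc)
    return ""


def build_subject_dn(cn: str, ou: str = "", o: str = "", l: str = "",
                     st: str = "", c: str = "", email: str = "") -> str:
    """Build the DN string equivalent to the Field-by-field inputs, in the
    order CN, OU, O, L, ST, C, emailAddress, escaping commas inside values."""
    if not cn:
        raise ValueError("Name (CN) is required")
    fields = [("CN", cn), ("OU", ou), ("O", o), ("L", l), ("ST", st),
              ("C", c), ("emailAddress", email)]
    parts = []
    for attr, value in fields:
        if value:
            escaped = value.replace(",", "\\,")
            parts.append(f"{attr}={escaped}")
    return ",".join(parts)


def review_key_options(cert_type: str, key_size: int, hash_alg: str,
                       key_usages: set) -> list:
    """Return review findings for a CA request. The allowed values are those
    the guide lists; the advice (avoid 1024-bit RSA and SHA-1; a CA needs
    Certificate Sign to issue certificates and CRL Sign to sign its CRL) is
    standard PKI practice (RFC 5280 key usage semantics), not from the guide."""
    if cert_type not in CA_TYPES:
        raise ValueError(f"unknown certificate type {cert_type!r}")
    if key_size not in (1024, 2048, 4096):
        raise ValueError("key size must be 1024, 2048 or 4096")
    if hash_alg not in ("SHA-256", "SHA-1"):
        raise ValueError("hash algorithm must be SHA-256 or SHA-1")
    findings = []
    if key_size == 1024:
        findings.append("1024-bit RSA is too weak for a CA key; use 2048 or 4096")
    if hash_alg == "SHA-1":
        findings.append("SHA-1 signatures are deprecated; select SHA-256")
    if "Certificate Sign" not in key_usages:
        findings.append("CA without Certificate Sign cannot issue certificates")
    if "CRL Sign" not in key_usages:
        findings.append("CA without CRL Sign cannot sign its CRL")
    return findings


if __name__ == "__main__":
    dn = build_subject_dn(cn="Example Root CA", o="Example, Inc.", c="US")
    print(dn, parse_subject_dn(dn))
    print(dn_problem("CN=Example Root CA, O=Example Corp"))
    print(review_key_options("Root CA certificate", 1024, "SHA-1", set()))
```

The parser rejects the two mistakes the guide warns about (a space after a comma, a lower-cased attribute name) before the request reaches the device, and the builder shows that a Field-by-field entry is just the same DN with a fixed attribute order.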

Importing CA certificates and signing requests

Four options are available when importing a certificate or signing request: PKCS12 Certificate, Certificate and Private Key, CSR to sign, and Local certificate.

To import a PKCS12 certificate:
  1. From the local CA certificate list, select Import. The Import Signing Request or Local CA Certificate window opens.
  2. Select PKCS12 Certificate in the type field.
  3. Enter the following:
    Certificate ID: Enter a unique ID for the certificate.
    PKCS12 certificate file (.p12): Select Choose File to locate the certificate file on your computer.
    Passphrase: Enter the certificate passphrase.
    Initial Serial Number: Select the serial number radix, either Decimal or Hex, and enter the initial serial number in the Initial serial number field.
  4. Select OK to import the certificate.
To import a certificate with a private key:
  1. From the local CA certificate list, select Import. The Import Signing Request or Local CA Certificate window opens.
  2. Select Certificate and Private Key in the type field.
  3. Enter the following:
    Certificate ID: Enter a unique ID for the certificate.
    Certificate file (.cer): Select Choose File to locate the certificate file on your computer.
    Private key file: Select Choose File to locate the private key file on your computer.
    Passphrase: Enter the certificate passphrase.
    Initial Serial Number: Select the serial number radix, either Decimal or Hex, and enter the initial serial number in the Initial serial number field.
  4. Select OK to import the certificate.
To import a CSR to sign:
  1. From the local CA certificate list, select Import. The Import Signing Request or Local CA Certificate window opens.
  2. Select CSR to sign in the type field.
  3. Enter the following:
    Certificate ID: Enter a unique ID for the certificate.
    CSR file (.csr, .req): Select Choose File to locate the CSR file on your computer.

    Certificate Signing Options
      Certificate authority: Select one of the available CAs from the dropdown menu.
      Validity period: Select the amount of time before this certificate expires. Select Set length of time to enter a specific number of days, or select Set an expiry date and enter the specific date on which the certificate expires.
      Hash algorithm: Select the hash algorithm from the dropdown menu, either SHA-256 or SHA-1.

    Subject Alternative Name
      SANs allow you to protect multiple host names with a single SSL certificate. SAN is part of the X.509 certificate standard.
      Email: Enter the email address of a user to map to this certificate.
      User Principal Name (UPN): Enter the UPN used to find the user's account in Microsoft Active Directory. This maps the certificate to this specific user. The UPN is unique within the Windows Server domain. This is a form of one-to-one mapping.

    Advanced Options: Key Usages
      Some certificates require the explicit presence of extended key usage attributes before the certificate can be accepted for use. For detailed information about these attributes, see End entities.

  4. Select OK to import the CSR.
To import a local CA certificate:
  1. From the local CA certificate list, select Import. The Import Signing Request or Local CA Certificate window opens.
  2. Select Local certificate in the type field.
  3. Select Choose File to locate the certificate file on your computer.
  4. Select OK to import the local CA certificate.

Certificate revocation lists

A certificate revocation list (CRL) is a file that contains a list of revoked certificates, their serial numbers, and their revocation dates. The file also contains the name of the issuer of the CRL, the effective date, and the next update date. By default, the shortest validity period of a CRL is one hour.

Some potential reasons certificates can be revoked include:

  • A CA server was hacked and its certificates are no longer trusted.
  • A single certificate was compromised and is no longer trusted.
  • A certificate has expired and cannot be used past its lifetime.

Go to Certificate Management > Certificate Authorities > CRLs to view the CRL list.

The following information is shown:

Import: Import a CRL.
Automatic Downloads: Select to view automatically downloaded CRLs. Select View CRLs to switch back to the regular CRL view.
Export: Save the selected CRL to your computer.
CA Type: The CA type of the CRL.
Issuer name: The name of the issuer of the CRL.
Subject: The CRL's subject.
Revoked Certificates: The number of revoked certificates in the CRL.

To import a CRL:
  1. Download the most recent CRL from a CDP. One or more CDPs are usually listed in a certificate under the Details tab.
  2. From the CRL list, select Import.
  3. Select Choose File to locate the file on your computer, then select OK to import the list.

Note: Before importing a CRL file, make sure that either a local CA certificate or a trusted CA certificate for this CRL has first been imported.

When successful, the CRL is displayed in the CRL list on the FortiAuthenticator. You can select it to see the details (see To view certificate details:).

Locally created CRLs

When you import a CRL, it is from another authority. If you are creating your own CA certificates, you can also create your own CRL to accompany them.

As a CA, you sign user certificates. If for any reason you need to revoke one of those certificates, it will go on a local CRL. When this happens you must export the CRL to all your certificate users so they are aware of the revoked certificate.

To create a local CRL:
  1. Create a local CA certificate. See Local CAs.
  2. Create one or more user certificates. See End entities.
  3. Go to Certificate Management > End Entities > Users, select one or more certificates, and select Revoke. See To revoke a certificate:.
  4. The selected certificates are removed from the user certificate list and a CRL is created with those certificates as entries in the list. If there is already a CRL for the CA that signed the user certificates, the certificates are added to the current CRL.

Note: If one or more CAs are later deleted, their corresponding CRLs are also deleted, along with any user certificates that they signed.
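The two CRL sections above describe a CRL's contents (issuer, effective date, next update date, revoked serials with their revocation dates), the one-hour minimum validity, the rule that the CA for an imported CRL must already be present, and the local behaviour of appending revoked user certificates to the CA's existing CRL. The following added example, not FortiAuthenticator code, models those rules on constructed data: `revoke_certificates` reproduces the create-or-append behaviour of step 4, and `certificate_status` applies the checks a relying party makes before trusting a CRL verdict. Signature verification of the CRL is assumed to happen elsewhere; the 30-day default lifetime is the guide's CRL Lifetime default.

```python
"""Model of CRL handling: the create-or-append behaviour when a local CA
revokes user certificates, and the checks applied when a certificate is
evaluated against a CRL. Added example, not FortiAuthenticator code."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class RevokedEntry:
    serial: int
    revoked_at: datetime


@dataclass
class Crl:
    issuer: str            # name of the CA that signed the CRL
    this_update: datetime  # effective date
    next_update: datetime  # next update date; the CRL is stale after this
    revoked: list = field(default_factory=list)


MIN_CRL_VALIDITY = timedelta(hours=1)  # shortest CRL validity the guide states


def revoke_certificates(crls: dict, issuer: str, serials: list, now: datetime,
                        lifetime: timedelta = timedelta(days=30)) -> Crl:
    """Revoke user certificates signed by `issuer`: add them to the existing
    CRL for that CA, or create a CRL if there is none (the guide's step 4).
    `crls` maps issuer name to its current CRL."""
    if lifetime < MIN_CRL_VALIDITY:
        raise ValueError("CRL validity must be at least one hour")
    crl = crls.get(issuer)
    if crl is None:
        crl = Crl(issuer=issuer, this_update=now, next_update=now + lifetime)
        crls[issuer] = crl
    known = {entry.serial for entry in crl.revoked}
    for serial in serials:
        if serial not in known:            # a serial is listed once only
            crl.revoked.append(RevokedEntry(serial=serial, revoked_at=now))
            known.add(serial)
    return crl


def certificate_status(cert_issuer: str, cert_serial: int, crl: Crl,
                       known_cas: set, now: datetime) -> str:
    """Classify a certificate against a CRL. `known_cas` holds the names of
    the local and trusted CAs that have been imported; CRL signature
    verification is assumed to be done by the real verifier."""
    if crl.issuer not in known_cas:
        return "crl-issuer-unknown"   # import the local or trusted CA first
    if crl.issuer != cert_issuer:
        return "crl-issuer-mismatch"  # this CRL says nothing about the cert
    if now < crl.this_update or now > crl.next_update:
        return "crl-stale"            # outside the effective..next-update window
    if any(entry.serial == cert_serial for entry in crl.revoked):
        return "revoked"
    return "good"


def run_demo() -> dict:
    """Constructed scenario: a local CA revokes three user certificates in two
    steps, then several certificates are checked against the resulting CRL."""
    ca = "CN=Example Local Root"                      # constructed name
    t0 = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
    crls = {}
    revoke_certificates(crls, ca, [0x1001, 0x1002], t0)
    crl = revoke_certificates(crls, ca, [0x1002, 0x1003], t0 + timedelta(hours=1))
    known = {ca}
    return {
        "crl_count": len(crls),
        "revoked_serials": [e.serial for e in crl.revoked],
        "revoked_cert": certificate_status(ca, 0x1003, crl, known, t0 + timedelta(hours=2)),
        "good_cert": certificate_status(ca, 0x2000, crl, known, t0 + timedelta(hours=2)),
        "stale_crl": certificate_status(ca, 0x2000, crl, known, t0 + timedelta(days=31)),
        "ca_not_imported": certificate_status(ca, 0x2000, crl, set(), t0),
        "other_issuer": certificate_status("CN=Other CA", 0x2000, crl, known, t0),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The order of the checks matters: a CRL whose issuer is not an imported CA, or that is outside its validity window, must not yield "good" just because the serial is absent, which is why the freshness and issuer checks come before the serial lookup.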

Configuring OCSP

FortiAuthenticator also supports Online Certificate Status Protocol (OCSP), defined in RFC 2560. To use OCSP, configure the FortiGate unit to use TCP port 2560 on the FortiAuthenticator IP address.

For example, enter the following on the FortiGate CLI console to configure OCSP, where the url value is the FortiAuthenticator IP address and the OCSP port:

config vpn certificate ocsp-server
    edit FortiAuthenticator_ocsp
        set cert "REMOTE_Cert_1"
        set url "http://172.20.120.16:2560"
end

Trusted CAs

Trusted CA certificates can be used to validate certificates signed by an external CA.

To view the trusted CA certificate list, go to Certificate Management > Certificate Authorities > Trusted CAs.

The certificate ID, subject, issuer, and status are shown. Certificates can be imported, exported, deleted, and searched.

To import a trusted CA certificate:
  1. From the trusted CA certificate list, select Import.
  2. Enter a certificate ID in the Certificate ID field.
  3. Select Choose File to locate the certificate file on your computer, and select OK to import the certificate.
  4. When successful, the trusted CA certificate is displayed in the list on the FortiAuthenticator device. You can select it to see the details (see To view certificate details:).
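The Trusted CAs section says that trusted CA certificates validate certificates signed by an external CA, and the Local CAs section distinguishes a self-signed root from an intermediate that refers to a different root. The following added example, not FortiAuthenticator code, models how those two stores are consulted: it walks issuer links from a certificate's issuer up to a self-signed root and requires every CA on the path to be present in either store and Active (the guide's Filter lists the statuses Pending, Expired, Revoked and Active). The CA names, the store layout and the assumption that signature verification happens separately are all constructed for the example.

```python
"""Model of validating a certificate against the local and trusted CA stores:
walk issuer links from the leaf's issuer up to a self-signed root, requiring
every CA on the path to be in a store and Active. Signature verification is
assumed to be done by the real verifier. Added example, not FortiAuthenticator code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class CaRecord:
    subject: str
    issuer: str   # equals subject for a root CA (self-signed)
    status: str   # Pending, Expired, Revoked or Active: the guide's filter values
    store: str    # "local" (a CA this device runs) or "trusted" (external CA)

    @property
    def is_root(self) -> bool:
        return self.subject == self.issuer


def validate_issuer_chain(leaf_issuer: str, cas: dict, max_depth: int = 8) -> str:
    """Return 'valid: <path>' when a root is reached through Active CAs,
    otherwise 'rejected: <reason>'. `cas` maps CA subject to CaRecord; the
    depth limit guards against issuer loops in a mis-imported store."""
    path = []
    name = leaf_issuer
    for _ in range(max_depth):
        ca = cas.get(name)
        if ca is None:
            return f"rejected: issuer {name!r} is in neither the local nor the trusted CA store"
        if ca.status != "Active":
            return f"rejected: CA {name!r} is {ca.status}"
        path.append(f"{ca.subject} ({ca.store})")
        if ca.is_root:
            return "valid: " + " -> ".join(path)
        name = ca.issuer
    return "rejected: no root CA reached within the depth limit"


def sample_stores() -> dict:
    """Constructed sample stores: an external root imported as a trusted CA,
    an external intermediate issued by it, a local root, and a revoked local CA."""
    records = [
        CaRecord("CN=External Root CA", "CN=External Root CA", "Active", "trusted"),
        CaRecord("CN=External Issuing CA", "CN=External Root CA", "Active", "trusted"),
        CaRecord("CN=Example Local Root", "CN=Example Local Root", "Active", "local"),
        CaRecord("CN=Old Local CA", "CN=Example Local Root", "Revoked", "local"),
    ]
    return {record.subject: record for record in records}


if __name__ == "__main__":
    for issuer in ("CN=External Issuing CA", "CN=Old Local CA", "CN=Unknown CA"):
        print(issuer, "=>", validate_issuer_chain(issuer, sample_stores()))
```

A certificate issued by the external intermediate is accepted only because both the intermediate and its root were imported as trusted CAs; a certificate from the revoked local CA is rejected even though its root is still Active, which is the behaviour to expect after revoking a CA in the Local CAs list.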
