Certificate authorities
A certificate authority (CA) is used to sign other server and client certificates. Different CAs can be used for different domains or certificates. For example, if your organization is international, you may have a CA for each country, while smaller organizations might have a different CA for each department. The benefits of multiple CAs include redundancy, in case there are problems with one of the well-known trusted authorities.
After you have created a CA certificate, you can export it to your local computer.
Local CAs
The FortiAuthenticator device can act as a self-signed, or local, CA.
To view the certificate information, go to Certificate Management > Certificate Authorities > Local CAs.
The following information is shown:

| Item | Description |
| --- | --- |
| Create New | Create a new CA certificate. |
| Import | Import a CA certificate. See Importing CA certificates and signing requests. |
| Revoke | Revoke the selected CA certificate. |
| Delete | Delete the selected CA certificate. |
| Export Certificate | Save the selected CA certificate to your computer. |
| Export Key and Cert | Save the selected intermediate CA certificate and private key to your computer. |
| Search | Enter a search term in the search field, then press Enter to search the CA certificate list. The search will return certificates that match either the subject or issuer. |
| Filter | Select to filter the displayed CAs by status. The available selections are: All, Pending, Expired, Revoked, and Active. |
| Certificate ID | The CA certificate ID. |
| Subject | The CA certificate subject. |
| Issuer | The issuer of the CA certificate. |
| Status | The status of the CA certificate. |
| CA Type | The CA type of the CA certificate. |
To create a CA certificate:
- From the local CA certificate list, select Create New. The Create New Local CA Certificate window opens.
- Enter the following information:
| Field | Description |
| --- | --- |
| Certificate ID | Enter a unique ID for the CA certificate. |
| Certificate Authority Type | |
| Certificate type | Select one of the available options. |
| Certificate authority | Select one of the available CAs from the dropdown menu. This field is only available when the certificate type is Intermediate CA certificate. |
| Subject Information | |
| Subject input method | Select the subject input method, either Fully distinguished name or Field-by-field. |
| Subject DN | If the subject input method is Fully distinguished name, enter the full distinguished name of the subject. There should be no spaces between attributes. Valid DN attributes are DC, C, ST, L, O, OU, CN, and emailAddress. They are case-sensitive. |
| Name (CN) | If the subject input method is Field-by-field, enter the subject name in the Name (CN) field, and optionally enter the Department (OU), Company (O), City (L), State/Province (ST), Country (C) (select from dropdown menu), and Email address fields. |
| Key and Signing Options | |
| Validity period | Select the amount of time before this certificate expires. Select Set length of time to enter a specific number of days, or select Set an expiry date and enter the specific date on which the certificate expires. This option is not available when the certificate type is set to Intermediate CA certificate signing request (CSR). |
| Key type | The key type is set to RSA. |
| Key size | Select the key size from the dropdown menu: 1024, 2048 (set by default), or 4096 bits. |
| Hash algorithm | Select the hash algorithm from the dropdown menu, either SHA-256 (set by default) or SHA-1. |
| Subject Alternative Name | SANs allow you to protect multiple host names with a single SSL certificate. SAN is part of the X.509 certificate standard. This section is not available when the certificate type is Intermediate CA certificate signing request (CSR). |
| Email | Enter the email address of a user to map to this certificate. |
| User Principal Name (UPN) | Enter the UPN used to find the user's account in Microsoft Active Directory. This will map the certificate to this specific user. The UPN is unique for the Windows Server domain. This is a form of one-to-one mapping. |
| Advanced Options: Key Usages | Some certificates require the explicit presence of extended key usage attributes before the certificate can be accepted for use. For detailed information about these attributes, see End entities. The available Key Usages and Extended Key Usages are listed after this table. |
| Certificate Revocation List (CRL) | Determine the certificate's lifetime before the CA certificate is revoked. |
| Lifetime | Enter the lifetime of the certificate in days, between 1 and 365 (maximum of one year). The default is 30. |
| Re-generate every | Enter how often the certificate will regenerate. |

Key Usages:
- Digital Signature
- Non Repudiation
- Key Encipherment
- Data Encipherment
- Key Agreement
- Certificate Sign
- CRL Sign
- Encipher Only
- Decipher Only

Extended Key Usages:
- Server Authentication
- Client Authentication
- Code Signing
- Secure Email
- OCSP Signing
- IPSec End System
- IPSec Tunnel Termination
- IPSec User
- IPSec IKE Intermediate (end entity)
- Time Stamping
- Microsoft Individual Code Signing
- Microsoft Commercial Code Signing
- Microsoft Trust List Signing
- Microsoft Server Gated Crypto
- Netscape Server Gated Crypto
- Microsoft Encrypted File System
- Microsoft EFS File Recovery
- Smart Card Logon
- EAP over PPP
- EAP over LAN
- KDC Authentication

- Select OK to create the new CA certificate.
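The Subject DN rules above (comma-separated attribute=value pairs, no spaces between attributes, only the listed case-sensitive attribute names) are easy to get wrong when typing the Fully distinguished name form. The following stdlib-only Python is an added example, not part of this guide or of FortiAuthenticator, that checks a DN string against those rules and names the first problem; the sample DNs are constructed, and RFC 4514 escaping of commas inside values is deliberately not handled.

```python
from typing import List, Optional, Tuple

# Attribute names accepted in the Subject DN field; matching is case-sensitive.
VALID_DN_ATTRIBUTES = {"DC", "C", "ST", "L", "O", "OU", "CN", "emailAddress"}


def parse_subject_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN such as 'CN=Corp Root CA,O=Example Inc,C=US' into ordered
    (attribute, value) pairs. Raises ValueError naming the first problem.
    Simplification: RFC 4514 escaping of commas inside values is not handled."""
    if not dn:
        raise ValueError("subject DN is empty")
    pairs = []
    for position, part in enumerate(dn.split(","), start=1):
        if part != part.strip():
            raise ValueError(f"attribute {position}: no spaces allowed between attributes")
        attr, sep, value = part.partition("=")
        if not sep or not attr or not value:
            raise ValueError(f"attribute {position}: expected name=value, got {part!r}")
        if attr not in VALID_DN_ATTRIBUTES:  # exact match, so 'cn' is rejected
            raise ValueError(f"attribute {position}: {attr!r} is not a valid DN attribute")
        pairs.append((attr, value))
    return pairs


def dn_problem(dn: str) -> Optional[str]:
    """Return None when the DN is acceptable, otherwise the error message."""
    try:
        parse_subject_dn(dn)
    except ValueError as err:
        return str(err)
    return None


# Constructed sample inputs: one valid DN and three that the field would reject.
SAMPLES = [
    "CN=Corp Root CA,OU=IT,O=Example Inc,C=US",   # valid
    "CN=Corp Root CA, O=Example Inc",             # space after the comma
    "cn=Corp Root CA,O=Example Inc",              # lowercase attribute name
    "CN=Corp Root CA,O=",                         # empty value
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r}: {dn_problem(sample) or 'OK'}")
```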
Importing CA certificates and signing requests
Four options are available when importing a certificate or signing request: PKCS12 Certificate, Certificate and Private Key, CSR to sign, and Local certificate.
To import a PKCS12 certificate:
- From the local CA certificate list, select Import. The Import Signing Request or Local CA Certificate window opens.
- Select PKCS12 Certificate in the type field.
- Enter the following:
- Select OK to import the certificate.
To import a certificate with a private key:
- From the local CA certificate list, select Import. The Import Signing Request or Local CA Certificate window opens.
- Select Certificate and Private Key in the type field.
- Enter the following:
- Select OK to import the certificate.
To import a CSR to sign:
- From the local CA certificate list, select Import. The Import Signing Request or Local CA Certificate window opens.
- Select CSR to sign in the type field.
- Enter the following:
| Field | Description |
| --- | --- |
| Certificate ID | Enter a unique ID for the certificate. |
| CSR file (.csr, .req) | Select Choose File to locate the CSR file on your computer. |
| Certificate Signing Options | |
| Certificate authority | Select one of the available CAs from the dropdown menu. |
| Validity period | Select the amount of time before this certificate expires. Select Set length of time to enter a specific number of days, or select Set an expiry date and enter the specific date on which the certificate expires. |
| Hash algorithm | Select the hash algorithm from the dropdown menu, either SHA-256 or SHA-1. |
| Subject Alternative Name | SANs allow you to protect multiple host names with a single SSL certificate. SAN is part of the X.509 certificate standard. |
| Email | Enter the email address of a user to map to this certificate. |
| User Principal Name (UPN) | Enter the UPN used to find the user's account in Microsoft Active Directory. This will map the certificate to this specific user. The UPN is unique for the Windows Server domain. This is a form of one-to-one mapping. |
| Advanced Options: Key Usages | Some certificates require the explicit presence of extended key usage attributes before the certificate can be accepted for use. For detailed information about these attributes, see End entities. |
- Select OK to import the CSR.
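The Key Usages list in the Create New Local CA Certificate window and the same Key Usages field in the CSR to sign window correspond to the bits of the X.509 KeyUsage extension. The following stdlib-only Python is an added example, not from this guide or from Fortinet, that decodes the DER BIT STRING value of that extension into the flag names listed above and reports which of the flags a signing CA needs (Certificate Sign and CRL Sign) are missing; the sample byte strings are constructed.

```python
# Bit positions of the X.509 KeyUsage BIT STRING (RFC 5280), in the order
# the Key Usages list presents them: bit 0 is Digital Signature.
KEY_USAGE_BITS = [
    "Digital Signature", "Non Repudiation", "Key Encipherment",
    "Data Encipherment", "Key Agreement", "Certificate Sign",
    "CRL Sign", "Encipher Only", "Decipher Only",
]

# Flags a CA must carry before it can sign certificates and CRLs.
CA_REQUIRED = ("Certificate Sign", "CRL Sign")


def decode_key_usage(der: bytes) -> set:
    """Decode a DER BIT STRING (tag 0x03) holding KeyUsage flags into names.
    Malformed input raises ValueError rather than being guessed at."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or length != len(der) - 2:   # short-form length only
        raise ValueError("bad BIT STRING length")
    unused, body = der[2], der[3:]
    if unused > 7 or (unused and not body):
        raise ValueError("bad unused-bits count")
    total_bits = len(body) * 8 - unused
    flags = set()
    for index, name in enumerate(KEY_USAGE_BITS):
        if index >= total_bits:
            break                                   # absent trailing bits are clear
        byte, bit = divmod(index, 8)
        if body[byte] & (0x80 >> bit):              # bit 0 is the MSB of the first byte
            flags.add(name)
    return flags


def missing_ca_usages(der: bytes) -> list:
    """Return the CA-required flags that are absent from the extension value."""
    present = decode_key_usage(der)
    return [name for name in CA_REQUIRED if name not in present]


# Constructed sample extension values (hex of the DER BIT STRING):
CA_KEY_USAGE = bytes.fromhex("03020106")      # Certificate Sign, CRL Sign
TLS_KEY_USAGE = bytes.fromhex("030205a0")     # Digital Signature, Key Encipherment
DECIPHER_ONLY = bytes.fromhex("0303070080")   # Decipher Only needs a second byte

if __name__ == "__main__":
    for label, value in (("CA", CA_KEY_USAGE), ("TLS server", TLS_KEY_USAGE)):
        print(label, sorted(decode_key_usage(value)), "missing for CA:", missing_ca_usages(value))
```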
To import a local CA certificate:
- From the local CA certificate list, select Import. The Import Signing Request or Local CA Certificate window opens.
- Select Local certificate in the type field.
- Select Choose File to locate the certificate file on your computer.
- Select OK to import the local CA certificate.
Certificate revocation lists
A certificate revocation list (CRL) is a file that contains a list of revoked certificates, their serial numbers, and their revocation dates. The file also contains the name of the issuer of the CRL, the effective date, and the next update date. By default, the shortest validity period of a CRL is one hour.
Some potential reasons certificates can be revoked include:
- A CA server was hacked and its certificates are no longer trusted.
- A single certificate was compromised and is no longer trusted.
- A certificate has expired and cannot be used past its lifetime.
Go to Certificate Management > Certificate Authorities > CRLs to view the CRL list.
The following information is shown:
To import a CRL:
- Download the most recent CRL from a CRL distribution point (CDP). One or more CDPs are usually listed in a certificate under the Details tab.
- From the CRL list, select Import.
- Select Choose File to locate the file on your computer, then select OK to import the list.
Note: Before importing a CRL file, make sure that either a local CA certificate or a trusted CA certificate for this CRL has first been imported.
When successful, the CRL is displayed in the CRL list on the FortiAuthenticator. You can select it to see the details (see To view certificate details:).
Locally created CRLs
When you import a CRL, it is from another authority. If you are creating your own CA certificates, you can also create your own CRL to accompany them.
As a CA, you sign user certificates. If for any reason you need to revoke one of those certificates, it will go on a local CRL. When this happens you must export the CRL to all your certificate users so they are aware of the revoked certificate.
To create a local CRL:
- Create a local CA certificate. See Local CAs.
- Create one or more user certificates. See End entities.
- Go to Certificate Management > End Entities > Users, select one or more certificates, and select Revoke. See To revoke a certificate:.
The selected certificates are removed from the user certificate list and a CRL is created with those certificates as entries in the list. If there is already a CRL for the CA that signed the user certificates, the certificates are added to the current CRL.
If one or more CAs are later deleted, their corresponding CRLs will also be deleted, along with any user certificates that they signed.
Configuring OCSP
FortiAuthenticator also supports Online Certificate Status Protocol (OCSP), defined in RFC 2560. To use OCSP, configure the FortiGate unit to use TCP port 2560 on the FortiAuthenticator IP address.
For example, enter the following to configure OCSP on the FortiGate CLI Console, where the url value contains the IP address of the FortiAuthenticator:
    config vpn certificate ocsp-server
        edit FortiAuthenticator_ocsp
            set cert "REMOTE_Cert_1"
            set url "http://172.20.120.16:2560"
        next
    end
Trusted CAs
Trusted CA certificates can be used to validate certificates signed by an external CA.
To view the trusted CA certificate list, go to Certificate Management > Certificate Authorities > Trusted CAs.
The certificate ID, subject, issuer, and status are shown. Certificates can be imported, exported, deleted, and searched.
To import a trusted CA certificate:
- From the trusted CA certificate list, select Import.
- Enter a certificate ID in the Certificate ID field.
- Select Choose File to locate the certificate file on your computer, and select OK to import the certificate.
When successful, the trusted CA certificate is displayed in the list on the FortiAuthenticator device. You can select it to see the details (see To view certificate details:).