Install certificates

To install a wildcard certificate on FortiAuthenticator:

  1. Go to Certificate Management > Certificate Authorities > Trusted CA.
    Import a trusted root/intermediate public CA certificate in order to support your wildcard certificate.
  2. In Certificate Management > End Entities > Local Services, click Import, select Certificate and Private Key, and import your domain wildcard certificate as *domainname. For example, *fortixpert.com.

To generate a Certificate Signing Request (optional):

The following steps are optional and can be done if the server certificate matching the FortiAuthenticator FQDN is not yet available.

  1. In Certificate Management > End Entities > Local Services, select the Create New button.
    Configure the following settings:
    1. Under Create New Server Certificate, set the Certificate ID to your certificate name, for example, fac.fortixpert.com.
    2. Under Subject Information, configure the Name, Department, Company, City, State/Province, Country and Email Address for your certificate.
    3. (Optional) If you are using a self-signed certificate on FortiAuthenticator, add a Subject Alternative Name (SAN) matching the FQDN under Subject Alternative Name.
    4. (Optional) Under Advanced Options: Key Usages, choose all Key Usages and Extended Key Usages.
    5. All other fields can be left in their default state. Click OK to save your changes.
  2. Export the pending CSR by selecting the pending entry and then clicking Export Certificate. Use the downloaded certificate-name.csr file to obtain a certificate from a public CA.
  3. Import the signed certificate file from the public CA by selecting Import and uploading the certificatename.cer file.

To install local service certificates:

  1. Go to Certificate Management > Certificate Authorities > Trusted CA.
    Upload the trusted root/intermediate public CA certificates in order to support your host/server certificate.
  2. Under Certificate Management > End Entities > Local Services, Import your publicly signed host/server certificate matching the FQDN (for example, fac.fortixpert.com) along with the matching private key.
  3. Under System > Administration > System Access > GUI Access, configure the following:
    1. For HTTPS Certificate, select the server certificate matching the device FQDN from the dropdown box.
    2. For CA Certificate, select the Root CA certificate that was used to sign the host/server certificate selected above.
  4. Select OK.
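
The imports above only work cleanly when the private key belongs to the certificate, the certificate covers the device FQDN, and it chains to the CA you uploaded. The script below is an added example, not part of the Fortinet cookbook, that checks those three points offline with the openssl CLI before anything is uploaded. It assumes PEM-encoded files and an unencrypted private key, and all function names are this example's own.

```bash
#!/usr/bin/env bash
# Added example (not Fortinet code): offline checks on PEM files before import.
# Assumes the openssl CLI and an unencrypted private key; all paths are the caller's.

# SHA-256 of the PEM public key held by a certificate, private key, or CSR.
pubkey_fp() {  # $1 = cert|key|csr   $2 = PEM file
  local pem
  case "$1" in
    cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
    key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
    csr)  pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
    *)    return 2 ;;
  esac
  [ -n "$pem" ] || return 1          # an unreadable file must never "match"
  printf '%s\n' "$pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# True when two objects carry the same public key, e.g.: same_key cert a.pem key a.key
same_key() {  # $1 = kind, $2 = file, $3 = kind, $4 = file
  local a b
  a=$(pubkey_fp "$1" "$2") || return 1
  b=$(pubkey_fp "$3" "$4") || return 1
  [ "$a" = "$b" ]
}

# True when the certificate's SAN (or CN, if it has no SAN) covers the FQDN; wildcards count.
cert_covers_host() {  # $1 = cert, $2 = FQDN
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match certificate'
}

# True when openssl builds a valid chain from the certificate to the supplied root.
# openssl may also consult its default CA directory; add -no-CApath to exclude it.
chain_verifies() {  # $1 = root CA, $2 = cert, $3 = intermediates bundle (optional)
  openssl verify -CAfile "$1" ${3:+-untrusted "$3"} "$2" >/dev/null 2>&1
}

# Run all three checks and report each failure; returns non-zero if any check fails.
preimport_check() {  # $1 = cert, $2 = key, $3 = FQDN, $4 = root CA, $5 = intermediates
  local rc=0
  same_key cert "$1" key "$2"       || { echo "FAIL: private key does not match certificate"; rc=1; }
  cert_covers_host "$1" "$3"        || { echo "FAIL: certificate does not cover $3"; rc=1; }
  chain_verifies "$4" "$1" "${5:-}" || { echo "FAIL: certificate does not chain to $4"; rc=1; }
  [ "$rc" -eq 0 ] && echo "OK: $1 is ready to import"
  return "$rc"
}
```

For the CSR procedure, where only the CSR leaves the device, `same_key cert certificatename.cer csr certificate-name.csr` confirms the CA returned a certificate for the pending request before you import it.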
