Certificate management

During the authentication process, the SAML SP and IdP must verify each other. This means that they must verify certificates on both ends. Since the local CA manages the SAML certificates on the FortiAuthenticator, it has the certificates necessary for its configurations. To complete its configuration, the SAML SP certificate and SAML IdP certificate must be exported and loaded onto the FortiGate.

Furthermore, in this scenario, the CA on the FortiAuthenticator will also sign the SSL VPN certificate used by the FortiGate. This certificate must also be exported and loaded on the FortiGate.

Configuring the local CA on FortiAuthenticator

To configure a local CA on FortiAuthenticator:
  1. Go to Certificate Management > Certificate Authorities > Local CAs and select Create New.

    The Create New Local CA Certificate window opens.

  2. In Certificate ID, enter a unique ID for the CA.
  3. In the Subject Information pane, enter the necessary subject information to identify the CA.
  4. Click OK.

To export the created local CA:
  1. Go to Certificate Management > Certificate Authorities > Local CAs.
  2. From the local CA certificate list, select the local root CA created in Configuring a local root CA, and select Export Certificate to export the CA certificate in .crt format. This certificate is then imported on the client endpoint later.

Generating the certificates on FortiAuthenticator

To generate a user certificate for the FortiGate SAML SP on FortiAuthenticator:
  1. Go to Certificate Management > End Entities > Users and select Create New.
  2. In Certificate ID, enter a unique ID for the certificate.
  3. Ensure that the Issuer is Local CA.
  4. In the Certificate authority dropdown, select the previously created local CA. See Configuring a local root CA.
  5. In the Subject Information pane, enter the necessary subject information to identify the user certificate.
  6. Click OK.

To export the user certificate:
  1. Go to Certificate Management > End Entities > Users.
  2. From the users list, select the user certificate created in Configuring a user certificate, and select Export Key and Cert to export the user certificate in .p12 format.
  3. Enter a password to secure the key.

To generate a server certificate for the SAML IdP on FortiAuthenticator:
  1. Go to Certificate Management > End Entities > Local Services and select Create New.
  2. In Certificate ID, enter a unique ID for the certificate.
  3. In the Certificate authority dropdown, select the previously created local CA.

    See Configuring a local root CA.

  4. In the Subject Information pane, enter the necessary subject information to identify the server certificate.
  5. Click OK.

To export the server certificate:
  1. Go to Certificate Management > End Entities > Local Services.
  2. From the local services list, select the server certificate created in Configuring a server certificate, and select Export Certificate to export the certificate in .cer format.

To create and sign a user certificate for the FortiGate SSL VPN web portal:
  1. On FortiGate, go to System > Certificates, and from the Create/Import dropdown, select Generate CSR.
  2. Enter the Certificate Name, Subject Information and any Optional Information such as a Subject Alternative Name.

  3. Click OK.

  4. On the Certificates list page, select the user certificate you have created under Local Certificate.
  5. Click Download to download the CSR file.
  6. On FortiAuthenticator, go to Certificate Management > End Entities > Users, and click Import.
  7. Enter a Certificate ID.
  8. Select Upload a file to locate and upload the CSR file created from the FortiGate.
  9. In the Certificate authority dropdown, select the certificate authority created earlier. See Configuring a local root CA.
  10. Click OK.

  11. In Certificate Management > End Entities > Users, select the above certificate.
  12. Click Export Certificate to export a .cer file.
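
Before importing, the exported files can be checked offline with OpenSSL. The script below is an added example, not part of the Fortinet procedure: it confirms that a certificate chains to the exported local CA and that the signed .cer carries the same public key as the FortiGate CSR. File names, subjects and the throwaway test CA are constructed, and all files are assumed to be PEM-encoded.

```shell
#!/bin/sh
# Added example. File names, subjects and the throwaway CA are constructed
# stand-ins for the exports on this page; files are assumed to be PEM-encoded.

# Succeeds if certificate $2 chains to the CA certificate $1.
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Succeeds if signed certificate $2 carries the same public key as CSR $1.
# A parse failure on either file counts as a mismatch, never as a match.
csr_matches_cert() {
    csr_key=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 1
    crt_key=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$csr_key" ] && [ "$csr_key" = "$crt_key" ]
}

# Build constructed sample files in directory $1: a local CA, a device CSR,
# the CA-signed certificate, and an unrelated self-signed certificate.
make_demo() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Local CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=vpn.example.test" \
        -keyout "$1/fgt.key" -out "$1/fgt.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/fgt.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/fgt.cer" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated" \
        -keyout "$1/other.key" -out "$1/other.cer" 2>/dev/null
}

# Print the result of both checks for CA $1, CSR $2 and certificate $3.
check_export() {
    if verify_chain "$1" "$3"; then echo "$3: chain OK"; else echo "$3: chain FAIL"; fi
    if csr_matches_cert "$2" "$3"; then echo "$3: key matches CSR"
    else echo "$3: key MISMATCH"; fi
}

d=$(mktemp -d) && make_demo "$d" && {
    check_export "$d/ca.crt" "$d/fgt.csr" "$d/fgt.cer"    # the intended export
    check_export "$d/ca.crt" "$d/fgt.csr" "$d/other.cer"  # a wrong file
}
rm -rf "$d"
```

If an export is DER-encoded rather than PEM, convert it first with `openssl x509 -inform DER -in file.cer -out file.pem`.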

Importing certificates on FortiGate

To import the user certificate for the FortiGate SAML SP:
  1. On FortiGate, go to System > Certificates, and from the Create/Import dropdown, select Certificate.
  2. In the Create Certificate window, select Import Certificate in the Import Certificate pane.
  3. In Type, select PKCS #12 Certificate.
  4. In Certificate with key file, select Upload, locate and then upload the .p12 user certificate with key file from your computer, and enter the password.

    See Exporting user certificate.

  5. Click Create.

    On the certificates list page, the new certificate is available in Local Certificate.

To import the SAML IdP remote certificate:
  1. On FortiGate, go to System > Certificates, and from the Create/Import dropdown, select Remote Certificate.
  2. Select Upload to locate and upload the .cer remote certificate from your computer.
  3. Click OK.
  4. On the certificates list page, the new certificate is now available in Remote Certificate.

To import the user certificate for the FortiGate SSL VPN portal:
  1. On FortiGate, go to System > Certificates, and from the Create/Import dropdown, select Certificate.
  2. Select Import Certificate to locate the .cer user certificate file from your computer.
  3. Click Create.

    On the certificates list page, the new certificate is now available in Local Certificate.
