
Administration Guide

End entities

User and server certificates are required for mutual authentication on many HTTPS, SSL, and IPsec VPN network resources. You can create a user or server certificate on the FortiAuthenticator device, import one that a third-party CA has signed, or import a CSR and sign it with a local CA. User certificates, client certificates, and local computer certificates are all the same type of certificate.

To view the user certificate list, go to Certificate Management > End Entities > Users. To view the server certificate list, go to Certificate Management > End Entities > Local Services.

The following information is available:

Create New Create a new certificate.
Import Select to import a certificate signed by a third-party CA for a previously generated CSR (see To import a local user certificate: and To import a server certificate:) or to import a CSR to sign (see To import a CSR to sign:).
Revoke Revoke the selected certificate. See To revoke a certificate:.
Delete Delete the selected certificate. Deleting removes the record from FortiAuthenticator but does not invalidate copies already issued to a user or server; revoke a certificate that is still in use before deleting it, so that it appears on the CRL.
Export Certificate Save the selected certificate to your computer.
Export Key and Cert Export the certificate together with its private key as a PKCS#12 bundle. This is only available for user certificates, and only where the private key exists on FortiAuthenticator (a certificate issued from an imported CSR has no key to export). The bundle contains the private key, so protect the file and its password accordingly.
Search Enter a search term in the search field, then press Enter to search the certificate list.
Filter

Select to filter the displayed certificates by status. The available selections are: Active and Pending, Pending, Expired, Revoked, Active, and All.

By default, only valid (active and pending) certificates are shown.

Certificate ID The certificate ID.
Subject The certificate’s subject.
Issuer The issuer of the certificate.
Status The status of the certificate.

Expiry

The expiration date of the certificate.

Certificates can be created, imported, exported, revoked, and deleted as required. CSRs can be imported to sign, and the certificate detail information can also be viewed, see To view certificate details:.

To create a new certificate:
  1. To create a new user certificate, go to Certificate Management > End Entities > Users. To create a new server certificate, go to Certificate Management > End Entities > Local Services.
  2. Select Create New to open the Create New User Certificate or Create New Server Certificate window.
  3. Configure the following settings:
    Certificate ID
    Enter a unique ID for the certificate.
    Certificate Signing Options
    Issuer

    Select the issuer of the certificate, either Local CA or Third-party CA. Selecting Third-party CA generates a CSR that is to be signed by a third-party CA.

    Note: When creating a server certificate, an additional Automated option is also available. Selecting Automated requests and renews the certificate automatically over the ACME protocol from the Let's Encrypt service.

    Acme service URL

    The directory URL of the ACME service that issues the certificate.

    Note: The option is only available when the Issuer is Automated.

    Certificate authority

    If Local CA is selected as the issuer, select one of the available CAs configured on FortiAuthenticator from the dropdown menu.

    The CA must be valid and current. If it is not, you must create or import a CA certificate before continuing. See Certificate authorities.

    Local User (Optional)

    If Local CA is selected as the issuer, you may select a local user from the dropdown menu to whom the certificate will apply.

    Note: The option is only available when creating a new user certificate.

    Subject Information
    Subject input method
    Select the subject input method, either Fully distinguished name or Field-by-field.
    Subject DN

    If the subject input method is Fully distinguished name, enter the full distinguished name of the subject as comma-separated attributes, for example CN=alice,OU=IT,O=Example,C=CA. There must be no spaces between attributes.

    Valid DN attributes are DC, C, ST, L, O, OU, CN, and emailAddress. They are case-sensitive, so cn= or EmailAddress= is not accepted.

    Name (CN)

    If the subject input method is Field-by-field, enter the subject name in the Name (CN) field, and optionally fill in the following fields:

    • Department (OU)
    • Company (O)
    • City (L)
    • State/Province (ST)
    • Country (C) (select from dropdown menu)
    • Email address

    Note: When creating a server certificate, if the Issuer is Automated, then only the Name (CN) and Email address options are available.

    Key and Signing Options
    Validity period

    Select the amount of time before this certificate expires. This option is only available when Issuer is set to Local CA; a third-party CA or the Automated (ACME) issuer sets the validity period itself.

    Select Set length of time to enter a specific number of days, or select Set an expiry date to enter the specific date on which the certificate expires.

    Key type
    The key type is fixed to RSA; elliptic curve keys are not supported.
    Key size

    Select the key size from the dropdown menu, either 1024, 2048, or 4096 bits. Use 2048 or 4096: 1024-bit RSA no longer meets current minimum key-strength guidance and is rejected by many modern clients and public CAs, so choose it only where a legacy peer requires it.

    Note: Only 2048 and 4096 bits are available when creating a server certificate if the Issuer is Automated.

    Hash algorithm

    Select the hash algorithm from the dropdown menu, either SHA-256 or SHA-1. SHA-1 signatures are deprecated and are rejected by current browsers and operating systems; select SHA-256 unless a legacy relying party cannot verify it.

    Note: Only SHA-256 is available when creating a server certificate if the Issuer is Automated.

    Subject Alternative Name

    Subject alternative names (SAN) let a single certificate cover several identities: host names, email addresses, user principal names, or URIs. The SAN extension is part of the X.509 certificate standard (RFC 5280) and is where TLS clients look for the host name; current browsers no longer use the CN for that purpose.

    For example, SANs are used to cover several domain names such as www.example.com and www.example.net with one certificate, whereas a wildcard certificate such as *.example.com covers only one level of names under a single domain.

    Note: The options in the pane are not available when creating a server certificate if the Issuer is Automated.

    Email
    Enter the email address (rfc822Name) of the user to map to this certificate. This is the name used when the certificate protects email (S/MIME).
    User Principal Name (UPN)
    Enter the UPN (user@domain) used to find the user's account in Microsoft Active Directory. It is stored as an otherName SAN entry and maps the certificate to that specific account; because the UPN is unique within the Windows Server domain, this is a form of one-to-one mapping. Required for smart card logon.
    URI
    Enter a URI to include as a SAN entry, for relying parties that identify the subject by URI rather than by host name.
    DNS
    Enter the DNS host name the certificate is valid for, such as the server's FQDN. TLS clients match the name they connected to against the DNS entries, so a server certificate should carry every name it is reached by.
    Other Extensions

    This option is only available when creating a new user certificate, and when Issuer is set to Local CA.

    Note: The options in the pane are not available when creating a server certificate if the Issuer is Automated.

    Edit device FQDN

    Select to edit the device FQDN.

    Add CRL Distribution Points extension

    (Location: the CRL URL derived from the device FQDN; it reads "Device FQDN has not been configured" until one is set)

    Select to add a CRL distribution points extension to the certificate. The extension tells relying parties where to download the CRL published by the signing CA.

    A DNS domain name must be configured. If it has not been, select Edit DNS name to configure one. See DNS.

    Note: The URL is embedded in the certificate and cannot be changed without reissuing it. After a certificate is issued with this extension, FortiAuthenticator must be reachable at that FQDN by every client that validates the certificate; clients configured to hard-fail on revocation checking reject a certificate whose CRL they cannot fetch.

    Add OCSP Responder URL

    (Location: the OCSP URL derived from the device FQDN; it reads "Device FQDN has not been configured" until one is set)

    Select to add the FortiAuthenticator OCSP responder URL to the certificate (an Authority Information Access extension), so that relying parties can query the certificate's revocation status online instead of downloading the whole CRL. The same reachability requirement as for the CRL distribution point applies.
    Use certificate for Smart Card logon

    Select to use the certificate for smart card logon.

    Enabling this setting automatically enables Add CRL Distribution Points extension, because Windows smart card logon requires the domain controller to be able to check the certificate's revocation status. The certificate also needs a User Principal Name SAN that matches the Active Directory account and the Smart Card Logon extended key usage (see below).

    Note: The option is only available when creating a user certificate.

    Advanced Options: Key Usages

    Some certificates require the explicit presence of key usage attributes before the certificate can be accepted for use.

    Note: The options in the pane are not available when creating a server certificate if the Issuer is Automated.

    Digital Signature
    The public key verifies signatures made for purposes other than signing certificates or CRLs, such as entity authentication (TLS handshakes, IKE) and data-origin integrity. Almost every end-entity certificate needs this usage.
    Non Repudiation
    Also called content commitment. The public key verifies signatures intended to bind the signer to an action so that it cannot later be denied, for example on signed documents or email. It is distinct from Digital Signature, which covers transient authentication.
    Key Encipherment
    The public key encrypts symmetric or private keys for transport, as in RSA key exchange in TLS or S/MIME encryption.
    Data Encipherment
    The public key encrypts application data directly rather than a key; rarely needed in practice.
    Key Agreement
    The public key is used in a key-agreement protocol such as Diffie-Hellman. It does not apply to RSA keys, the only key type FortiAuthenticator issues.
    Certificate Sign
    The public key verifies signatures on certificates. This is only meaningful in a CA certificate and should not be set on an end-entity certificate.
    CRL Sign
    The public key verifies signatures on certificate revocation lists; likewise only meaningful for a CA or a dedicated CRL issuer.
    Encipher Only
    Only meaningful together with Key Agreement: the key may be used only to encipher data while agreeing a key.
    Decipher Only
    Only meaningful together with Key Agreement: the key may be used only to decipher data while agreeing a key.

    Set only the usages the certificate needs. A TLS server or client certificate with an RSA key normally requires Digital Signature and Key Encipherment and nothing else.
    Advanced Options: Extended Key Usages

    Some certificates require the explicit presence of extended key usage attributes before the certificate can be accepted for use.

    Note: The options in the pane are not available when creating a server certificate if the Issuer is Automated.

    Server Authentication
    TLS server authentication (id-kp-serverAuth). The certificate identifies a TLS or HTTPS server; browsers and other TLS clients reject a server certificate that carries an extended key usage extension without this value.
    Client Authentication
    TLS client authentication (id-kp-clientAuth). The certificate identifies a client in mutual TLS, including EAP-TLS for 802.1X and most IPsec and SSL VPN client certificates.
    Code Signing
    Signing executable code so that the author can be verified and any alteration of the code is detected through the signed hash.
    Secure Email
    Email protection (id-kp-emailProtection): signing and encrypting email with S/MIME. The certificate's Email SAN should match the sender address.
    OCSP Signing
    Marks the certificate as authorised to sign OCSP responses on behalf of the issuing CA (id-kp-OCSPSigning). An OCSP response states "good", "revoked" or "unknown" for the queried certificate. Set this only on the certificate used by an OCSP responder, never on ordinary user or server certificates.
    IPSec End System
    IPSec Tunnel Termination
    IPSec User
    Legacy IPsec key purposes from RFC 2459 (id-kp-ipsecEndSystem, id-kp-ipsecTunnel, id-kp-ipsecUser). Current IKE certificate profiles (RFC 4945) no longer require them; include them only if a peer insists.
    IPSec IKE Intermediate (end entity)
    The IKE intermediate key purpose (OID 1.3.6.1.5.5.8.2.2), which Windows IPsec peers commonly expect on an end-entity certificate used for IKE negotiation. Despite the name it has nothing to do with intermediate CA certificates.
    Time Stamping
    Signing time-stamp tokens (id-kp-timeStamping, RFC 3161), which prove that data existed at a given time; used with code signing so that signatures remain verifiable after the signing certificate expires.
    Microsoft Individual Code Signing
    Legacy Authenticode purpose for code signed by an individual developer.
    Microsoft Commercial Code Signing
    Legacy Authenticode purpose for code signed on behalf of an organisation.
    Microsoft Trust List Signing
    Signing a certificate trust list (CTL), a signed list of certificate hashes approved by a trusted signing entity.
    Microsoft Server Gated Crypto
    A defunct mechanism that stepped up export-grade 40-bit and 56-bit SSL cipher suites to 128-bit. No current client needs it.
    Netscape Server Gated Crypto
    The Netscape equivalent of Server Gated Crypto, equally defunct.
    Microsoft Encrypted File System
    The certificate's key protects the file encryption keys of the Encrypting File System (EFS), which transparently encrypts files to protect confidential data.
    Microsoft EFS File Recovery
    Marks an EFS recovery agent certificate, whose key can decrypt EFS-protected files when the user's own key is unavailable. Treat such a key as highly sensitive.
    Smart Card Logon
    Allows the certificate to be used for Windows smart card logon. The domain controller requires this purpose together with a User Principal Name SAN that matches the account and, normally, Client Authentication.
    EAP over PPP
    Extensible Authentication Protocol (EAP) carried inside the Point-to-Point Protocol (PPP), as on dial-up or VPN links.
    EAP over LAN
    EAP carried over a LAN (EAPOL), the IEEE 802.1X framework used for wired and wireless network access control.
    KDC Authentication
    Identifies a Kerberos key distribution centre (KDC) for PKINIT (RFC 4556). Clients performing certificate-based Kerberos logon check that the KDC's certificate carries this purpose before trusting the tickets it issues.
  4. Select OK to create the new certificate.
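
A Subject DN entered with the Fully distinguished name method can be checked before it is pasted into the form. The following is an added example, not FortiAuthenticator code: a small validator that applies the rules stated above (comma-separated attributes with no spaces between them, only the listed attribute types, matched case-sensitively) and honours RFC 4514 backslash escapes so that a value such as an organisation name containing a comma can still be expressed. Requiring at least one CN is an assumption borrowed from the field-by-field form, where Name (CN) is the only mandatory field; the sample DNs are constructed.

```python
# Added example (not FortiAuthenticator code): validate a Subject DN string
# against the rules the page gives for the "Fully distinguished name" input.
import re

# The attribute types the page accepts, matched case-sensitively.
ALLOWED_ATTRIBUTES = ("DC", "C", "ST", "L", "O", "OU", "CN", "emailAddress")

# One RDN: letters, "=", then a value in which "\" escapes the next character
# (RFC 4514). Whitespace around "=" deliberately fails to match.
_RDN = re.compile(r"^([A-Za-z]+)=((?:\\.|[^\\])*)$")


class DNError(ValueError):
    """Raised with a message naming the first defect found."""


def split_rdns(dn):
    """Split a DN on commas that are not escaped with a backslash."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])   # keep the escape pair intact for now
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def parse_subject_dn(dn):
    """Return [(attribute, value), ...] in input order, or raise DNError."""
    if not dn:
        raise DNError("empty DN")
    pairs = []
    for rdn in split_rdns(dn):
        if rdn != rdn.strip():
            # "CN=alice, O=Example" violates the no-spaces-between-attributes rule.
            raise DNError("whitespace around attribute: %r" % rdn)
        match = _RDN.match(rdn)
        if not match:
            raise DNError("not of the form ATTR=value: %r" % rdn)
        attr, value = match.group(1), match.group(2)
        if attr not in ALLOWED_ATTRIBUTES:   # case-sensitive: "cn" is rejected
            raise DNError("unsupported or wrongly cased attribute: %r" % attr)
        if value == "":
            raise DNError("empty value for %s" % attr)
        # Undo the RFC 4514 escapes so the caller sees the real value.
        pairs.append((attr, re.sub(r"\\(.)", r"\1", value)))
    # Assumption: mirror the field-by-field form, where Name (CN) is mandatory.
    if not any(attr == "CN" for attr, _ in pairs):
        raise DNError("a CN attribute is required")
    return pairs


def is_valid_subject_dn(dn):
    """Boolean convenience wrapper around parse_subject_dn."""
    try:
        parse_subject_dn(dn)
        return True
    except DNError:
        return False


if __name__ == "__main__":
    # Constructed samples: one valid DN and a few that the form would reject.
    print(parse_subject_dn("CN=alice,OU=IT,O=Example\\, Inc,L=Ottawa,ST=ON,C=CA"))
    for bad in ("CN=alice, O=Example", "cn=alice", "CN=alice,E=alice@example.com"):
        try:
            parse_subject_dn(bad)
        except DNError as err:
            print("rejected %r: %s" % (bad, err))
```

The validator reports the first defect only, which is enough to correct a DN before submitting it; the escaped comma in the organisation value shows why a naive split on "," is not sufficient.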
To import a local user certificate:

FortiAuthenticator only supports RSA certificates. Certificates that use elliptic curve keys or signatures cannot be imported.

  1. Go to Certificate Management > End Entities > Users and select Import.
  2. For Type, select Local certificate.
  3. Select Choose File to locate the certificate file on your computer.
  4. Select OK to import the certificate.
To import a server certificate:
  1. Go to Certificate Management > End Entities > Local Services and select Import.
  2. Select Choose File to locate the certificate file on your computer.
  3. Select OK to import the certificate.
To import a CSR to sign:
  1. Go to Certificate Management > End Entities > Users and select Import.
  2. For Type, select CSR to sign.
  3. Configure the following settings:
    Certificate ID
    Enter a unique ID for the certificate.
    CSR file (.csr, .req)
    Select Choose File, then locate the CSR file on your computer.
    Certificate Signing Options
    Certificate authority

    Select one of the available CAs configured on the FortiAuthenticator from the dropdown menu.

    The CA must be valid and current. If it is not, you must create or import a CA certificate before continuing. See Certificate authorities.

    Validity period

    Select the amount of time before this certificate expires.

    Select Set length of time to enter a specific number of days, or select Set an expiry date and enter the specific date on which the certificate expires.

    Hash algorithm
    Select the hash algorithm from the dropdown menu, either SHA-256 or SHA-1. Select SHA-256; SHA-1 signatures are deprecated and rejected by current clients.
    Subject Alternative Name
    Email
    Enter the email address of the user to map to this certificate.
    User Principal Name (UPN)
    Enter the UPN used to find the user's account in Microsoft Active Directory. This maps the certificate to that specific user; because the UPN is unique within the Windows Server domain, this is a form of one-to-one mapping.
    Other Extensions
    Add CRL Distribution Points extension

    Select to add CRL distribution points extension to the certificate.

    A DNS domain name must be configured. If it has not been, select Edit DNS name to configure one. See DNS.

    Note: After a certificate is issued with this extension, the server must be able to handle the CRL request at the specified location.

    Add OCSP Responder URL
    Enable Online Certificate Status Protocol (OCSP) to obtain the revocation status of a certificate.
    Use certificate for Smart Card logon

    Select to use the certificate for smart card logon.

    Enabling this setting will automatically enable Add CRL Distribution Points extension.

    Advanced Options: Key Usages and Extended Key Usages

    Some certificates require the explicit presence of key usage attributes before the certificate can be accepted for use.

    Same settings available as when creating a new user certificate (see above).

  4. Select OK to import the CSR.
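
The Key Usage, Extended Key Usage and Subject Alternative Name choices in the create and import-CSR procedures above end up in the issued certificate as DER-encoded X.509 extensions. The following added example, which is not FortiAuthenticator code, encodes those choices the way RFC 5280 specifies and decodes a Key Usage back to names, so that the extensions of an issued certificate (for instance as shown by openssl x509 -text) can be compared with what was requested. The OIDs are the standard IETF and Microsoft values; the sample names alice@example.com and alice@corp.example.com are constructed.

```python
# Added example (not FortiAuthenticator code): DER-encode the Key Usage,
# Extended Key Usage and Subject Alternative Name choices from this page and
# decode a Key Usage BIT STRING back to names. Standard library only.

# RFC 5280 KeyUsage bit positions; bit 0 is the most significant bit of byte 0.
KEY_USAGE_BITS = {
    "digitalSignature": 0, "nonRepudiation": 1, "keyEncipherment": 2,
    "dataEncipherment": 3, "keyAgreement": 4, "keyCertSign": 5,
    "cRLSign": 6, "encipherOnly": 7, "decipherOnly": 8,
}
# Key purpose OIDs from RFC 5280, RFC 3748 (EAP), RFC 4556 (PKINIT) and the
# Microsoft arc; the names are the ones used on this page, abbreviated.
EXTENDED_KEY_USAGE_OIDS = {
    "serverAuth": "1.3.6.1.5.5.7.3.1", "clientAuth": "1.3.6.1.5.5.7.3.2",
    "codeSigning": "1.3.6.1.5.5.7.3.3", "emailProtection": "1.3.6.1.5.5.7.3.4",
    "ipsecEndSystem": "1.3.6.1.5.5.7.3.5", "ipsecTunnel": "1.3.6.1.5.5.7.3.6",
    "ipsecUser": "1.3.6.1.5.5.7.3.7", "timeStamping": "1.3.6.1.5.5.7.3.8",
    "OCSPSigning": "1.3.6.1.5.5.7.3.9", "eapOverPPP": "1.3.6.1.5.5.7.3.13",
    "eapOverLAN": "1.3.6.1.5.5.7.3.14", "ikeIntermediate": "1.3.6.1.5.5.8.2.2",
    "msSmartcardLogon": "1.3.6.1.4.1.311.20.2.2", "msEFS": "1.3.6.1.4.1.311.10.3.4",
    "msEFSRecovery": "1.3.6.1.4.1.311.10.3.4.1", "kdcAuth": "1.3.6.1.5.2.3.5",
}
UPN_OTHERNAME_OID = "1.3.6.1.4.1.311.20.2.3"  # Microsoft szOID_NT_PRINCIPAL_NAME

def der_length(n):
    """X.690 definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + der_length(len(content)) + content

def encode_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed into one byte, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return tlv(0x06, bytes(out))

def encode_key_usage(names):
    """KeyUsage ::= BIT STRING. DER drops trailing zero bits and records how
    many bits of the last byte are unused, so decipherOnly (bit 8) needs a
    second byte while the common digitalSignature+keyEncipherment fits in one."""
    bits = sorted(KEY_USAGE_BITS[n] for n in names)
    if not bits:
        return tlv(0x03, b"\x00")
    nbytes = bits[-1] // 8 + 1
    value = bytearray(nbytes)
    for b in bits:
        value[b // 8] |= 0x80 >> (b % 8)
    return tlv(0x03, bytes([nbytes * 8 - bits[-1] - 1]) + bytes(value))

def decode_key_usage(der):
    """Inverse of encode_key_usage for a complete short-form BIT STRING TLV."""
    if len(der) < 3 or der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("not a well-formed KeyUsage BIT STRING")
    unused, value = der[2], der[3:]
    valid_bits = len(value) * 8 - unused
    return [name for name, bit in KEY_USAGE_BITS.items()
            if bit < valid_bits and value[bit // 8] & (0x80 >> (bit % 8))]

def encode_extended_key_usage(names):
    """ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId (one OID each)."""
    return tlv(0x30, b"".join(encode_oid(EXTENDED_KEY_USAGE_OIDS[n]) for n in names))

def encode_san(email=None, upn=None, uri=None, dns=None):
    """GeneralNames for the four SAN kinds the page offers. The UPN is an
    otherName [0] whose value is an EXPLICIT [0] UTF8String, the form Windows
    smart card logon looks for; the other three are IMPLICIT-tagged IA5Strings."""
    names = []
    if upn:
        inner = encode_oid(UPN_OTHERNAME_OID) + tlv(0xA0, tlv(0x0C, upn.encode("utf-8")))
        names.append(tlv(0xA0, inner))
    if email:
        names.append(tlv(0x81, email.encode("ascii")))  # rfc822Name [1]
    if dns:
        names.append(tlv(0x82, dns.encode("ascii")))    # dNSName [2]
    if uri:
        names.append(tlv(0x86, uri.encode("ascii")))    # uniformResourceIdentifier [6]
    return tlv(0x30, b"".join(names))

if __name__ == "__main__":
    # Constructed sample: a user certificate for mutual TLS and smart card logon.
    ku = encode_key_usage(["digitalSignature", "keyEncipherment"])
    print("keyUsage       ", ku.hex().upper(), decode_key_usage(ku))
    print("extKeyUsage    ", encode_extended_key_usage(["clientAuth", "msSmartcardLogon"]).hex().upper())
    print("subjectAltName ", encode_san(email="alice@example.com", upn="alice@corp.example.com").hex().upper())
```

The Digital Signature plus Key Encipherment combination a TLS certificate normally carries encodes to the four bytes 03 02 05 A0, which is what the keyUsage extension of such a certificate contains; a UPN otherName is recognisable in a dump by the OID 1.3.6.1.4.1.311.20.2.3 immediately inside the [0] tag.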
To revoke a certificate:
  1. Go to Certificate Management > End Entities > Users or to Certificate Management > End Entities > Local Services.
  2. Select the certificate you want to revoke and select Revoke.
  3. Select a reason for revoking the certificate from the Reason code dropdown menu. The reasons correspond to the CRLReason codes defined in RFC 5280 and are:
    • Unspecified
    • Key has been compromised
    • CA has been compromised
    • Changes in affiliation
    • Superseded
    • Operation ceased
    • On Hold
    Some of these reasons are security related (such as a compromised key or CA), while others are more business related. A change in affiliation could be an employee leaving the company, while Operation ceased could be a project that was canceled. On Hold (certificateHold) is the one reason RFC 5280 defines as temporary; the others are final.
  4. Select OK to revoke the certificate.

  Note: A revocation protects you only once relying parties see it. Clients that do not check revocation status, or that still hold a cached CRL or OCSP response, continue to accept the certificate until that data expires, so after a key compromise also remove the certificate from any trust or allow lists where you can.
To view certificate details:

From the certificate list, select a certificate ID to open the Certificate Detail Information window.

Select Edit next to the Certificate ID field to change the certificate ID. This is the only field that can be edited; everything else is part of the signed certificate and cannot be changed. If any of that information is out of date or incorrect, delete the certificate (revoking it first if it has already been distributed) and enter the correct information in a new certificate, see To create a new certificate:. Select Close to return to the certificate list.
