Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiAuthenticator 6.6.0 Administration Guide
    6.6.0
    6.6.2
    6.6.1
    6.6.0
    6.5.5
    6.5.4
    6.5.3
    6.5.2
    6.5.1
    6.5.0
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.3.4
    6.3.3
    6.3.2
    6.3.1
    6.3.0
    6.2.2
    6.2.1
    6.2.0
    6.1.3
    6.1.2
    6.1.1
    6.1.0
    6.0.8
    6.0.7
    6.0.6
    6.0.5
    6.0.4
    6.0.3
    6.0.2
    6.0.1
    6.0.0
    5.5.0
    5.4.0
    5.3.0
    5.2.0
    5.1.0
    5.0.0
    4.3.0
    4.2.1
    4.2.0

    Enrollment requests

    Enrollment requests

    To view and manage certificate enrollment requests, go to Certificate Management > CMP > Enrollment Requests.

    Before you can create or configure certificate enrollment requests, CMP must be enabled, and HTTP access must be enabled on the network interface(s) that will serve CMP clients (under System > Network > Interfaces).

    The following information is available:

    Create New

    Create a new certificate enrollment request.

    Delete

    Delete the selected certificate enrollment request.

    Search

    Search for CMP enrollment requests with subject fields matching the input text string.

    Filter

    Select and then choose a status filter to apply.

    Refresh

    To refresh the contents, click the refresh icon.

    Method

    The enrollment method used.

    Status

    The status of the enrollment: Pending, Approved, or Rejected.

    Type

    The request type: User or Device.

    Subject

    The certificate subject. Hover over the truncated value to see the full subject name.

    Renewable Before Expiry (Days)

    The number of days before the certificate enrollment request expires that it can be renewed.

    Updated At

    The date and time that the enrollment request was last updated.
    To view the enrollment request details:
    1. From the enrollment request list, select a request by clicking within its row.
    2. Select Cancel to return to the enrollment request window.
    To create a new certificate enrollment request:
    1. From the certificate enrollment requests list, select Create New.
    2. Enter the following information:

      Request type

      Select the request type, either Regular or Device (3GPP).

      Profile name (enrollment id)

      The name for the enrollment request.

      Certificate authority

      Select one of the available local CAs configured on FortiAuthenticator from the dropdown menu.

      The CA must be valid and current. If it is not you will have to create or import a CA certificate before continuing. See Certificate authorities.

      Subject Information

      Subject input method

      Select the subject input method, either Fully distinguished name or Field-by-field.

      Subject DN

      If the subject input method is Fully distinguished name, enter the full distinguished name of the subject. There should be no spaces between attributes.

      Valid DN attributes are DC, C, ST, L, O, OU, CN, and emailAddress. They are case-sensitive.

      Name (CN)

      If the subject input method is Field-by-field, enter the subject name in the Name (CN) field (if the Request type is set to Regular), and optionally enter the following fields:

      • Department (OU)
      • Company (O)
      • City (L)
      • State/Province (ST)
      • Country (C) (select from dropdown menu)
      • Email address

      Note: Name (CN) option is not available when the Request type is Device (3GPP).

      Certificate Signing Options

      Validity period

      Select the amount of time before this certificate expires.

      Select Set length of time to enter a specific number of days (default = 365), or select Set an expiry date and enter the specific date on which the certificate expires.

      Hash algorithm

      Select the hash algorithm from the dropdown menu, either SHA-256 (set by default) or SHA-1.

      Device Authorization

      Note: The pane is only available when the Request type is Device (3GPP).

      Device vendor CA certificate

      From the dropdown select the device vendor CA certificate.

      Restrict enrollment by serial number

      Enable to restrict enrollment by serial number and enter the authorized serial number for the device.

      Select + to open a text box that allows entering multiple serial numbers.

      Note: You can enter multiple serial numbers provided that they are either comma-separated or entered in a new line.

      Challenge Password

      Note: The pane is only available when the Request type is Regular.

      Password creation

      Select to either set a random password, or use the default enrollment password.

      Note: If Default is selected then the password created in General is used.

      Challenge password distribution

      Select the challenge password distribution method. This option is only available if Password creation is set to Random.

      • Display: Display the password on the screen.
      • SMS: Send the password to a mobile phone. Enter the phone number in the Mobile number field and select an SMS gateway from the dropdown menu.
      • Email: Send the password to the email address entered in the email field.

      Renewal

      To allow renewals, select Allow renewal, then enter the number of days before the certificate expires (default = 7).

      When renewal is enabled, you can optionally either allow or reject CMP renewal requests for expired and revoked certificates (as burst renewal requests from FortiGate devices could exhaust the FortiAuthenticator and create duplicate certificates), and either allow or reject CMP renewal requests signed using the old private key.

      Subject Alternative Name

      SANs allow you to protect multiple host names with a single SSL certificate. SAN is part of the X.509 certificate standard.

      Note: The section is only available when the Request type is Regular.

      Email

      Enable and enter the email address of a user to map to this certificate.

      User Principal Name (UPN)

      Enable and enter the UPN used to find the user’s account in Microsoft Active Directory. This will map the certificate to this specific user. The UPN is unique for the Windows Server domain. This is a form of one-to-one mapping.

    3. Optionally, apply key usage attributes.

      Advanced Options: Key Usages

      Key Usages

      Key usage attributes identify the purpose(s) of a certificate's key. Some applications require the explicit presence of attributes before the certificate will be accepted for use. When an entity contains multiple certificates or keys, key usage attributes can also be used to identify which is the correct certificate or key to use.

      When the Critical option is enabled, the certificate can only be used for the purposes indicated by the selected attributes, and attempting to use the certificate for other purposes results in a CA policy violation.

      For detailed information about key usage attributes, see End entities.

      Extended Key Usages

      Extended Key Usages provides an extended list of selectable attributes.

      The Critical option can also be applied to extended key usage attributes. When the Critical option is applied to both key usage and extended key usage attributes, only certificates that are consistent with both fields are accepted.

      For detailed information about extended key usage attributes, see End entities

    4. Select Save to create the new certificate enrollment request.

      When created, the request will have a Status of Pending. A code is displayed which must be provided to the client as a challenge password for the automatic certificate enrollment process.

    Previous
    Next

    Enrollment requests

    Enrollment requests

    To view and manage certificate enrollment requests, go to Certificate Management > CMP > Enrollment Requests.

    Before you can create or configure certificate enrollment requests, CMP must be enabled, and HTTP access must be enabled on the network interface(s) that will serve CMP clients (under System > Network > Interfaces).

    The following information is available:

    Create New

    Create a new certificate enrollment request.

    Delete

    Delete the selected certificate enrollment request.

    Search

    Search for CMP enrollment requests with subject fields matching the input text string.

    Filter

    Select and then choose a status filter to apply.

    Refresh

    To refresh the contents, click the refresh icon.

    Method

    The enrollment method used.

    Status

    The status of the enrollment: Pending, Approved, or Rejected.

    Type

    The request type: User or Device.

    Subject

    The certificate subject. Hover over the truncated value to see the full subject name.

    Renewable Before Expiry (Days)

    The number of days before the certificate enrollment request expires that it can be renewed.

    Updated At

    The date and time that the enrollment request was last updated.
    To view the enrollment request details:
    1. From the enrollment request list, select a request by clicking within its row.
    2. Select Cancel to return to the enrollment request window.
    To create a new certificate enrollment request:
    1. From the certificate enrollment requests list, select Create New.
    2. Enter the following information:

      Request type

      Select the request type, either Regular or Device (3GPP).

      Profile name (enrollment id)

      The name for the enrollment request.

      Certificate authority

      Select one of the available local CAs configured on FortiAuthenticator from the dropdown menu.

      The CA must be valid and current. If it is not you will have to create or import a CA certificate before continuing. See Certificate authorities.

      Subject Information

      Subject input method

      Select the subject input method, either Fully distinguished name or Field-by-field.

      Subject DN

      If the subject input method is Fully distinguished name, enter the full distinguished name of the subject. There should be no spaces between attributes.

      Valid DN attributes are DC, C, ST, L, O, OU, CN, and emailAddress. They are case-sensitive.

      Name (CN)

      If the subject input method is Field-by-field, enter the subject name in the Name (CN) field (if the Request type is set to Regular), and optionally enter the following fields:

      • Department (OU)
      • Company (O)
      • City (L)
      • State/Province (ST)
      • Country (C) (select from dropdown menu)
      • Email address

      Note: Name (CN) option is not available when the Request type is Device (3GPP).

      Certificate Signing Options

      Validity period

      Select the amount of time before this certificate expires.

      Select Set length of time to enter a specific number of days (default = 365), or select Set an expiry date and enter the specific date on which the certificate expires.

      Hash algorithm

      Select the hash algorithm from the dropdown menu, either SHA-256 (set by default) or SHA-1.

      Device Authorization

      Note: The pane is only available when the Request type is Device (3GPP).

      Device vendor CA certificate

      From the dropdown select the device vendor CA certificate.

      Restrict enrollment by serial number

      Enable to restrict enrollment by serial number and enter the authorized serial number for the device.

      Select + to open a text box that allows entering multiple serial numbers.

      Note: You can enter multiple serial numbers provided that they are either comma-separated or entered in a new line.

      Challenge Password

      Note: The pane is only available when the Request type is Regular.

      Password creation

      Select to either set a random password, or use the default enrollment password.

      Note: If Default is selected then the password created in General is used.

      Challenge password distribution

      Select the challenge password distribution method. This option is only available if Password creation is set to Random.

      • Display: Display the password on the screen.
      • SMS: Send the password to a mobile phone. Enter the phone number in the Mobile number field and select an SMS gateway from the dropdown menu.
      • Email: Send the password to the email address entered in the email field.

      Renewal

      To allow renewals, select Allow renewal, then enter the number of days before the certificate expires (default = 7).

      When renewal is enabled, you can optionally either allow or reject CMP renewal requests for expired and revoked certificates (as burst renewal requests from FortiGate devices could exhaust the FortiAuthenticator and create duplicate certificates), and either allow or reject CMP renewal requests signed using the old private key.

      Subject Alternative Name

      SANs allow you to protect multiple host names with a single SSL certificate. SAN is part of the X.509 certificate standard.

      Note: The section is only available when the Request type is Regular.

      Email

      Enable and enter the email address of a user to map to this certificate.

      User Principal Name (UPN)

      Enable and enter the UPN used to find the user’s account in Microsoft Active Directory. This will map the certificate to this specific user. The UPN is unique for the Windows Server domain. This is a form of one-to-one mapping.

    3. Optionally, apply key usage attributes.

      Advanced Options: Key Usages

      Key Usages

      Key usage attributes identify the purpose(s) of a certificate's key. Some applications require the explicit presence of attributes before the certificate will be accepted for use. When an entity contains multiple certificates or keys, key usage attributes can also be used to identify which is the correct certificate or key to use.

      When the Critical option is enabled, the certificate can only be used for the purposes indicated by the selected attributes, and attempting to use the certificate for other purposes results in a CA policy violation.

      For detailed information about key usage attributes, see End entities.

      Extended Key Usages

      Extended Key Usages provides an extended list of selectable attributes.

      The Critical option can also be applied to extended key usage attributes. When the Critical option is applied to both key usage and extended key usage attributes, only certificates that are consistent with both fields are accepted.

      For detailed information about extended key usage attributes, see End entities

    4. Select Save to create the new certificate enrollment request.

      When created, the request will have a Status of Pending. A code is displayed which must be provided to the client as a challenge password for the automatic certificate enrollment process.

    Previous
    Next