Fortinet white logo
Fortinet white logo

Administration Guide

Creating certificates in FortiAuthenticator

Creating certificates in FortiAuthenticator

To create certificates in FortiAuthenticator:
  1. Configure the CA certificate:
    1. Go to Certificate Management > Certificate Authorities > Local CAs.
    2. Click Create New.
    3. Enter the desired values in the Certificate ID and Name (CN) fields.
    4. Configure other fields as desired.
    5. Click OK.

    6. On the Local CAs pane, select the checkbox for the newly created certificate, then click Export Certificate.
    7. Save the certificate in a location that you can upload it to FortiOS from.
  2. Configure the server certificate:
    1. Go to Certificate Management > End Entities > Users.
    2. Click Create New.
    3. In the Certificate ID field, enter the desired certificate name.
    4. By default, the Issuer field is set to Local CA, and if you have only one local CA, it is preselected in the Certificate authority dropdown list. Ensure that the certificate you created in step 1 is selected.
    5. In the Name (CN) field, enter the desired IP address. You must enter an IP address, as this is what FortiClient uses to connect to the VPN tunnel.
    6. Under Advanced Options: Key Usages > Extended Key Usages, select Server Authentication and move it from the left to the right pane. Click OK.

    7. On the Users pane, select the checkbox for the newly created certificate, then click Export Key and Cert.
    8. Enter a strong password, then click OK.
    9. FortiAuthenticator warns that the private key is removed from FortiAuthenticator following the download. Save the certificate in a location that you can upload it to FortiOS from.
  3. Configure the client certificate by repeating the instructions in step 2, except for step f. Instead of Server Authentication, select Client Authentication and move it from the left to the right pane.

Creating certificates in FortiAuthenticator

Creating certificates in FortiAuthenticator

To create certificates in FortiAuthenticator:
  1. Configure the CA certificate:
    1. Go to Certificate Management > Certificate Authorities > Local CAs.
    2. Click Create New.
    3. Enter the desired values in the Certificate ID and Name (CN) fields.
    4. Configure other fields as desired.
    5. Click OK.

    6. On the Local CAs pane, select the checkbox for the newly created certificate, then click Export Certificate.
    7. Save the certificate in a location that you can upload it to FortiOS from.
  2. Configure the server certificate:
    1. Go to Certificate Management > End Entities > Users.
    2. Click Create New.
    3. In the Certificate ID field, enter the desired certificate name.
    4. By default, the Issuer field is set to Local CA, and if you have only one local CA, it is preselected in the Certificate authority dropdown list. Ensure that the certificate you created in step 1 is selected.
    5. In the Name (CN) field, enter the desired IP address. You must enter an IP address, as this is what FortiClient uses to connect to the VPN tunnel.
    6. Under Advanced Options: Key Usages > Extended Key Usages, select Server Authentication and move it from the left to the right pane. Click OK.

    7. On the Users pane, select the checkbox for the newly created certificate, then click Export Key and Cert.
    8. Enter a strong password, then click OK.
    9. FortiAuthenticator warns that the private key is removed from FortiAuthenticator following the download. Save the certificate in a location that you can upload it to FortiOS from.
  3. Configure the client certificate by repeating the instructions in step 2, except for step f. Instead of Server Authentication, select Client Authentication and move it from the left to the right pane.