Fortinet white logo
Fortinet white logo

Handbook

Managing local certificates

Managing local certificates

This section includes the following information:

Overview

While requesting secure administrator access to a FortiDDoS device via HTTPS, the device uses SSL protocol to ensure that all communication between the device and the HTTP browser is secure no matter which client application is used. Regarding basic authentication made by an HTTP client, the device will use its self-signed security certificate to allow authentication whenever HTTPS is initiated by the client.

Note: The self-signed certificate proposal is the default setting on the device.

The HTTP browser notices the following discrepancies:

  • The 'issuer' of the certificate offered by the device is unknown.
  • The 'subject' of the certificate doesn't match the FQDN of the HTTP request a.b.c.d.

To avoid the triggering of these messages in the scenario where you don't require your HTTP browser to 'Permanently store this exception':

  • Always ensure that the certificate of the CA signed by the device certificate is stored in the browser repository.
  • Always ensure that the device is accessed with a correct FQDN.

Once the security exception is confirmed, the login page will be displayed. All the data sent to the device is encrypted and a HTTPS connection is created without reading the self-signed certificate proposal. Once the HTTP browser has permanently stored this exception, the exception prompt is not shown again. If the HTTP client declines the certificate, then the device does not allow the connection.

If you want to avoid these warnings and have a custom certificate, you must assign a host name to the appliance, generate a key pair and certificate request and import the certificate from a signing authority.

NOTE: The factory security certificate is not intended for long term use and as such may have weak security. You MUST secure the system by:

Assigning a host name to the appliance

Generating a key pair and certificate request

Importing the certificate from a valid signing authority.

Generating a Certificate Signing Request (CSR)

FortiDDoS allows you to generate CSRs that you can send to a CA to sign and give you a signed certificate. FortiDDoS creates a key pair that it keeps in a protected storage and is later used for SSL.

Before you begin:

• You must have Read-Write permission for System settings.

To generate a certificate request:

  1. Go to System > Certificate > Generate and Import.
  2. Click Generate to display the configuration editor.
  3. Complete the configuration as described in the table below.
  4. Save the configuration.

    The system creates a private and public key pair. The generated request includes the public key of the FortiDDoS appliance and information such as the IP address, domain name, or email address. The FortiDDoS appliance private key remains confidential in the FortiDDoS appliance. The Status column of the new CSR entry is Pending.

  5. Select the row that corresponds to the certificate request.
  6. Click Download.

    Standard dialogs appear with buttons to save the file to the location you select. Your web browser downloads the certificate request (.csr) file.

  7. Upload the certificate request to your CA.

    After you submit the request to a CA, the CA will verify the information in the certificate, give it a serial number, an expiration date, and sign it with the public key of the CA.

  8. If you are not using a commercial CA whose root certificate is already installed by default on web browsers, download your CA’s root certificate, then install it on all computers that will be connecting to your appliance. (If you do not install these, those computers might not trust your new certificate.)
  9. When you receive the signed certificate from the CA, you can import the certificate into the FortiDDoS system.

CSR configuration
Settings Guidelines
Generate Certificate Signing Request
Certification Name Configuration name. Valid characters are A-Z,a-z,0-9,_, and -. No spaces. The maximum length is 35 characters.

Note: This is the name of the CSR file, not the host name/IP contained in the certificate’s Subject: line.
Subject Information
ID Type Select the type of identifier to use in the certificate to identify the virtual server:

  • Host IP—The static public IP address of the FortiDDoS virtual server in the IP Address field. If the FortiDDoS appliance does not have a static public IP address, use the email or domain name options instead.
    Note: If your network has a dynamic public IP address, you should not use this option. An “Unable to verify certificate” or similar error message will be displayed by users’ browsers when your public IP address changes.

  • Domain Name—The fully qualified domain name (FQDN) of the FortiDDoS virtual server, such as www.example.com. This does not require that the IP address be static, and may be useful if, for example, your network has a dynamic public IP address and therefore clients connect to it via dynamic DNS. Do not include the protocol specification (http://) or any port number or path names.

  • Email—The email address of the owner of the FortiDDoS virtual server. Use this if the virtual server does not require either a static IP address or a domain name.

Depending on your choice for ID Type, related options appear.
IP Address Type the static IP address of the FortiDDoS appliance, such as 10.0.0.1.The IP address should be the one that is visible to clients. Usually, this should be its public IP address on the Internet, or a virtual IP that you use NAT to map to the appliance’s IP address on your private network.

This option appears only if ID Type is Host IP.
Domain Name Type the FQDN of the FortiDDoS appliance, such as www.example.com. The domain name must resolve to the IP address of the FortiDDoS appliance or backend server according to the DNS server used by clients. (If it does not, the clients’ browsers will display a Host name mismatch or similar error message.)

This option appears only if ID Type is Domain Name.
E-mail Type the email address of the owner of the FortiDDoS appliance, such as admin@example.com.

This option appears only if ID Type is E-Mail.
Distinguished Information
Organization Unit Name of organizational unit (OU), such as the name of your department. This is optional. To enter more than one OU name, click the + icon, and enter each OU separately in each field
Organization Legal name of your organization.
Locality (City) City or town where the FortiDDoS appliance is located.
State/Province State or province where the FortiDDoS appliance is located.
Country/Region Country where the FortiDDoS appliance is located.
Email Email address that may be used for contact purposes, such as admin@example.com.
Key Information
Key Type

RSA

Key Size

Select a secure key size. Larger keys use more computing resources, but provide better security.

For RSA, select one of the following:

  • 1024 Bit
  • 1536 Bit
  • 2048 Bit
Enrollment Information
Enrollment Method File Based—You must manually download and submit the resulting certificate request file to a CA for signing. Once signed, upload the local certificate.

Online SCEP—The FortiDDoS appliance automatically uses HTTP to submit the request to the simple certificate enrollment protocol (SCEP) server of a CA, which will validate and sign the certificate. For this selection, two options appear. Enter the CA Server URL and the Challenge Password.

Importing certificates

Importing Certificates to an appliance using FortiDDoS-CM is not available. If you need to import a Certificate, login directly to the FortiDDoS appliance GUI. See the instructions under http://help.fortinet.com/fddos/4-7-0/index.htm#cshid=manage_local_certificate.

You can import or upload the following types of server certificates and private keys to the FortiDDoS system:

  • local
  • PKCS12
  • certificate

Before you begin:

  • You must have Read-Write permission for System settings.
  • You must have downloaded the certificate and key files to browse and upload.

To import a local certificate:

  1. Go to System > Certificate > Generate and Import.
  2. Click Import to display the configuration editor.
  3. Complete the configuration based on the certificate Type selection, as described in the table below.
  4. Save the configuration.

Importing a local certificate


Local certificate import configuration

Settings Guidelines
Type
  • Local Certificate: An unencrypted certificate in PEM format.
  • PKCS12 Certificate: A PKCS #12 password-encrypted certificate with key in the same file.
  • Certificate: An unencrypted certificate in PEM format. The key is in a separate file.
Additional fields are displayed depending on your selection.
Local Certificate
Certificate File Browse and locate the certificate file that you want to upload.
PKCS12 Certificate
Certificate Name Name that can be referenced by other parts of the configuration, such as www_example_com.
  • Do not use spaces or special characters.
  • Maximum length is 35 characters.
Certificate File Browse and locate the certificate file that you want to upload.
Password Password to encrypt the file in local storage.
Certificate
Certificate Name Name that can be referenced by other parts of the configuration, such as www_example_com.
  • Do not use spaces or special characters.
  • Maximum length is 35 characters.
Certificate File Browse and locate the certificate file that you want to upload.
Password Password to encrypt the files in local storage.

After the certificate is imported, status shows OK.

Using certificates

  1. Go to System > Certificate > Web Administration tab.
  2. Select the desired certificate from the HTTPS Server Certificate (default: Factory) drop-down.
  3. Save the configuration.

Certificate selection page

Viewing certificates

The system has its own default 'Factory' certificate that it presents to establish secure connections with the administrator client computer.

To view the local certificate:
  1. Go to System > Certificate > Generate and Import tab.
  2. Double-click the row corresponding to the Factory Certificate.

Factory Local Certificate

Managing local certificates

Managing local certificates

This section includes the following information:

Overview

While requesting secure administrator access to a FortiDDoS device via HTTPS, the device uses SSL protocol to ensure that all communication between the device and the HTTP browser is secure no matter which client application is used. Regarding basic authentication made by an HTTP client, the device will use its self-signed security certificate to allow authentication whenever HTTPS is initiated by the client.

Note: The self-signed certificate proposal is the default setting on the device.

The HTTP browser notices the following discrepancies:

  • The 'issuer' of the certificate offered by the device is unknown.
  • The 'subject' of the certificate doesn't match the FQDN of the HTTP request a.b.c.d.

To avoid the triggering of these messages in the scenario where you don't require your HTTP browser to 'Permanently store this exception':

  • Always ensure that the certificate of the CA signed by the device certificate is stored in the browser repository.
  • Always ensure that the device is accessed with a correct FQDN.

Once the security exception is confirmed, the login page will be displayed. All the data sent to the device is encrypted and a HTTPS connection is created without reading the self-signed certificate proposal. Once the HTTP browser has permanently stored this exception, the exception prompt is not shown again. If the HTTP client declines the certificate, then the device does not allow the connection.

If you want to avoid these warnings and have a custom certificate, you must assign a host name to the appliance, generate a key pair and certificate request and import the certificate from a signing authority.

NOTE: The factory security certificate is not intended for long term use and as such may have weak security. You MUST secure the system by:

Assigning a host name to the appliance

Generating a key pair and certificate request

Importing the certificate from a valid signing authority.

Generating a Certificate Signing Request (CSR)

FortiDDoS allows you to generate CSRs that you can send to a CA to sign and give you a signed certificate. FortiDDoS creates a key pair that it keeps in a protected storage and is later used for SSL.

Before you begin:

• You must have Read-Write permission for System settings.

To generate a certificate request:

  1. Go to System > Certificate > Generate and Import.
  2. Click Generate to display the configuration editor.
  3. Complete the configuration as described in the table below.
  4. Save the configuration.

    The system creates a private and public key pair. The generated request includes the public key of the FortiDDoS appliance and information such as the IP address, domain name, or email address. The FortiDDoS appliance private key remains confidential in the FortiDDoS appliance. The Status column of the new CSR entry is Pending.

  5. Select the row that corresponds to the certificate request.
  6. Click Download.

    Standard dialogs appear with buttons to save the file to the location you select. Your web browser downloads the certificate request (.csr) file.

  7. Upload the certificate request to your CA.

    After you submit the request to a CA, the CA will verify the information in the certificate, give it a serial number, an expiration date, and sign it with the public key of the CA.

  8. If you are not using a commercial CA whose root certificate is already installed by default on web browsers, download your CA’s root certificate, then install it on all computers that will be connecting to your appliance. (If you do not install these, those computers might not trust your new certificate.)
  9. When you receive the signed certificate from the CA, you can import the certificate into the FortiDDoS system.

CSR configuration
Settings Guidelines
Generate Certificate Signing Request
Certification Name Configuration name. Valid characters are A-Z,a-z,0-9,_, and -. No spaces. The maximum length is 35 characters.

Note: This is the name of the CSR file, not the host name/IP contained in the certificate’s Subject: line.
Subject Information
ID Type Select the type of identifier to use in the certificate to identify the virtual server:

  • Host IP—The static public IP address of the FortiDDoS virtual server in the IP Address field. If the FortiDDoS appliance does not have a static public IP address, use the email or domain name options instead.
    Note: If your network has a dynamic public IP address, you should not use this option. An “Unable to verify certificate” or similar error message will be displayed by users’ browsers when your public IP address changes.

  • Domain Name—The fully qualified domain name (FQDN) of the FortiDDoS virtual server, such as www.example.com. This does not require that the IP address be static, and may be useful if, for example, your network has a dynamic public IP address and therefore clients connect to it via dynamic DNS. Do not include the protocol specification (http://) or any port number or path names.

  • Email—The email address of the owner of the FortiDDoS virtual server. Use this if the virtual server does not require either a static IP address or a domain name.

Depending on your choice for ID Type, related options appear.
IP Address Type the static IP address of the FortiDDoS appliance, such as 10.0.0.1.The IP address should be the one that is visible to clients. Usually, this should be its public IP address on the Internet, or a virtual IP that you use NAT to map to the appliance’s IP address on your private network.

This option appears only if ID Type is Host IP.
Domain Name Type the FQDN of the FortiDDoS appliance, such as www.example.com. The domain name must resolve to the IP address of the FortiDDoS appliance or backend server according to the DNS server used by clients. (If it does not, the clients’ browsers will display a Host name mismatch or similar error message.)

This option appears only if ID Type is Domain Name.
E-mail Type the email address of the owner of the FortiDDoS appliance, such as admin@example.com.

This option appears only if ID Type is E-Mail.
Distinguished Information
Organization Unit Name of organizational unit (OU), such as the name of your department. This is optional. To enter more than one OU name, click the + icon, and enter each OU separately in each field
Organization Legal name of your organization.
Locality (City) City or town where the FortiDDoS appliance is located.
State/Province State or province where the FortiDDoS appliance is located.
Country/Region Country where the FortiDDoS appliance is located.
Email Email address that may be used for contact purposes, such as admin@example.com.
Key Information
Key Type

RSA

Key Size

Select a secure key size. Larger keys use more computing resources, but provide better security.

For RSA, select one of the following:

  • 1024 Bit
  • 1536 Bit
  • 2048 Bit
Enrollment Information
Enrollment Method File Based—You must manually download and submit the resulting certificate request file to a CA for signing. Once signed, upload the local certificate.

Online SCEP—The FortiDDoS appliance automatically uses HTTP to submit the request to the simple certificate enrollment protocol (SCEP) server of a CA, which will validate and sign the certificate. For this selection, two options appear. Enter the CA Server URL and the Challenge Password.

Importing certificates

Importing Certificates to an appliance using FortiDDoS-CM is not available. If you need to import a Certificate, login directly to the FortiDDoS appliance GUI. See the instructions under http://help.fortinet.com/fddos/4-7-0/index.htm#cshid=manage_local_certificate.

You can import or upload the following types of server certificates and private keys to the FortiDDoS system:

  • local
  • PKCS12
  • certificate

Before you begin:

  • You must have Read-Write permission for System settings.
  • You must have downloaded the certificate and key files to browse and upload.

To import a local certificate:

  1. Go to System > Certificate > Generate and Import.
  2. Click Import to display the configuration editor.
  3. Complete the configuration based on the certificate Type selection, as described in the table below.
  4. Save the configuration.

Importing a local certificate


Local certificate import configuration

Settings Guidelines
Type
  • Local Certificate: An unencrypted certificate in PEM format.
  • PKCS12 Certificate: A PKCS #12 password-encrypted certificate with key in the same file.
  • Certificate: An unencrypted certificate in PEM format. The key is in a separate file.
Additional fields are displayed depending on your selection.
Local Certificate
Certificate File Browse and locate the certificate file that you want to upload.
PKCS12 Certificate
Certificate Name Name that can be referenced by other parts of the configuration, such as www_example_com.
  • Do not use spaces or special characters.
  • Maximum length is 35 characters.
Certificate File Browse and locate the certificate file that you want to upload.
Password Password to encrypt the file in local storage.
Certificate
Certificate Name Name that can be referenced by other parts of the configuration, such as www_example_com.
  • Do not use spaces or special characters.
  • Maximum length is 35 characters.
Certificate File Browse and locate the certificate file that you want to upload.
Password Password to encrypt the files in local storage.

After the certificate is imported, status shows OK.

Using certificates

  1. Go to System > Certificate > Web Administration tab.
  2. Select the desired certificate from the HTTPS Server Certificate (default: Factory) drop-down.
  3. Save the configuration.

Certificate selection page

Viewing certificates

The system has its own default 'Factory' certificate that it presents to establish secure connections with the administrator client computer.

To view the local certificate:
  1. Go to System > Certificate > Generate and Import tab.
  2. Double-click the row corresponding to the Factory Certificate.

Factory Local Certificate