Fortinet black logo

Best Practices

Home FortiGate / FortiOS 7.0.0 Best Practices

Certificates

7.0.0
7.4.0
7.2.0
7.0.0
6.4.0
6.2.0
6.0.0
Copy Link
Copy Doc ID 7c8e21ef-1be2-11ec-8c53-00505692583a:892781
Download PDF

Certificates

Certificates serve three primary purposes:

  1. Authentication

    The Common Name (CN) and/or Subject Alternative Name (SAN) fields are used to identify the device that the certificate is representing.

  2. Encryption and decryption

    Private and public key pairs are used to encrypt and decrypt traffic.

  3. Integrity

    Messages are hashed using a secret key known to both the sender and the receiver. The receiver uses the key to check the hash value and confirm the message's data integrity and authenticity.

Certificate based authentication has several advantages over password based authentication. While password based authentication relies on secrets that are defined and managed by a user, certificate based authentication uses secrets that are issued and managed by the certificate authority. Certificates are more secure than passwords, because the private key in the certificate has high cryptographic strength, which a user defined password does not usually have.

The CA vouches for the certificates that it signs. If the endpoint has the CA root certificate installed, then it trusts the CA and anything that the CA signs. There are three types of CAs:

  • Public CA

    Public, or well-known, CAs charge a fee to sign your certificate. Many systems come with these CA root certificates pre-installed.

  • Let's Encrypt

    Let's Encrypt is a free, automated, and open CA. FortiGate includes an Automated Certificate Management Environment (ACME) to directly interact with Let's Encrypt. Some legacy systems might not have the Let's Encrypt CA root certificate installed.

  • Private CA

    Private CAs are created by an organization that creates its own local CA instead of using an external CA. It functions the same as a public CA, but the root certificate is not pre-installed on anything. FortiAuthenticator, Microsoft Server, OpenSSL, and XCA can all function as CAs.

Regardless of what kind of CA is used, involved devices must have the CA root certificate installed in order to trust the certificate that it signs.

Previous
Next

More Links

Certificates

Certificates

Certificates serve three primary purposes:

  1. Authentication

    The Common Name (CN) and/or Subject Alternative Name (SAN) fields are used to identify the device that the certificate is representing.

  2. Encryption and decryption

    Private and public key pairs are used to encrypt and decrypt traffic.

  3. Integrity

    Messages are hashed using a secret key known to both the sender and the receiver. The receiver uses the key to check the hash value and confirm the message's data integrity and authenticity.

Certificate based authentication has several advantages over password based authentication. While password based authentication relies on secrets that are defined and managed by a user, certificate based authentication uses secrets that are issued and managed by the certificate authority. Certificates are more secure than passwords, because the private key in the certificate has high cryptographic strength, which a user defined password does not usually have.

The CA vouches for the certificates that it signs. If the endpoint has the CA root certificate installed, then it trusts the CA and anything that the CA signs. There are three types of CAs:

  • Public CA

    Public, or well-known, CAs charge a fee to sign your certificate. Many systems come with these CA root certificates pre-installed.

  • Let's Encrypt

    Let's Encrypt is a free, automated, and open CA. FortiGate includes an Automated Certificate Management Environment (ACME) to directly interact with Let's Encrypt. Some legacy systems might not have the Let's Encrypt CA root certificate installed.

  • Private CA

    Private CAs are created by an organization that creates its own local CA instead of using an external CA. It functions the same as a public CA, but the root certificate is not pre-installed on anything. FortiAuthenticator, Microsoft Server, OpenSSL, and XCA can all function as CAs.

Regardless of what kind of CA is used, involved devices must have the CA root certificate installed in order to trust the certificate that it signs.

Previous
Next