Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiGate / FortiOS 7.0.16 Administration Guide
    7.0.16
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0

    Uploading a certificate using the GUI

    Uploading a certificate using the GUI

    On the System > Certificates page, there are two options to add a certificate: Generate (use a certificate signing request) and Import.

    Generate certificate signing request

    Certificate signing requests (CSRs) are used to generate a certificate which is then signed by a CA to create a chain of trust. The CSR includes details of the FortiGate (see table below) and its public key. A CSR is not strictly necessary; some CAs allow you to provide the details of the FortiGate manually, but a CSR helps streamline the process. Selecting Generate takes you the Generate Certificate Signing Request page to enter the following information:

    Certificate Name

    Enter the certificate name; this is how it will appear in the Local Certificates list.

    Subject Information

    Specify an ID type: host IP address, domain name (FQDN), or email address.

    Optional Information

    Although listed as optional, we recommended entering the information for each field in this section.

    If you are generating a CSR for a third-party CA, you need to insure that these values reflect those listed for your company or organization at said certificate authority. If you are generating a certificate for a Microsoft CA, you need to check with the administrator regarding these values.

    Organization Unit

    Enter the name of the organizational unit under which the certificate will be issued.

    Organization

    Enter the overall name of the organization.

    Locality(City)

    Enter the city where the SSL certificate is located.

    State / Province

    Some issuers will reject a CSR that has an abbreviated state or province, so enter the full name of the state or province.

    Country / Region

    Enable the option and select the country from the dropdown.

    E-Mail

    Enter the email address of the technical contact for the SSL certificate that is being requested.

    Subject Alternative Name

    This field allows multiple domains to be used in an SSL certificate. Select from email addresses, IP addresses, URIs, DNS names, and so on.

    Password for private key

    If supplied, this is used as an encryption password for the private key file.

    Key Type

    Select RSA or Elliptic Curve.

    Key Size

    When Key Type is RSA, select 1024, 1536, 2048, or 4096 for bit-size/strength. We recommend using at least 2048 if your CA can issue certificates of that size.

    Curve Name

    When Key Type is Elliptic Curve, select the elliptic curve type: secp256r1, secp384r1, or secp521r1.

    Enrollment Method

    Select one of the following methods that determines how the CSR will be signed.

    • File Based: this will generate a certificate in the certificate menu under Local Certificate, which differs from the existing ones because it has no Subject, Comments, Issuer, or Expires values in the table. It will also show a Pending status because it is only a CSR at the moment and cannot function as a certificate just yet. You can download the CSR to provide to a CA for signing. If you open the CSR file, it should look similar to this:
      -----BEGIN CERTIFICATE REQUEST-----
MIIC7jCCAdYCAQAwgZUxCzAJBgNVBAYT (… )HEKjDX+Hg==
-----END CERTIFICATE REQUEST-----
      Next. the CSR file is supplied to a CA for signing and the returned file from the CA should be in .CER format. This file is then uploaded to the FortiGate by going to System > Certificates > Import > Local Certificate and uploading the CER file.
    • Online SCEP: the Simple Certificate Enrollment Protocol (SCEP) allows devices to enroll for a certificate by using a URL and a password. The SCEP server works as a proxy to forward the FortiGate’s request to the CA and returns the result to the FortiGate (setting up an SCEP server is beyond the scope of this topic). Once the request is approved by the SCEP server, the FortiGate will have a signed certificate containing the details provided in the CSR.

    Import

    Although Import is often used in conjunction with a CSR, you may upload a certificate to the FortiGate that was generated on its own. This is typical of wildcard certificates (*.domain.tld) where the same certificate is used across multiple devices (FGT.domain.tld, FAZ.domain.tld, and so on), but may be used for individual certificates so long as the information provided to the signing CA matches that of the FortiGate.

    When selecting Import, there are four options: Local Certificate, CA Certificate, Remote Certificate, and CRL.

    Local certificate

    Local certificates are used by the FortiGate to identify itself, or a service it provides, such as HTTPS administrative access, SSL VPN user portal, or virtual server load balancing where the FortiGate masquerades as the destination server. When selecting Local Certificate, four certificate type options appear in the Import Certificate pane:

    Local Certificate

    There is no field to upload a key with this option.

    Use this option when you have created a CSR on the FortiGate, as the key is generated as part of the CSR process and remains on the FortiGate. You will need to upload a .CER file.

    PKCS #12 Certificate

    This option takes a specific certificate file type that contains the private key. The certificate will be encrypted and a password must be supplied with the certificate file.

    Certificate

    This option is intended for certificates that were generated without using the FortiGate’s CSR. Since the certificate private key is being uploaded, a password is required. This can be done two ways:

    • Certificate file and key file (typically .CER and .PEM)

    • Certificate and key bundle file (typically .PFX)

    Automated

    This option allows you to configure the Automated Certificate Management Environment (ACME), which allows you to request and use trusted certificates signed by Let’s Encrypt (see Automatically provision a certificate for configuration details).

    CA certificate

    FortiGates come with many CA certificates from well-known certificate authorities pre-installed, just as most modern operating systems like Windows and MacOS. Use this option to add private CA certificates to the FortiGate so that certificates signed by this private CA are trusted by the FortiGate.

    For example, a private CA can be used when two FortiGates are establishing a site-to-site VPN tunnel using a certificate not signed by a public or trustworthy CA, or for your LDAPS connection to your corporate AD server that also uses a certificate signed with a private CA in your domain. It is very common to upload a private CA when using PKI user authentication, since most PKI user certificates will be signed by an internal CA.

    When selecting CA Certificate, two type options appear in the Import CA Certificate pane:

    Online SCEP

    The FortiGate contacts an SCEP server to request the CA certificate.

    File

    The CA certificate is uploaded directly to the FortiGate.

    Remote certificate

    Remote certificates are public certificates and contain only the public key. They are used to identify a remote device. For example, when configuring your FortiGate for SAML authentication with the FortiGate as an identity provider (IdP), you can optionally specify the service provider (SP) certificate. However, when configuring your FortiGate as a SP, you must specify the certificate used by the IdP. Both these certificates can be uploaded to the FortiGate as a remote certificate, since the private key is not necessary for its implementation.

    CRL

    Since it is not possible to recall a certificate, the CRL (certificate revocation list) list details certificates signed by valid CAs that should no longer be trusted. Certificates may be revoked for many reasons, such as if the certificate was issued erroneously, or if the private key of a valid certificate has been compromised. When selecting CRL, two import methods are available:

    File Based

    CAs publish a file containing the list of certificates that should no longer be trusted.

    Online Updating

    This is the preferred way to keep the list of revoked certificates up to date. Three protocols are offered: HTTP, LDAP, and SCEP.
    Previous
    Next

    Uploading a certificate using the GUI

    Uploading a certificate using the GUI

    On the System > Certificates page, there are two options to add a certificate: Generate (use a certificate signing request) and Import.

    Generate certificate signing request

    Certificate signing requests (CSRs) are used to generate a certificate which is then signed by a CA to create a chain of trust. The CSR includes details of the FortiGate (see table below) and its public key. A CSR is not strictly necessary; some CAs allow you to provide the details of the FortiGate manually, but a CSR helps streamline the process. Selecting Generate takes you the Generate Certificate Signing Request page to enter the following information:

    Certificate Name

    Enter the certificate name; this is how it will appear in the Local Certificates list.

    Subject Information

    Specify an ID type: host IP address, domain name (FQDN), or email address.

    Optional Information

    Although listed as optional, we recommended entering the information for each field in this section.

    If you are generating a CSR for a third-party CA, you need to insure that these values reflect those listed for your company or organization at said certificate authority. If you are generating a certificate for a Microsoft CA, you need to check with the administrator regarding these values.

    Organization Unit

    Enter the name of the organizational unit under which the certificate will be issued.

    Organization

    Enter the overall name of the organization.

    Locality(City)

    Enter the city where the SSL certificate is located.

    State / Province

    Some issuers will reject a CSR that has an abbreviated state or province, so enter the full name of the state or province.

    Country / Region

    Enable the option and select the country from the dropdown.

    E-Mail

    Enter the email address of the technical contact for the SSL certificate that is being requested.

    Subject Alternative Name

    This field allows multiple domains to be used in an SSL certificate. Select from email addresses, IP addresses, URIs, DNS names, and so on.

    Password for private key

    If supplied, this is used as an encryption password for the private key file.

    Key Type

    Select RSA or Elliptic Curve.

    Key Size

    When Key Type is RSA, select 1024, 1536, 2048, or 4096 for bit-size/strength. We recommend using at least 2048 if your CA can issue certificates of that size.

    Curve Name

    When Key Type is Elliptic Curve, select the elliptic curve type: secp256r1, secp384r1, or secp521r1.

    Enrollment Method

    Select one of the following methods that determines how the CSR will be signed.

    • File Based: this will generate a certificate in the certificate menu under Local Certificate, which differs from the existing ones because it has no Subject, Comments, Issuer, or Expires values in the table. It will also show a Pending status because it is only a CSR at the moment and cannot function as a certificate just yet. You can download the CSR to provide to a CA for signing. If you open the CSR file, it should look similar to this:
      -----BEGIN CERTIFICATE REQUEST-----
MIIC7jCCAdYCAQAwgZUxCzAJBgNVBAYT (… )HEKjDX+Hg==
-----END CERTIFICATE REQUEST-----
      Next. the CSR file is supplied to a CA for signing and the returned file from the CA should be in .CER format. This file is then uploaded to the FortiGate by going to System > Certificates > Import > Local Certificate and uploading the CER file.
    • Online SCEP: the Simple Certificate Enrollment Protocol (SCEP) allows devices to enroll for a certificate by using a URL and a password. The SCEP server works as a proxy to forward the FortiGate’s request to the CA and returns the result to the FortiGate (setting up an SCEP server is beyond the scope of this topic). Once the request is approved by the SCEP server, the FortiGate will have a signed certificate containing the details provided in the CSR.

    Import

    Although Import is often used in conjunction with a CSR, you may upload a certificate to the FortiGate that was generated on its own. This is typical of wildcard certificates (*.domain.tld) where the same certificate is used across multiple devices (FGT.domain.tld, FAZ.domain.tld, and so on), but may be used for individual certificates so long as the information provided to the signing CA matches that of the FortiGate.

    When selecting Import, there are four options: Local Certificate, CA Certificate, Remote Certificate, and CRL.

    Local certificate

    Local certificates are used by the FortiGate to identify itself, or a service it provides, such as HTTPS administrative access, SSL VPN user portal, or virtual server load balancing where the FortiGate masquerades as the destination server. When selecting Local Certificate, four certificate type options appear in the Import Certificate pane:

    Local Certificate

    There is no field to upload a key with this option.

    Use this option when you have created a CSR on the FortiGate, as the key is generated as part of the CSR process and remains on the FortiGate. You will need to upload a .CER file.

    PKCS #12 Certificate

    This option takes a specific certificate file type that contains the private key. The certificate will be encrypted and a password must be supplied with the certificate file.

    Certificate

    This option is intended for certificates that were generated without using the FortiGate’s CSR. Since the certificate private key is being uploaded, a password is required. This can be done two ways:

    • Certificate file and key file (typically .CER and .PEM)

    • Certificate and key bundle file (typically .PFX)

    Automated

    This option allows you to configure the Automated Certificate Management Environment (ACME), which allows you to request and use trusted certificates signed by Let’s Encrypt (see Automatically provision a certificate for configuration details).

    CA certificate

    FortiGates come with many CA certificates from well-known certificate authorities pre-installed, just as most modern operating systems like Windows and MacOS. Use this option to add private CA certificates to the FortiGate so that certificates signed by this private CA are trusted by the FortiGate.

    For example, a private CA can be used when two FortiGates are establishing a site-to-site VPN tunnel using a certificate not signed by a public or trustworthy CA, or for your LDAPS connection to your corporate AD server that also uses a certificate signed with a private CA in your domain. It is very common to upload a private CA when using PKI user authentication, since most PKI user certificates will be signed by an internal CA.

    When selecting CA Certificate, two type options appear in the Import CA Certificate pane:

    Online SCEP

    The FortiGate contacts an SCEP server to request the CA certificate.

    File

    The CA certificate is uploaded directly to the FortiGate.

    Remote certificate

    Remote certificates are public certificates and contain only the public key. They are used to identify a remote device. For example, when configuring your FortiGate for SAML authentication with the FortiGate as an identity provider (IdP), you can optionally specify the service provider (SP) certificate. However, when configuring your FortiGate as a SP, you must specify the certificate used by the IdP. Both these certificates can be uploaded to the FortiGate as a remote certificate, since the private key is not necessary for its implementation.

    CRL

    Since it is not possible to recall a certificate, the CRL (certificate revocation list) list details certificates signed by valid CAs that should no longer be trusted. Certificates may be revoked for many reasons, such as if the certificate was issued erroneously, or if the private key of a valid certificate has been compromised. When selecting CRL, two import methods are available:

    File Based

    CAs publish a file containing the list of certificates that should no longer be trusted.

    Online Updating

    This is the preferred way to keep the list of revoked certificates up to date. Three protocols are offered: HTTP, LDAP, and SCEP.
    Previous
    Next