Fortinet black logo

Administration Guide

Creating certificates with XCA

Creating certificates with XCA

This topic explains how to generate various certificates to be used in conjunction with a FortiGate, including:

  • CA certificate
    • Signing server and client certificates
    • Issuing subordinate CAs for deep inspection
  • Server certificate
    • SSL/TLS web administration authentication
    • VPN authentication
    • Internal SSL server protection
  • Client certificate
    • End user authentication for SSL or IPsec VPN

XCA is an x509 certificate generation tool that handles RSA, DSA, and EC keys, as well as certificate signing requests (PKCS #10) and CRLs.

Note

There are several options for generating and managing certificates. This topic covers basic certificate generation for XCA. It is not a comprehensive guide to its application and does not explore all options available when generating a certificate.

Creating the XCA database

Before creating any certificates, you must create an XCA database to group the certificates in. You should use a different database for each PKI you create.

To create the database:
  1. Go to File > New Database.
  2. Select a directory to store the created certificates and keys.
  3. Enter a name. The provided password encrypts the private keys and is used to access the XCA database in the future.

The remaining procedures in this topic assume you are using this XCA database.

Creating a CA certificate

A CA certificate marks the root of a certificate chain. If this CA certificate is trusted by an end entity, any certificates signed by the CA certificate are also trusted.

To create a CA certificate:
  1. Click the Certificates tab, then click New Certificate.
  2. Edit the Source tab:
    1. Set Template for the new certificate to [default] CA.
    2. Click Apply extensions.

  3. Edit the Subject tab:
    1. Enter an Internal Name to reference this certificate within XCA.
    2. Enter a commonName.
    3. Optionally, click Add to add other distinguished name fields.
    4. Since this XCA database does not contain any keys yet, click Generate a new key. The Private key field is now populated.

  4. Optionally, edit the Extensions tab:
    1. Adjust the Time range if needed.
    2. Click Apply.
  5. Click OK.

Issuing a subordinate CA certificate for deep inspection

Subordinate CA certificates are similar to CA certificates because they are used to sign other certificates to establish trust of the signed certificate's content. This trust of the signed certificate is only valid if the subordinate CA is also trusted by the client.

When performing deep inspection on a FortiGate, the FortiGate proxies the connection between the endpoint and the server. This is done transparently so that the end user believes they are communicating with the server, and the server with the client. To do this, when the webpage is requested by a client, the FortiGate must present a certificate that matches the requested website and is trusted by the client.

The certificate presented by the FortiGate is generated on-demand to match the requested website and is signed by this subordinate CA to establish trust with the requesting endpoint. The subordinate CA must be installed on the ForitGate (with the private key) and on the client device (without the private key).

A subordinate CA is used in place of a CA so that it may be revoked as necessary. This is critical since the subordinate CA’s private key is exported and becomes susceptible of being compromised. If the CA private key becomes compromised, you would be forced to re-create your entire PKI with a new root CA because root CAs cannot be revoked. See Microsoft CA deep packet inspection for more information about using subordinate CA certificates.

To issue a subordinate CA certificate for deep inspection:
  1. Click the Certificates tab, then click New Certificate.
  2. Edit the Source tab:
    1. Set Use this Certificate for signing to the CA created previously.
    2. Set Template for the new certificate to [default] CA.
    3. Click Apply extensions.
  3. Edit the Subject tab:
    1. Enter an Internal Name to reference this certificate within XCA.
    2. Enter a commonName.
    3. Optionally, click Add to add other distinguished name fields.
    4. Click Generate a new key to create a new private key for the subordinate CA.

  4. Optionally, edit the Extensions tab:
    1. Adjust the Time range if needed.
    2. Click Apply.
  5. Click OK.

Creating a server host certificate

When a CA signs a host certificate, that CA is vouching for the credentials in the certificate. These credentials are what identifies the host.

Some endpoints can generate a certificate signing request (CSR). A CSR is a certificate outline that specifies the details of the endpoint, including its public key. This allows the CA to review the details and sign the request if they are true. This request is then returned or uploaded to the generating endpoint to be used.

Since some endpoints cannot generate their own CSR, you can create the certificate manually in XCA. If you already have a CSR, use the Certificate signing requests tab to import and then sign it.

To create a server host certificate:
  1. Click the Certificates tab, then click New Certificate.
  2. Edit the Source tab:
    1. Set Template for the new certificate to [default] TLS_server.
    2. Click Apply extensions.
    3. In the Signing section, select Use this Certificate for signing and select the subordinate CA certificate.
  3. Edit the Subject tab:
    1. Enter an Internal Name to reference this certificate within XCA.
    2. Enter the distinguished name fields as needed.
    3. Click Generate a new key.

  4. Edit the Extensions tab:
    1. For X509v3 Subject Alternative Name, enter email:user@domain.tld.
  5. Click OK.
  6. Click the Certificates tab to view the certificate.

This certificate may be used to identify an SSL or TLS server by uploading the certificate and key pair to the server, such as when the FortiGate presents the administrative webpage or for SSL VPN authentication (see Configure your FortiGate to use the signed certificate). Another use case for a server host certificate is to enable SSL server protection so the FortiGate simulates the real server and brokers the connection (see Protecting an SSL server).

Creating a client host certificate

A client host certificate is used to identify an end entity in a more secure way than a username and password. Once the client host certificate is generated, see SSL VPN with certificate authentication for more information about using the certificate.

To create a client host certificate:
  1. Click the Certificates tab, then click New Certificate.
  2. Edit the Source tab:
    1. In the Signing section, select Use this Certificate for signing and select the CA or subordinate CA.
    2. Set Template for the new certificate to [default] TLS_client.
    3. Click Apply extensions.
  3. Edit the Subject tab:
    1. Enter an Internal Name to reference this certificate within XCA.
    2. Enter the distinguished name fields as needed.
    3. Click Generate a new key.

  4. Click OK.
  5. Click the Certificates tab. The FortiGate and client certificates are listed under the signing CA certificate and are ready to be exported.

  6. Select a certificate and click Export.
  7. Enter the file name and select an export format.
  8. Click OK.

Certificate formats

Certificate file formats indicate what is contained in the file, how it is formatted, and how it is encoded. See Uploading a certificate using the GUI for more information about which formats the FortiGate expects for a given certificate type.

Creating certificates with XCA

This topic explains how to generate various certificates to be used in conjunction with a FortiGate, including:

  • CA certificate
    • Signing server and client certificates
    • Issuing subordinate CAs for deep inspection
  • Server certificate
    • SSL/TLS web administration authentication
    • VPN authentication
    • Internal SSL server protection
  • Client certificate
    • End user authentication for SSL or IPsec VPN

XCA is an x509 certificate generation tool that handles RSA, DSA, and EC keys, as well as certificate signing requests (PKCS #10) and CRLs.

Note

There are several options for generating and managing certificates. This topic covers basic certificate generation for XCA. It is not a comprehensive guide to its application and does not explore all options available when generating a certificate.

Creating the XCA database

Before creating any certificates, you must create an XCA database to group the certificates in. You should use a different database for each PKI you create.

To create the database:
  1. Go to File > New Database.
  2. Select a directory to store the created certificates and keys.
  3. Enter a name. The provided password encrypts the private keys and is used to access the XCA database in the future.

The remaining procedures in this topic assume you are using this XCA database.

Creating a CA certificate

A CA certificate marks the root of a certificate chain. If this CA certificate is trusted by an end entity, any certificates signed by the CA certificate are also trusted.

To create a CA certificate:
  1. Click the Certificates tab, then click New Certificate.
  2. Edit the Source tab:
    1. Set Template for the new certificate to [default] CA.
    2. Click Apply extensions.

  3. Edit the Subject tab:
    1. Enter an Internal Name to reference this certificate within XCA.
    2. Enter a commonName.
    3. Optionally, click Add to add other distinguished name fields.
    4. Since this XCA database does not contain any keys yet, click Generate a new key. The Private key field is now populated.

  4. Optionally, edit the Extensions tab:
    1. Adjust the Time range if needed.
    2. Click Apply.
  5. Click OK.

Issuing a subordinate CA certificate for deep inspection

Subordinate CA certificates are similar to CA certificates because they are used to sign other certificates to establish trust of the signed certificate's content. This trust of the signed certificate is only valid if the subordinate CA is also trusted by the client.

When performing deep inspection on a FortiGate, the FortiGate proxies the connection between the endpoint and the server. This is done transparently so that the end user believes they are communicating with the server, and the server with the client. To do this, when the webpage is requested by a client, the FortiGate must present a certificate that matches the requested website and is trusted by the client.

The certificate presented by the FortiGate is generated on-demand to match the requested website and is signed by this subordinate CA to establish trust with the requesting endpoint. The subordinate CA must be installed on the ForitGate (with the private key) and on the client device (without the private key).

A subordinate CA is used in place of a CA so that it may be revoked as necessary. This is critical since the subordinate CA’s private key is exported and becomes susceptible of being compromised. If the CA private key becomes compromised, you would be forced to re-create your entire PKI with a new root CA because root CAs cannot be revoked. See Microsoft CA deep packet inspection for more information about using subordinate CA certificates.

To issue a subordinate CA certificate for deep inspection:
  1. Click the Certificates tab, then click New Certificate.
  2. Edit the Source tab:
    1. Set Use this Certificate for signing to the CA created previously.
    2. Set Template for the new certificate to [default] CA.
    3. Click Apply extensions.
  3. Edit the Subject tab:
    1. Enter an Internal Name to reference this certificate within XCA.
    2. Enter a commonName.
    3. Optionally, click Add to add other distinguished name fields.
    4. Click Generate a new key to create a new private key for the subordinate CA.

  4. Optionally, edit the Extensions tab:
    1. Adjust the Time range if needed.
    2. Click Apply.
  5. Click OK.

Creating a server host certificate

When a CA signs a host certificate, that CA is vouching for the credentials in the certificate. These credentials are what identifies the host.

Some endpoints can generate a certificate signing request (CSR). A CSR is a certificate outline that specifies the details of the endpoint, including its public key. This allows the CA to review the details and sign the request if they are true. This request is then returned or uploaded to the generating endpoint to be used.

Since some endpoints cannot generate their own CSR, you can create the certificate manually in XCA. If you already have a CSR, use the Certificate signing requests tab to import and then sign it.

To create a server host certificate:
  1. Click the Certificates tab, then click New Certificate.
  2. Edit the Source tab:
    1. Set Template for the new certificate to [default] TLS_server.
    2. Click Apply extensions.
    3. In the Signing section, select Use this Certificate for signing and select the subordinate CA certificate.
  3. Edit the Subject tab:
    1. Enter an Internal Name to reference this certificate within XCA.
    2. Enter the distinguished name fields as needed.
    3. Click Generate a new key.

  4. Edit the Extensions tab:
    1. For X509v3 Subject Alternative Name, enter email:user@domain.tld.
  5. Click OK.
  6. Click the Certificates tab to view the certificate.

This certificate may be used to identify an SSL or TLS server by uploading the certificate and key pair to the server, such as when the FortiGate presents the administrative webpage or for SSL VPN authentication (see Configure your FortiGate to use the signed certificate). Another use case for a server host certificate is to enable SSL server protection so the FortiGate simulates the real server and brokers the connection (see Protecting an SSL server).

Creating a client host certificate

A client host certificate is used to identify an end entity in a more secure way than a username and password. Once the client host certificate is generated, see SSL VPN with certificate authentication for more information about using the certificate.

To create a client host certificate:
  1. Click the Certificates tab, then click New Certificate.
  2. Edit the Source tab:
    1. In the Signing section, select Use this Certificate for signing and select the CA or subordinate CA.
    2. Set Template for the new certificate to [default] TLS_client.
    3. Click Apply extensions.
  3. Edit the Subject tab:
    1. Enter an Internal Name to reference this certificate within XCA.
    2. Enter the distinguished name fields as needed.
    3. Click Generate a new key.

  4. Click OK.
  5. Click the Certificates tab. The FortiGate and client certificates are listed under the signing CA certificate and are ready to be exported.

  6. Select a certificate and click Export.
  7. Enter the file name and select an export format.
  8. Click OK.

Certificate formats

Certificate file formats indicate what is contained in the file, how it is formatted, and how it is encoded. See Uploading a certificate using the GUI for more information about which formats the FortiGate expects for a given certificate type.