Fortinet black logo

Administration Guide

Generate a CSR

Certificate signing requests (CSRs) are used to generate a certificate which is then signed by a CA to create a chain of trust. The CSR includes details about the FortiGate and its public key. A CSR is not strictly necessary; some CAs allow you to provide the details of the FortiGate manually, but a CSR helps streamline the process.

To generate a CSR in the GUI:
  1. Go to System > Certificates and select Create/Import > Generate CSR.

  2. Enter the following information:

    Certificate Name

    Enter the certificate name; this is how it will appear in the Local Certificates list.

    Subject Information

    Specify an ID type: host IP address, domain name (FQDN), or email address.

    Optional Information

    Although listed as optional, we recommended entering the information for each field in this section.

    If you are generating a CSR for a third-party CA, you need to insure that these values reflect those listed for your company or organization at said certificate authority. If you are generating a certificate for a Microsoft CA, you need to check with the administrator regarding these values.

    Organization Unit

    Enter the name of the organizational unit under which the certificate will be issued.

    Organization

    Enter the overall name of the organization.

    Locality(City)

    Enter the city where the SSL certificate is located.

    State / Province

    Some issuers will reject a CSR that has an abbreviated state or province, so enter the full name of the state or province.

    Country / Region

    Enable the option and select the country from the dropdown.

    E-Mail

    Enter the email address of the technical contact for the SSL certificate that is being requested.

    Subject Alternative Name

    This field allows multiple domains to be used in an SSL certificate. Select from email addresses, IP addresses, URIs, DNS names, and so on.

    Password for private key

    If supplied, this is used as an encryption password for the private key file.

    Key Type

    Select RSA or Elliptic Curve.

    Key Size

    When Key Type is RSA, select 1024, 1536, 2048, or 4096 for bit-size/strength. We recommend using at least 2048 if your CA can issue certificates of that size.

    Curve Name

    When Key Type is Elliptic Curve, select the elliptic curve type: secp256r1, secp384r1, or secp521r1.

    Enrollment Method

    Select one of the following methods that determines how the CSR will be signed.

    • File Based: this will generate a certificate in the certificate menu under Local Certificate, which differs from the existing ones because it has no Subject, Comments, Issuer, or Expires values in the table. It will also show a Pending status because it is only a CSR at the moment and cannot function as a certificate just yet. You can download the CSR to provide to a CA for signing. If you open the CSR file, it should look similar to this:
      -----BEGIN CERTIFICATE REQUEST-----
      MIIC7jCCAdYCAQAwgZUxCzAJBgNVBAYT (… )HEKjDX+Hg==
      -----END CERTIFICATE REQUEST-----
      Next. the CSR file is supplied to a CA for signing and the returned file from the CA should be in .CER format. This file is then uploaded to the FortiGate by going to System > Certificates > Import > Local Certificate and uploading the CER file.
    • Online SCEP: the Simple Certificate Enrollment Protocol (SCEP) allows devices to enroll for a certificate by using a URL and a password. The SCEP server works as a proxy to forward the FortiGate’s request to the CA and returns the result to the FortiGate (setting up an SCEP server is beyond the scope of this topic). Once the request is approved by the SCEP server, the FortiGate will have a signed certificate containing the details provided in the CSR.
  3. Click OK.

    The CSR generated, and can be downloaded from the local certificate list.

To generate a CSR in the CLI:
# execute vpn certificate local generate cmp <certificate_name> <key_size> <server> <path> <server_certificate> <auth_certificate> <user> <password> <subject> [SANs] [source_IP]
# execute vpn certificate local generate ec <certificate_name> <curve_name> <subject> <country> <state/province> <city> <organization> <OU> <email> [SANs] [options]
# execute vpn certificate local generate rsa <certificate_name> <key_size> <subject> <country> <state/province> <city> <organization> <OU> <email> [SANs] [options]

cmp

Generate a certificate request over CMPv2.

ec

Generate an elliptic curve certificate request.

rsa

Generate a RSA certificate request.

Certificate signing requests (CSRs) are used to generate a certificate which is then signed by a CA to create a chain of trust. The CSR includes details about the FortiGate and its public key. A CSR is not strictly necessary; some CAs allow you to provide the details of the FortiGate manually, but a CSR helps streamline the process.

To generate a CSR in the GUI:
  1. Go to System > Certificates and select Create/Import > Generate CSR.

  2. Enter the following information:

    Certificate Name

    Enter the certificate name; this is how it will appear in the Local Certificates list.

    Subject Information

    Specify an ID type: host IP address, domain name (FQDN), or email address.

    Optional Information

    Although listed as optional, we recommended entering the information for each field in this section.

    If you are generating a CSR for a third-party CA, you need to insure that these values reflect those listed for your company or organization at said certificate authority. If you are generating a certificate for a Microsoft CA, you need to check with the administrator regarding these values.

    Organization Unit

    Enter the name of the organizational unit under which the certificate will be issued.

    Organization

    Enter the overall name of the organization.

    Locality(City)

    Enter the city where the SSL certificate is located.

    State / Province

    Some issuers will reject a CSR that has an abbreviated state or province, so enter the full name of the state or province.

    Country / Region

    Enable the option and select the country from the dropdown.

    E-Mail

    Enter the email address of the technical contact for the SSL certificate that is being requested.

    Subject Alternative Name

    This field allows multiple domains to be used in an SSL certificate. Select from email addresses, IP addresses, URIs, DNS names, and so on.

    Password for private key

    If supplied, this is used as an encryption password for the private key file.

    Key Type

    Select RSA or Elliptic Curve.

    Key Size

    When Key Type is RSA, select 1024, 1536, 2048, or 4096 for bit-size/strength. We recommend using at least 2048 if your CA can issue certificates of that size.

    Curve Name

    When Key Type is Elliptic Curve, select the elliptic curve type: secp256r1, secp384r1, or secp521r1.

    Enrollment Method

    Select one of the following methods that determines how the CSR will be signed.

    • File Based: this will generate a certificate in the certificate menu under Local Certificate, which differs from the existing ones because it has no Subject, Comments, Issuer, or Expires values in the table. It will also show a Pending status because it is only a CSR at the moment and cannot function as a certificate just yet. You can download the CSR to provide to a CA for signing. If you open the CSR file, it should look similar to this:
      -----BEGIN CERTIFICATE REQUEST-----
      MIIC7jCCAdYCAQAwgZUxCzAJBgNVBAYT (… )HEKjDX+Hg==
      -----END CERTIFICATE REQUEST-----
      Next. the CSR file is supplied to a CA for signing and the returned file from the CA should be in .CER format. This file is then uploaded to the FortiGate by going to System > Certificates > Import > Local Certificate and uploading the CER file.
    • Online SCEP: the Simple Certificate Enrollment Protocol (SCEP) allows devices to enroll for a certificate by using a URL and a password. The SCEP server works as a proxy to forward the FortiGate’s request to the CA and returns the result to the FortiGate (setting up an SCEP server is beyond the scope of this topic). Once the request is approved by the SCEP server, the FortiGate will have a signed certificate containing the details provided in the CSR.
  3. Click OK.

    The CSR generated, and can be downloaded from the local certificate list.

To generate a CSR in the CLI:
# execute vpn certificate local generate cmp <certificate_name> <key_size> <server> <path> <server_certificate> <auth_certificate> <user> <password> <subject> [SANs] [source_IP]
# execute vpn certificate local generate ec <certificate_name> <curve_name> <subject> <country> <state/province> <city> <organization> <OU> <email> [SANs] [options]
# execute vpn certificate local generate rsa <certificate_name> <key_size> <subject> <country> <state/province> <city> <organization> <OU> <email> [SANs] [options]

cmp

Generate a certificate request over CMPv2.

ec

Generate an elliptic curve certificate request.

rsa

Generate a RSA certificate request.