Certificates
You can configure and manage certificates from the FortiGuest GUI to secure communication with devices that make SSL connections.
Server Certificate
You can create server certificates and manage them easily via the GUI.
- Navigate to System > Certificates and click the Server Certificate tab.
- Click Create CSR to create a Certificate Signing Request (CSR) and provide details for the certificate.
  - Common Name (FQDN or IP Address) - This is either the IP address of FortiGuest or the fully qualified domain name (FQDN) for FortiGuest. The FQDN must resolve correctly in DNS.
  - Organization - The name of your organization or company.
  - Organizational Unit (Section) - The name of the department or business unit that owns the device.
  - Locality (e.g. City) - The city where the server is located.
  - State or Province - The state where the server is located.
  - Country - Select the relevant country.
- Regenerate Private Key is optional. If you regenerate your private key, the current certificate is invalidated and a new temporary self-signed certificate is generated using the new private key and CSR. Services are then restarted so that the new certificate and private key can be used.
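A certificate is only usable with the private key whose CSR it was issued from, which is why regenerating the key invalidates the current certificate. The shell script below is an added example, not FortiGuest code: it uses the OpenSSL CLI on constructed sample files to check whether a certificate, a CSR and a key carry the same public key. File names and subject values are assumptions.

```shell
#!/bin/sh
# Added example. The files are constructed stand-ins for a CSR exported from
# the appliance and the certificate returned by your CA.

# Print the public key (PEM) carried by a private key, CSR or certificate.
pubkey_of() {
    case "$1" in
        key)  openssl pkey -in "$2" -pubout ;;
        csr)  openssl req  -in "$2" -noout -pubkey ;;
        cert) openssl x509 -in "$2" -noout -pubkey ;;
        *)    return 2 ;;
    esac 2>/dev/null
}

# same_key KIND1 FILE1 KIND2 FILE2: succeed only if both hold the same public key.
same_key() {
    a=$(pubkey_of "$1" "$2") || return 2
    b=$(pubkey_of "$3" "$4") || return 2
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Build constructed sample files in a temp dir (path left in $WORK).
# Self-signing stands in for the CA signature; only the embedded key matters.
# new.key models the key present after "Regenerate Private Key".
make_fixture() {
    WORK=$(mktemp -d) || return 1
    subj="/C=US/ST=California/L=Sunnyvale/O=Example Corp/OU=IT/CN=guest.example.com"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/old.key" 2>/dev/null &&
    openssl req -new -key "$WORK/old.key" -subj "$subj" -out "$WORK/req.csr" 2>/dev/null &&
    openssl x509 -req -in "$WORK/req.csr" -signkey "$WORK/old.key" -days 1 -out "$WORK/issued.crt" 2>/dev/null &&
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/new.key" 2>/dev/null
}

if make_fixture; then
    same_key cert "$WORK/issued.crt" csr "$WORK/req.csr" &&
        echo "issued certificate matches the CSR"
    same_key cert "$WORK/issued.crt" key "$WORK/new.key" ||
        echo "issued certificate does NOT match the regenerated key"
    rm -rf "$WORK"
fi
```

Running the same comparison on a CA-issued certificate before installing it shows whether the key was regenerated after the CSR was submitted.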
Trusted CA Certificates
FortiGuest allows you to upload trusted CA certificates so that it can trust the devices to which it makes SSL connections. Use Upload trusted CA certificate to locate the file and upload it. You can also click the Download all certificates link to download all certificates.
Certificate Revocation Lists
A certificate is irreversibly revoked if, for example, a private key is thought to have been compromised. Certificates may also be revoked for failure of the identified entity to adhere to policy requirements specified by the CA operator or its customer. The most common reason for revocation is the user no longer being in sole possession of the private key. FortiGuest automatically uploads certificates to a revocation list and updates the certificate at a set time interval. CRLs can be manually added to this list by entering the URL of the stored CRL in the New CRL option. In the Update Every field, enter how often you want this CRL to be updated.