Server certificates
This view allows the administrator to install SSL server certificates in order to encrypt connections with FortiNAC. Different features in FortiNAC require certificates. The Certificate Target is used to specify the feature to which the certificate will be applied. See Certificate Target in the Settings table below for more details.
Settings
Field | Definition
---|---
Add Filter | Allows you to select a field from the current view to filter information. Select the field from the drop-down list, and then enter the information you wish to filter. See Filters.
Update | Displays the filtered data in the table.
Certificate Target | The component where the certificate is applied.
Alias | Indicates how the certificate is stored in the underlying Keystore.
Issued To | The server that received the certificate. Displays information entered when generating the CSR.
Issued By | The CA that issued the certificate.
Expiration | The date when the certificate expires and a new certificate is required. Users can map events to alarms when the certificate will expire or has expired. See Map events to alarms.
Export | Exports the data displayed to a file in the default downloads location. File types include CSV, Excel, PDF, or RTF. See Export data.
Buttons |
Generate CSR | Opens the Generate CSR window to enter the CSR details.
Upload Certificate | Opens the Upload Certificate window to find and select the key and certificate. High Availability Note: The UI does not have the option to install certificates on both the primary and secondary servers at the same time. Certificates uploaded using this view apply to the server currently in control.
Details | Opens the details and private key information for the selected target.
Obtaining a certificate from a CA
If you do not already have a certificate, you must obtain a certificate from a Certificate Authority (CA). FortiNAC does not have the ability to issue certificates.
To obtain a valid third party SSL certificate from a CA, you must generate a CSR and send it to the CA.
- Go to System > Certificate Management.
- Click Generate CSR.
- Select the certificate target to which the certificate will be applied.
- Enter the Common Name. This is the hostname to be secured by the certificate. If generating a wildcard CSR, enter the desired domain specifying the wildcard in the Common Name field (Example: *.example.com).
- Enter the Subject Alternative Names (leave blank if not requesting a SAN certificate). Click Add to enter each additional hostname and/or IP address.
- Enter the remaining information for the certificate in the dialog box:
  - Organization: The name of the server's organization.
  - Organizational Unit: The name of the server's unit (department).
  - Locality (City): The city where the server is located.
  - State/Province: The state/province where the server is located.
  - 2 Letter Country Code: The country code where the server is located.
- Click OK to generate the CSR.
- Copy the certificate request section, including the BEGIN and END lines:
  -----BEGIN CERTIFICATE REQUEST-----
  ...Certificate Request Data...
  -----END CERTIFICATE REQUEST-----
- Paste it into a text file, and save the file with a .txt extension. Note the location of this file on your PC. Make sure no spaces, characters, or carriage returns are added to the request.
- Send the certificate request file to the CA to request a valid SSL certificate.
Important Notes:
- Do not click OK in the Generate CSR screen after saving the certificate request file and sending it to the CA. Each time OK is clicked on the Generate CSR screen, a new CSR and private key are created, overwriting any previous private key. Consequently, if a request file has been submitted to the CA and OK has been clicked since the original CSR was generated, the returned certificate will not match the current private key, and a new request will have to be issued and sent to the CA.
- Not all Certificate Authorities ask for the same information when requesting a certificate. For example, some CAs ask for a server type (Apache, etc.) while others do not. FortiNAC requires a non-encrypted certificate in one of the following formats:
  - PEM
  - DER
  - PKCS#7
  - P7B
  This allows the certificate to be applied to any of the desired components.
If the certificate is in PEM format, opening it in a text editor shows one or more blocks like the following. A chain or bundle file contains several blocks, one per certificate, each delimited by exactly five dashes on both sides of the BEGIN and END markers:
-----BEGIN CERTIFICATE-----
fjkghwjernlsfuigylerkjlkfjnu23jnlkjbliu5ghl6kh4
fjkjlkfjnu23jnlkjbliu5ghl6khkghwjernlsfuigyler4
ghwjernlsfuigylerkjlkfjnu23jnlkjbliu5fjkghl6kh4
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
fjkghwjernlsfuigylerkjlkfjnu23jnlkjbliu5ghl6kh4
fjkjlkfjnu23jnlkjbliu5ghl6khkghwjernlsfuigyler4
ghwjernlsfuigylerkjlkfjnu23jnlkjbliu5fjkghl6kh4
-----END CERTIFICATE-----
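An upload fails or the target produces warnings when the file from the CA is encrypted, has mistyped marker lines, or is not in one of the accepted formats, so a quick pre-check before uploading is worthwhile. The following is an added example, not FortiNAC code: it tells DER from PEM, flags encrypted keys, malformed markers, stray spaces and bad base64, and counts the certificate blocks in a chain. The sample inputs are constructed stand-ins, not real certificates.

```python
import base64
import binascii
import re

ALLOWED = {"CERTIFICATE", "CERTIFICATE REQUEST", "PRIVATE KEY", "RSA PRIVATE KEY",
           "ENCRYPTED PRIVATE KEY", "PKCS7"}
MARKER = re.compile(r"^(-+)(BEGIN|END) ([A-Z0-9 ]+?)(-+)$", re.M)  # any marker-like line
BLOCK = re.compile(r"^-----BEGIN ([A-Z ]+)-----\n(.*?)\n-----END \1-----$", re.S | re.M)


def check_certificate_file(data: bytes):
    """Return (fmt, cert_count, findings); an empty findings list means the file looks usable."""
    findings = []
    if data[:1] == b"\x30":                      # DER always starts with an ASN.1 SEQUENCE tag
        return "DER", 1, findings
    try:
        text = data.decode("ascii").replace("\r\n", "\n")
    except UnicodeDecodeError:
        return "unknown", 0, ["file is neither DER nor ASCII PEM"]
    if "ENCRYPTED" in text:                      # "BEGIN ENCRYPTED PRIVATE KEY" or Proc-Type header
        findings.append("encrypted private key present; FortiNAC needs a non-encrypted file")
    for begin, _, label, end in MARKER.findall(text):
        if len(begin) != 5 or len(end) != 5 or label not in ALLOWED:
            findings.append(f"malformed marker for label {label!r}")   # typo or wrong dash count
    certs = 0
    for label, body in BLOCK.findall(text):
        if re.search(r"[ \t]", body):
            findings.append(f"stray spaces inside {label} block")
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error:
            findings.append(f"{label} block is not valid base64")
            continue
        if label == "CERTIFICATE":
            certs += 1
            if der[:1] != b"\x30":
                findings.append("CERTIFICATE block does not decode to DER")
    if not BLOCK.search(text):
        return "unknown", 0, findings + ["no well-formed PEM blocks found"]
    return "PEM", certs, findings


# Constructed stand-in for a certificate block: the body is the base64 of a tiny
# DER SEQUENCE, not a real certificate. Two of them make a "chain" file.
CERT_BLOCK = b"-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
GOOD_CHAIN = CERT_BLOCK * 2
# The same chain with mistyped labels and a four-dash marker (constructed).
BAD_CHAIN = (b"-----BEGIN CERTIFICATE1-----\nMAMCAQE=\n-----END CERTIFICTATE1-----\n"
             b"-----BEGIN CERTIFICATE2----\nMAMCAQE=\n-----END CERTIFCATE2-----\n")
```

Call check_certificate_file() on the bytes read from the file the CA returned; a non-empty findings list should be resolved with the CA before uploading.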
Certificate requests generated on FortiNAC are signed with SHA1 with RSA. However, a certificate with a SHA2 signature can still be requested using this CSR.
Upload the certificate
Upload the valid SSL certificate to the appliance when the certificate file is returned from the CA. Certificate files can be returned to you in one of several configurations. Depending upon the CA, one or multiple certificate files may be returned.
- Save the file(s) received from the CA to your PC.
- Select System > Certificate Management.
- Click Upload Certificate.
- Select the certificate target to which the certificate will be applied.
- Do one of the following:
  - Select Use Private Key from Last Generated CSR to use the key from the most recent CSR for the selected target.
  - Select Reuse Private Key from Existing Certificate to use the private key for the certificate currently in use. This option is for renewing an existing installed certificate.
  - Select Upload Private Key to upload a key stored outside FortiNAC. Click Choose to find and upload the private key.
- Click Choose File to find and select the certificate to be uploaded. Users can also upload CA certificates and CA bundles.
  Upload any relevant intermediate certificate files needed for the creation of a complete certificate chain of authority. The CA should be able to provide these files. Without a complete certificate chain of authority, the target functionality may produce error/warning messages.
- Click Add Certificate if multiple certificates were returned. Use this to enter each additional certificate file.
- Click OK.
Copying a certificate to another target
If the certificate is intended to be used for multiple targets, copy the certificate to the new target:
- Highlight the target with the desired certificate installed.
- Click Copy Certificate.
- Select the new target from the drop-down menu.
- Click OK.
Activating Portal certificates (vF7.2.5 and lower)
Certificates for the Portal (vF7.2.6 and above), Admin UI, and Persistent Agent are activated automatically upon installation. No further action is required.
To begin using the certificate when connecting to the Portal, do the following:
- Navigate to Portal > Portal SSL.
- In the SSL Mode field, select Valid SSL Certificate.
- Click Save Settings (this may take several minutes).
View the details and private key information for a certificate
Users can view the certificate details and private key information for the selected target.
- Click System > Certificate Management.
- Click Details.