
Administration Guide

7.2.0

Server certificates

This view allows the administrator to install SSL server certificates in order to encrypt connections with FortiNAC. Different features in FortiNAC require certificates. The Certificate Target is used to specify the feature to which the certificate will be applied. See Certificate Target in the Settings table below for more details.

Settings

Add Filter: Allows you to select a field from the current view to filter information. Select the field from the drop-down list, and then enter the information you wish to filter. See Filters.

Update: Displays the filtered data in the table.

Certificate Target: The component where the certificate is applied. Available targets:
  • Admin UI: Used to secure connections with the Administration UI.
  • Local RADIUS Server (RadSec): Used to secure connections between FortiNAC and RadSec clients sending authentication requests. See Configure Local RADIUS Server Settings.
  • Local RADIUS Server (EAP)[radius]: Used to secure the connection for the DefaultConfig Virtual Server in Local RADIUS mode. See Virtual Servers.
  • Portal: Used to secure connections involving the Dissolvable Agent or captive portal. See Portal SSL for details.
  • Persistent Agent: Used to secure connections between FortiNAC and Persistent Agents.
  • New Local RADIUS Server Target (EAP): Used to secure the connection for a RADIUS server when multiple Local RADIUS server configurations are required. See Virtual Servers.
  • Remote API [remote_api] (vF7.2.6 and greater): Used for installing certificates (such as for Microsoft InTune MDM). This is the default API target with a pre-defined alias of "remote_api". The alias cannot be changed.
  • New Remote API Target (vF7.2.6 and greater): Used for installing certificates for a custom alias (such as Microsoft InTune MDM). Example: Remote API[msintune]

Alias: Indicates how the certificate is stored in the underlying Keystore.

Issued To: The server that received the certificate. Displays information entered when generating the CSR.

Issued By: The CA that issued the certificate.

Expiration: The date when the certificate expires and a new certificate is required. Users can map events to alarms when the certificate will expire or has expired. See Map events to alarms.

Export: Exports the data displayed to a file in the default downloads location. File types include CSV, Excel, PDF, or RTF. See Export data.

Buttons

Generate CSR: Opens the Generate CSR window to enter the CSR details.

Upload Certificate: Opens the Upload Certificate window to find and select the key and certificate.

High Availability Note: The UI does not have the option to install certificates on both the primary and secondary servers at the same time. Certificates uploaded using this view apply to the server currently in control.

Details: Opens the details and private key information for the selected target.

Obtaining a certificate from a CA

If you do not already have a certificate, you must obtain a certificate from a Certificate Authority (CA). FortiNAC does not have the ability to issue certificates.

To obtain a valid third-party SSL certificate from a CA, you must generate a CSR and send it to the CA.

  1. Go to System > Certificate Management.
  2. Click Generate CSR.
  3. Select the certificate target to which the certificate will be applied.
  4. Enter the Common Name. This is the hostname to be secured by the certificate. If generating a wildcard CSR, enter the desired domain with the wildcard in the Common Name field (Example: *.example.com).
  5. Enter the Subject Alternative Names (leave blank if not requesting a SAN certificate). Click Add to enter each additional hostname and/or IP address.
  6. Enter the remaining information for the certificate in the dialog box:
    • Organization: The name of the server's organization.
    • Organizational Unit: The name of the server's unit (department).
    • Locality (City): The city where the server is located.
    • State/Province: The state/province where the server is located.
    • 2 Letter Country Code: The country code where the server is located.
  7. Click OK to generate the CSR.
  8. Copy the certificate request section, including the BEGIN and END lines:

    -----BEGIN CERTIFICATE REQUEST-----
    ...Certificate Request Data...
    -----END CERTIFICATE REQUEST-----

  9. Paste it into a text file, and save the file with a .txt extension. Note the location of this file on your PC. Make sure no spaces, characters, or carriage returns have been added to the certificate request.
  10. Send the certificate request file to the CA to request a valid SSL certificate.

Important Notes:
  • Do not click OK in the Generate CSR screen after saving the certificate request file and sending it to the CA. Each time OK is clicked on the Generate CSR screen, a new CSR and private key are created, overwriting the previous private key. Consequently, if a request has been submitted to the CA and OK has been clicked since that request was generated, the returned certificate will not match the current private key, and a new request will have to be generated and sent to the CA.
  • Not all Certificate Authorities ask for the same information when requesting a certificate. For example, some CAs ask for a server type (Apache, etc.) while others do not. FortiNAC requires a non-encrypted certificate in one of the following formats:

    • PEM
    • DER
    • PKCS#7
    • P7B

    This allows the certificate to be applied to any of the desired components.

    If the certificate is in PEM format, opening it in a text editor should show one block per certificate, in a layout like the following (the digits here only distinguish the first certificate from the second; the markers in a real file read BEGIN CERTIFICATE and END CERTIFICATE):

    -----BEGIN CERTIFICATE1-----
    fjkghwjernlsfuigylerkjlkfjnu23jnlkjbliu5ghl6kh4
    fjkjlkfjnu23jnlkjbliu5ghl6khkghwjernlsfuigyler4
    ghwjernlsfuigylerkjlkfjnu23jnlkjbliu5fjkghl6kh4
    -----END CERTIFICATE1-----
    -----BEGIN CERTIFICATE2-----
    fjkghwjernlsfuigylerkjlkfjnu23jnlkjbliu5ghl6kh4
    fjkjlkfjnu23jnlkjbliu5ghl6khkghwjernlsfuigyler4
    ghwjernlsfuigylerkjlkfjnu23jnlkjbliu5fjkghl6kh4
    -----END CERTIFICATE2-----

    Certificate requests generated on FortiNAC are signed with SHA1 with RSA. This does not restrict the CA: a certificate signed with SHA2 can still be requested using this CSR.

Upload the certificate

Upload the valid SSL certificate to the appliance when the certificate file is returned from the CA. Certificate files can be returned to you in one of several configurations. Depending upon the CA, one or multiple certificate files may be returned.

  1. Save the file(s) received from the CA to your PC.
  2. Select System > Certificate Management.
  3. Click Upload Certificate.
  4. Select the certificate target to which the certificate will be applied.

  5. Do one of the following:
    • Select Use Private Key from Last Generated CSR to use the key from the most recent CSR for the selected target.
    • Select Reuse Private Key from Existing Certificate to use the private key for the certificate currently in use. This option is for renewing an existing installed certificate.
    • Select Upload Private Key to upload a key stored outside FortiNAC. Click Choose to find and upload the private key.
  6. Click Choose File to find and select the certificate to be uploaded. Users can also upload CA certificates and CA bundles.

    Upload any relevant intermediate certificate files needed for the creation of a complete certificate chain of authority. The CA should be able to provide these files. Without a complete certificate chain of authority, the target functionality may produce error/warning messages.

  7. Click Add Certificate if multiple certificates were returned. Use this to enter each additional certificate file.
  8. Click OK.
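The checks a practitioner would run on the CA's reply before uploading it, covering the private-key pitfall in the Important Notes above and the complete chain of authority required in step 6 of the upload procedure. This is an added example, not FortiNAC code or part of this guide; it assumes only the openssl command line, and the file names request.txt and fullchain.pem are placeholders for the saved CSR and the CA's returned bundle (leaf certificate first).

```sh
#!/bin/sh
# Added example (not FortiNAC code): sanity checks on what the CA returned, run on the PC
# that holds the saved CSR, before using Upload Certificate. Needs only the openssl CLI.
# Placeholder inputs: request.txt (the CSR saved in step 9) and fullchain.pem (the CA's
# reply, leaf certificate first, followed by any intermediates).

# The returned certificate must carry the public key of the CSR that FortiNAC still holds.
# If OK was clicked again after the CSR was sent, the appliance now has a different key and
# the upload will not match; comparing public keys catches this before the upload.
cert_matches_csr() {          # $1 = CSR file, $2 = PEM file whose first certificate is the leaf
    csr_pub=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$crt_pub" ]
}

# Number of certificates in a PEM bundle (one BEGIN CERTIFICATE marker per certificate).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Write each certificate of bundle $1 to $2/cert-N.pem, keeping the file order.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
        f                             { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }' "$1"
}

# A complete chain of authority: every certificate is issued by the one that follows it.
# A bundle holding only the leaf passes trivially, so look at count_certs as well.
chain_is_linked() {           # $1 = PEM bundle, leaf first
    dir=$(mktemp -d) || return 1
    split_bundle "$1" "$dir"
    n=$(count_certs "$1"); i=1; rc=0
    while [ "$i" -lt "$n" ]; do
        iss=$(openssl x509 -in "$dir/cert-$i.pem" -noout -issuer)
        sub=$(openssl x509 -in "$dir/cert-$((i + 1)).pem" -noout -subject)
        [ "${iss#issuer=}" = "${sub#subject=}" ] || rc=1
        i=$((i + 1))
    done
    rm -rf "$dir"
    return $rc
}

# True when the leaf certificate expires within $2 days (what the expiry alarm should flag).
expires_within_days() {       # $1 = PEM file, $2 = days
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Signature algorithm the CA applied, e.g. sha256WithRSAEncryption (SHA2 is fine even
# though the FortiNAC CSR itself was signed with SHA1).
signature_algorithm() {
    openssl x509 -in "$1" -noout -text | awk '/Signature Algorithm/ { print $3; exit }'
}
```

Run the functions against the saved request and the CA's bundle; a mismatch from cert_matches_csr means a fresh CSR has to be generated and sent, exactly the case the note above warns about.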

Copying a certificate to another target

If the certificate is intended to be used for multiple targets, copy the certificate to the new target:

  1. Highlight the target with the desired certificate installed.
  2. Click Copy Certificate.
  3. Select the new target from the drop-down menu.
  4. Click OK.

Activating Portal certificates (vF7.2.5 and lower)

Certificates for the and Portal (vF7.2.6 and above), Admin UI and Persistent Agent are activated automatically upon installation. No further action is required.

To begin using the certificate when connecting to the Portal, do the following:

  1. Navigate to Portal > Portal SSL.
  2. In the SSL Mode field, select Valid SSL Certificate.
  3. Click Save Settings (this may take several minutes).

View the details and private key information for a certificate

Users can view the certificate details and private key information for the selected target.

  1. Click System > Certificate Management.
  2. Click Details.