Fortinet black logo

Administration Guide

Certificate management

Copy Link
Copy Doc ID 2cb222d1-3405-11ea-9384-00505692583a:966318
Download PDF

Certificate management

Certificate management provides users with the ability to manage certificates with different encoding schemes and file formats. The certificate management view shows the certificates that are currently installed on FortiNAC. Users can create and install server certificates for the admin UI.

High availability is not automatically supported at this time. To add certificates to a secondary appliance, you must fail over and configure certificates through the admin UI on that appliance.

Settings

Field

Definition

Add Filter

Allows you to select a field from the current view to filter information. Select the field from the drop-down list, and then enter the information you wish to filter. See Filters.

Update

Displays the filtered data in the table.

Certificate Target

The component where the certificate is applied.

Alias

Indicates how the certificate is stored in the underlying Keystore.

Issued To

The server that received the certificate. Displays information entered when generating the CSR.

Issued By

The CA that issued the certificate.

Expiration

The date when the certificate expires and a new certificate is required.

Users can map events to alarms when the certificate will expire or has expired. See Map events to alarms.

Export

Exports the data displayed to a file in the default downloads location. File types include CSV, Excel, PDF, or RTF. See Export data.

Buttons

Generate CSR

Opens the Generate CSR window to enter the CSR details.

Upload Certificate

Opens the Upload Certificate window to find and select the key and certificate.

Details

Opens the details and private key information for the selected target.

Obtaining a certificate from a CA

If you do not have a certificate, you must obtain a certificate from a CA.

To obtain a valid third party SSL certificate from a CA, you must generate a CSR and send it to the CA.

  1. Go to System > Settings.
  2. Expand the Security folder.
  3. Select Certificate Management from the tree.
  4. Click Generate CSR.
  5. Select the certificate target (the type of certificate you want to generate).

    • Select Admin UI to generate a CSR for the admin UI.
    • Select Persistent Agent to generate a CSR for the PA communications.
    • Select Portal to generate a CSR to secure the captive portal and DA communications.
    • Select RADIUS Server to generate a CSR for integrated FortiNAC RADIUS server set to use 802.1x and PEAP.
  6. Enter the Common Name. This is the hostname to be secured by the certificate. If generating a wildcard CSR, enter the desired domain specifying the wildcard in the Common Name field (Example: *.example.com).
  7. Enter the Subject Alternative Names (leave blank if not requesting a SAN certificate). Click Add to enter each additional hostname and/or IP address.
  8. Enter the remaining information for the certificate in the dialog box:

    • Organization: The name of the server's organization.
    • Organizational Unit: The name of the server's unit (department).
    • Locality (City): The city where the server is located.
    • State/Province: The state/province where the server is located.
    • 2 Letter Country Code: The country code where the server is located.
  9. Click OK to generate the CSR.

  10. Copy the section with the certificate request to include the following:

    -----BEGIN CERTIFICATE REQUEST-----

    ...Certificate Request Data...

    -----END CERTIFICATE REQUEST-----

  11. Paste it into a text file, and save the file with a .txt extension. Note the location of this file on your PC.

    Make sure there are no spaces, characters, or carriage returns added to the certificate.

  12. Send the certificate file to the CA to request a valid SSL certificate.
Important Notes:
  • Do not click OK in the Generate CSR screen after saving the certificate file and sending to the CA. Each time OK is clicked on the Generate CSR screen, a new CSR and private key are created, overwriting any previous private key. Consequently, if a certificate file has been submitted to the CA, and OK has been clicked since the original certificate was generated, the returned certificate will not match the current private key, and a new request will have to be issued and sent to the CA.
  • Not all certificate Authorities ask for the same information when requesting a certificate. For example, some CA's ask for a server type (Apache, etc) while others do not. FortiNAC requires a non-encrypted certificate in one of the following formats:

    • PEM
    • DER
    • PKCS#7
    • P7B

    This will allow the certificate to be applied to any of the desired components.

    If the certificate is in PEM format, opening the certificate in a text editor should look something like the following format:

    -----BEGIN CERTIFICATE1-----

    fjkghwjernlsfuigylerkjlkfjnu23jnlkjbliu5ghl6kh4

    fjkjlkfjnu23jnlkjbliu5ghl6khkghwjernlsfuigyler4

    ghwjernlsfuigylerkjlkfjnu23jnlkjbliu5fjkghl6kh4

    -----END CERTIFICTATE1-----

    -----BEGIN CERTIFICATE2----

    fjkghwjernlsfuigylerkjlkfjnu23jnlkjbliu5ghl6kh4

    fjkjlkfjnu23jnlkjbliu5ghl6khkghwjernlsfuigyler4

    ghwjernlsfuigylerkjlkfjnu23jnlkjbliu5fjkghl6kh4

    -----END CERTIFCATE2-----

    Certificate requests generated on FortiNAC use the SHA1 RSA encryption signature. However, certificates with SHA2 encryption can be requested using this CSR.

Upload the certificate

Upload the valid SSL certificate to the appliance when the certificate file is returned from the CA. Certificate files can be returned to you in one of several configurations. Depending upon the CA, one or multiple certificate files may be returned.

  1. Save the file(s) received from the CA to your PC.
  2. Select System > Settings.
  3. Expand the Security folder.
  4. Select Certificate Management from the tree.
  5. Click Upload Certificate.
  6. Select the target where the certificate will be uploaded:

    • Select Admin UI to install the certificate for the admin UI.
    • Select Persistent Agent to install certificate for the PA communications.
    • Select Portal to install the certificate to secure the captive portal.
  7. Do one of the following:

    • Select Use Private Key from Last Generated CSR to use the key from the most recent CSR for the selected target.
    • Select Reuse Private Key from Existing Certificate to use the private key for the certificate currently in use. This option is for renewing an existing installed certificate.
    • Select Upload Private Key to upload a key stored outside FortiNAC. Click Choose to find and upload the private key.
  8. Click Choose File to find and select the certificate to be uploaded. Users can also upload CA certificates and CA bundles.

    Upload any relevant intermediate certificate files needed for the creation of a complete certificate chain of authority. The CA should be able to provide these files. Without a complete certificate chain of authority, the target functionality may produce error/warning messages.

  9. Click Add Certificate if multiple certificates were returned. Use this to enter each additional certificate file.
  10. Click OK.

Copying a certificate to another target

If the certificate is intended to be used for multiple targets, copy the certificate to the new target:

  1. Highlight the target with the desired certificate installed.
  2. Click Copy Certificate.
  3. Select the new target from the drop-down menu.
  4. Click OK.

Activating certificates

Certificates for the administrator Interface and Persistent Agent are activated automatically upon installation. No further action is required.

To begin using the certificate when connecting to the Portal, do the following:

  1. Navigate to System > Settings.
  2. Expand the Security folder, and then click Portal SSL.
  3. In the SSL Mode field, select Valid SSL Certificate.
  4. Click Save Settings (this may take several minutes).

View the details and private key information for a certificate

Users can view the certificate details and private key information for the selected target.

  1. Click System > Settings.
  2. Expand the Security folder.
  3. Select Certificate Management from the tree.
  4. Click Details.

Certificate management

Certificate management provides users with the ability to manage certificates with different encoding schemes and file formats. The certificate management view shows the certificates that are currently installed on FortiNAC. Users can create and install server certificates for the admin UI.

High availability is not automatically supported at this time. To add certificates to a secondary appliance, you must fail over and configure certificates through the admin UI on that appliance.

Settings

Field

Definition

Add Filter

Allows you to select a field from the current view to filter information. Select the field from the drop-down list, and then enter the information you wish to filter. See Filters.

Update

Displays the filtered data in the table.

Certificate Target

The component where the certificate is applied.

Alias

Indicates how the certificate is stored in the underlying Keystore.

Issued To

The server that received the certificate. Displays information entered when generating the CSR.

Issued By

The CA that issued the certificate.

Expiration

The date when the certificate expires and a new certificate is required.

Users can map events to alarms when the certificate will expire or has expired. See Map events to alarms.

Export

Exports the data displayed to a file in the default downloads location. File types include CSV, Excel, PDF, or RTF. See Export data.

Buttons

Generate CSR

Opens the Generate CSR window to enter the CSR details.

Upload Certificate

Opens the Upload Certificate window to find and select the key and certificate.

Details

Opens the details and private key information for the selected target.

Obtaining a certificate from a CA

If you do not have a certificate, you must obtain a certificate from a CA.

To obtain a valid third party SSL certificate from a CA, you must generate a CSR and send it to the CA.

  1. Go to System > Settings.
  2. Expand the Security folder.
  3. Select Certificate Management from the tree.
  4. Click Generate CSR.
  5. Select the certificate target (the type of certificate you want to generate).

    • Select Admin UI to generate a CSR for the admin UI.
    • Select Persistent Agent to generate a CSR for the PA communications.
    • Select Portal to generate a CSR to secure the captive portal and DA communications.
    • Select RADIUS Server to generate a CSR for integrated FortiNAC RADIUS server set to use 802.1x and PEAP.
  6. Enter the Common Name. This is the hostname to be secured by the certificate. If generating a wildcard CSR, enter the desired domain specifying the wildcard in the Common Name field (Example: *.example.com).
  7. Enter the Subject Alternative Names (leave blank if not requesting a SAN certificate). Click Add to enter each additional hostname and/or IP address.
  8. Enter the remaining information for the certificate in the dialog box:

    • Organization: The name of the server's organization.
    • Organizational Unit: The name of the server's unit (department).
    • Locality (City): The city where the server is located.
    • State/Province: The state/province where the server is located.
    • 2 Letter Country Code: The country code where the server is located.
  9. Click OK to generate the CSR.

  10. Copy the section with the certificate request to include the following:

    -----BEGIN CERTIFICATE REQUEST-----

    ...Certificate Request Data...

    -----END CERTIFICATE REQUEST-----

  11. Paste it into a text file, and save the file with a .txt extension. Note the location of this file on your PC.

    Make sure there are no spaces, characters, or carriage returns added to the certificate.

  12. Send the certificate file to the CA to request a valid SSL certificate.
Important Notes:
  • Do not click OK in the Generate CSR screen after saving the certificate file and sending to the CA. Each time OK is clicked on the Generate CSR screen, a new CSR and private key are created, overwriting any previous private key. Consequently, if a certificate file has been submitted to the CA, and OK has been clicked since the original certificate was generated, the returned certificate will not match the current private key, and a new request will have to be issued and sent to the CA.
  • Not all certificate Authorities ask for the same information when requesting a certificate. For example, some CA's ask for a server type (Apache, etc) while others do not. FortiNAC requires a non-encrypted certificate in one of the following formats:

    • PEM
    • DER
    • PKCS#7
    • P7B

    This will allow the certificate to be applied to any of the desired components.

    If the certificate is in PEM format, opening the certificate in a text editor should look something like the following format:

    -----BEGIN CERTIFICATE1-----

    fjkghwjernlsfuigylerkjlkfjnu23jnlkjbliu5ghl6kh4

    fjkjlkfjnu23jnlkjbliu5ghl6khkghwjernlsfuigyler4

    ghwjernlsfuigylerkjlkfjnu23jnlkjbliu5fjkghl6kh4

    -----END CERTIFICTATE1-----

    -----BEGIN CERTIFICATE2----

    fjkghwjernlsfuigylerkjlkfjnu23jnlkjbliu5ghl6kh4

    fjkjlkfjnu23jnlkjbliu5ghl6khkghwjernlsfuigyler4

    ghwjernlsfuigylerkjlkfjnu23jnlkjbliu5fjkghl6kh4

    -----END CERTIFCATE2-----

    Certificate requests generated on FortiNAC use the SHA1 RSA encryption signature. However, certificates with SHA2 encryption can be requested using this CSR.

Upload the certificate

Upload the valid SSL certificate to the appliance when the certificate file is returned from the CA. Certificate files can be returned to you in one of several configurations. Depending upon the CA, one or multiple certificate files may be returned.

  1. Save the file(s) received from the CA to your PC.
  2. Select System > Settings.
  3. Expand the Security folder.
  4. Select Certificate Management from the tree.
  5. Click Upload Certificate.
  6. Select the target where the certificate will be uploaded:

    • Select Admin UI to install the certificate for the admin UI.
    • Select Persistent Agent to install certificate for the PA communications.
    • Select Portal to install the certificate to secure the captive portal.
  7. Do one of the following:

    • Select Use Private Key from Last Generated CSR to use the key from the most recent CSR for the selected target.
    • Select Reuse Private Key from Existing Certificate to use the private key for the certificate currently in use. This option is for renewing an existing installed certificate.
    • Select Upload Private Key to upload a key stored outside FortiNAC. Click Choose to find and upload the private key.
  8. Click Choose File to find and select the certificate to be uploaded. Users can also upload CA certificates and CA bundles.

    Upload any relevant intermediate certificate files needed for the creation of a complete certificate chain of authority. The CA should be able to provide these files. Without a complete certificate chain of authority, the target functionality may produce error/warning messages.

  9. Click Add Certificate if multiple certificates were returned. Use this to enter each additional certificate file.
  10. Click OK.

Copying a certificate to another target

If the certificate is intended to be used for multiple targets, copy the certificate to the new target:

  1. Highlight the target with the desired certificate installed.
  2. Click Copy Certificate.
  3. Select the new target from the drop-down menu.
  4. Click OK.

Activating certificates

Certificates for the administrator Interface and Persistent Agent are activated automatically upon installation. No further action is required.

To begin using the certificate when connecting to the Portal, do the following:

  1. Navigate to System > Settings.
  2. Expand the Security folder, and then click Portal SSL.
  3. In the SSL Mode field, select Valid SSL Certificate.
  4. Click Save Settings (this may take several minutes).

View the details and private key information for a certificate

Users can view the certificate details and private key information for the selected target.

  1. Click System > Settings.
  2. Expand the Security folder.
  3. Select Certificate Management from the tree.
  4. Click Details.