
Administration Guide

Server certificates

Certificate management provides the ability to manage certificates in different encoding schemes and file formats. The certificate management view shows the certificates currently installed on FortiNAC. Users can generate CSRs and install server certificates for the admin UI, the captive portal, the Persistent Agent, and the local RADIUS server.

High availability is not automatically supported at this time. To add certificates to a secondary appliance, you must fail over and configure certificates through the admin UI on that appliance.

Settings

Field / Definition

Add Filter
    Allows you to select a field from the current view to filter information. Select the field from the drop-down list, and then enter the information you wish to filter. See Filters.

New Remote API Target (v9.4.6 and greater)
    Used for installing certificates under a custom alias (for example, Microsoft Intune MDM).

Update
    Displays the filtered data in the table.

Certificate Target
    The component where the certificate is applied.

Alias
    The alias (entry name) under which the certificate is stored in the underlying keystore.

Issued To
    The subject of the certificate: the server name and organization details entered when generating the CSR.

Issued By
    The CA that issued the certificate.

Expiration
    The date when the certificate expires and a replacement is required. Users can map events to alarms to be notified when a certificate is about to expire or has expired. See Map events to alarms.

Export
    Exports the data displayed to a file in the default downloads location. File types include CSV, Excel, PDF, or RTF. See Export data.

Buttons

Generate CSR
    Opens the Generate CSR window to enter the CSR details.

Upload Certificate
    Opens the Upload Certificate window to find and select the key and certificate.

Details
    Opens the details and private key information for the selected target.

Obtaining a certificate from a CA

If you do not already have a certificate, you must obtain a certificate from a Certificate Authority (CA). FortiNAC does not have the ability to issue certificates.

To obtain a valid third party SSL certificate from a CA, you must generate a CSR and send it to the CA.

  1. Go to System > Certificate Management
  2. Click Generate CSR.
  3. Select the certificate target to which the certificate will be applied.
    • Admin UI: Administration UI
    • Local RADIUS Server (EAP): For use when FortiNAC is acting as the 802.1x EAP termination point. For details see Local RADIUS Server.
    • Persistent Agent: Persistent Agent communications.
    • Portal: Captive portal and Dissolvable Agent communications.
    • RADIUS Endpoint Trust: Endpoint Trust Certificate used by FortiNAC to validate the client-side certificate when Local RADIUS Server is configured and EAP-TLS is used for authentication. For details see Local RADIUS Server.
  4. Enter the Common Name. This is the fully qualified hostname to be secured by the certificate. If generating a wildcard CSR, enter the domain with the wildcard in the Common Name field (Example: *.example.com).
  5. Enter the Subject Alternative Names (leave blank if not requesting a SAN certificate). Click Add to enter each additional hostname and/or IP address. Modern browsers and most TLS clients match the server name against the Subject Alternative Name extension and ignore the Common Name, so also list the Common Name hostname as a SAN.
  6. Enter the remaining information for the certificate in the dialog box:
    • Organization: The name of the server's organization.
    • Organizational Unit: The name of the server's unit (department).
    • Locality (City): The city where the server is located.
    • State/Province: The state/province where the server is located.
    • 2 Letter Country Code: The country code where the server is located.
  7. Click OK to generate the CSR.
  8. Copy the section with the certificate request to include the following:

    -----BEGIN CERTIFICATE REQUEST-----

    ...Certificate Request Data...

    -----END CERTIFICATE REQUEST-----

  9. Paste it into a text file and save the file with a .txt extension. Note the location of this file on your PC. Make sure no extra spaces, characters, or line breaks are added to the request; a modified request will fail to parse at the CA.
  10. Send the certificate file to the CA to request a valid SSL certificate.
Important Notes:
  • Do not click OK in the Generate CSR screen again after saving the certificate request file and sending it to the CA. Each time OK is clicked, a new CSR and a new private key are created, overwriting the previous private key. If OK has been clicked since the submitted CSR was generated, the certificate the CA returns will not match the current private key, and a new CSR must be generated and sent to the CA.
  • Not all Certificate Authorities ask for the same information when requesting a certificate. For example, some CAs ask for a server type (Apache, etc.) while others do not. FortiNAC requires an unencrypted certificate in one of the following formats:

    • PEM
    • DER
    • PKCS#7
    • P7B (the usual file extension for a PKCS#7 bundle)

    This allows the certificate to be applied to any of the desired components.

    If the certificate is in PEM format, opening it in a text editor shows one or more Base64 blocks, each delimited by BEGIN and END lines. A bundle that includes the intermediate CA contains several blocks back to back:

    -----BEGIN CERTIFICATE-----

    ...Base64-encoded server certificate data...

    -----END CERTIFICATE-----

    -----BEGIN CERTIFICATE-----

    ...Base64-encoded intermediate CA certificate data...

    -----END CERTIFICATE-----

    Certificate requests generated on FortiNAC are signed with SHA-1 with RSA. The CSR signature only proves possession of the private key; the CA chooses the hash used to sign the certificate it issues, so a SHA-2 (for example SHA-256) certificate can be requested with this CSR.

Upload the certificate

Upload the valid SSL certificate to the appliance when the certificate file is returned from the CA. Certificate files can be returned to you in one of several configurations. Depending upon the CA, one or multiple certificate files may be returned.

  1. Save the file(s) received from the CA to your PC.
  2. Select System > Certificate Management
  3. Click Upload Certificate.
  4. Select the certificate target to which the certificate will be applied.
    • Admin UI: Administration UI
    • Local RADIUS Server (EAP): For use when FortiNAC is acting as the 802.1x EAP termination point. For details see Local RADIUS Server.
    • Persistent Agent: Persistent Agent communications.
    • Portal: Captive portal and Dissolvable Agent communications.
    • New Local RADIUS Server Target: Local RADIUS server. This type of target can be deleted by right clicking the target.
  5. Do one of the following:
    • Select Use Private Key from Last Generated CSR to use the key from the most recent CSR for the selected target.
    • Select Reuse Private Key from Existing Certificate to use the private key for the certificate currently in use. This option is for renewing an existing installed certificate.
    • Select Upload Private Key to upload a key stored outside FortiNAC. Click Choose to find and upload the private key.
  6. Click Choose File to find and select the certificate to be uploaded. Users can also upload CA certificates and CA bundles.

    Upload any intermediate certificate files needed to form a complete chain from the server certificate to a trusted root. The CA should be able to provide these files. Without a complete chain, clients that do not already hold the intermediate (browsers, agents, 802.1X supplicants) cannot build a path to a trusted root, and the target functionality may produce error/warning messages.

  7. Click Add Certificate if multiple certificates were returned. Use this to enter each additional certificate file.
  8. Click OK.
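The checks a practitioner runs before clicking OK in Upload Certificate, as an added example that is not part of the FortiNAC guide or product. It builds a constructed throwaway PKI with openssl to stand in for the CSR generated on the appliance and the files a public CA returns, then verifies that the returned certificate belongs to the private key of the last generated CSR (the overwrite warning in the Important Notes above), unpacks a PKCS#7/.p7b bundle into PEM, confirms the intermediate completes the chain to the root (step 6 above), and flags a certificate that expires within the renewal window (the Expiration field). The hostnames, file names and CA names are assumptions.

```shell
#!/bin/sh
# Added example, not FortiNAC code. A constructed throwaway PKI
# (root CA -> intermediate CA -> server certificate) stands in for the
# CSR generated on the appliance and the files a public CA would return.
# Hostnames, file names and CA names are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# OpenSSL config: the SANs requested in the CSR and the CA extensions.
write_cnf() {
    cat > "$WORK/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
req_extensions = v3_server
prompt = no
[dn]
[v3_server]
subjectAltName = DNS:nac.example.com, DNS:portal.example.com
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
}

# Build the fixtures: server key + CSR (appliance side) and a two-level
# CA that issues the server certificate and returns a .p7b bundle (CA side).
make_fixtures() {
    write_cnf
    for n in root int server regenerated; do
        openssl genrsa -out "$WORK/$n.key" 2048 2>/dev/null
    done
    # CSR with Common Name and SANs. "regenerated.key" is what a second click
    # on OK would leave behind: a key the submitted CSR was never signed with.
    openssl req -new -sha256 -key "$WORK/server.key" -config "$WORK/ext.cnf" \
        -subj "/CN=nac.example.com/O=Example Corp/C=US" -out "$WORK/server.csr"
    openssl req -x509 -new -sha256 -key "$WORK/root.key" -config "$WORK/ext.cnf" \
        -extensions v3_ca -subj "/CN=Constructed Root CA" -days 365 -out "$WORK/root.pem"
    openssl req -new -sha256 -key "$WORK/int.key" -config "$WORK/ext.cnf" \
        -subj "/CN=Constructed Intermediate CA" -out "$WORK/int.csr"
    openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -extfile "$WORK/ext.cnf" -extensions v3_ca -days 365 \
        -out "$WORK/int.pem" 2>/dev/null
    # The CA signs the leaf with the hash it chooses; short lifetime for the expiry check.
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
        -CAcreateserial -extfile "$WORK/ext.cnf" -extensions v3_server -sha256 -days 20 \
        -out "$WORK/server.pem" 2>/dev/null
    # Intermediates are often returned as a PKCS#7 (.p7b) bundle.
    openssl crl2pkcs7 -nocrl -certfile "$WORK/int.pem" -certfile "$WORK/root.pem" \
        -out "$WORK/chain.p7b"
}

# SHA-256 of the SubjectPublicKeyInfo inside a key, CSR or certificate.
spki_fingerprint() {   # $1 = key|csr|cert, $2 = file
    case "$1" in
        key)  openssl pkey -in "$2" -pubout ;;
        csr)  openssl req  -in "$2" -pubkey -noout ;;
        cert) openssl x509 -in "$2" -pubkey -noout ;;
    esac | openssl dgst -sha256 | sed 's/^.*= //'
}

# "match" when the returned certificate belongs to this private key.
key_matches_cert() {   # $1 = key file, $2 = certificate file
    [ "$(spki_fingerprint key "$1")" = "$(spki_fingerprint cert "$2")" ] && echo match || echo mismatch
}

# Signature algorithm of the CSR (informational: the CA picks the hash for the certificate).
csr_sig_alg() { openssl req -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1; }

# SANs carried in the CSR, as one comma-separated line.
csr_sans() { openssl req -in "$1" -noout -text | sed -n '/Subject Alternative Name/{n;s/^ *//p;}'; }

# Unpack a PKCS#7 / .p7b bundle (PEM or DER) into plain PEM; prints the certificate count.
p7b_to_pem() {   # $1 = bundle, $2 = output PEM
    inform=PEM; grep -q 'BEGIN PKCS7' "$1" || inform=DER
    openssl pkcs7 -inform "$inform" -in "$1" -print_certs -out "$2"
    grep -c 'BEGIN CERTIFICATE' "$2"
}

# "complete" when the leaf chains to the trusted root via the given intermediates.
chain_is_complete() {   # $1 = root, $2 = leaf, $3... = intermediates
    root=$1; leaf=$2; shift 2
    set -- $(for i in "$@"; do printf -- '-untrusted %s ' "$i"; done)
    openssl verify -CAfile "$root" "$@" "$leaf" >/dev/null 2>&1 && echo complete || echo incomplete
}

# "yes" when the certificate expires within $2 days: time to renew and raise the alarm.
expires_within_days() {   # $1 = certificate, $2 = days
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null && echo no || echo yes
}

make_fixtures
echo "CSR signed with:         $(csr_sig_alg "$WORK/server.csr")"
echo "CSR SANs:                $(csr_sans "$WORK/server.csr")"
echo "Cert vs CSR key:         $(key_matches_cert "$WORK/server.key" "$WORK/server.pem")"
echo "Cert vs regenerated key: $(key_matches_cert "$WORK/regenerated.key" "$WORK/server.pem")"
echo "Certs in .p7b:           $(p7b_to_pem "$WORK/chain.p7b" "$WORK/chain.pem")"
echo "Chain with intermediate: $(chain_is_complete "$WORK/root.pem" "$WORK/server.pem" "$WORK/int.pem")"
echo "Chain leaf only:         $(chain_is_complete "$WORK/root.pem" "$WORK/server.pem")"
echo "Expires within 30 days:  $(expires_within_days "$WORK/server.pem" 30)"
```

Against a real deployment, replace the fixtures with the CSR saved in step 8, the private key of that CSR, and the files the CA returned; a "mismatch" from key_matches_cert means OK was clicked again after the CSR was submitted and the request has to be reissued, and an "incomplete" from chain_is_complete means the intermediate still has to be added with Add Certificate.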

Copying a certificate to another target

If the certificate is intended to be used for multiple targets, copy the certificate to the new target:

  1. Highlight the target with the desired certificate installed.
  2. Click Copy Certificate.
  3. Select the new target from the drop-down menu.
  4. Click OK.

Activating certificates

Certificates for the Admin UI and Persistent Agent are activated automatically upon installation. No further action is required.

To begin using the certificate when connecting to the Portal, do the following:

  1. Navigate to Portal > Portal SSL
  2. In the SSL Mode field, select Valid SSL Certificate.
  3. Click Save Settings (this may take several minutes).

View the details and private key information for a certificate

Users can view the certificate details and private key information for the selected target.

  1. Click System > Certificate Management
  2. Click Details.
