Certificate Signing Requests
Whether you create certificates locally or obtain them from an external certificate service, you need to generate a Certificate Signing Request (CSR).
When a CSR is generated, a private and public key pair is created for the FortiProxy unit. The generated request includes the public key of the device, and information such as the unit’s public static IP address, domain name, or email address. The device’s private key remains confidential on the unit.
After the request is submitted to a CA, the CA verifies the information and registers the contact information on a digital certificate that contains a serial number, an expiration date, and the public key of the CA. The CA then signs the certificate, after which you can install the certificate on the FortiProxy device.
To generate a CSR:
- Go to System > Certificates and click Create/Import > Generate CSR. The Generate Certificate Signing Request page opens.
- Enter the following information:
Certificate Name
Enter a unique name for the certificate request, such as the host name or the serial number of the device.
Do not include spaces in the certificate name, to ensure compatibility as a PKCS12 file.
Subject Information
Select the ID type:
- Host IP: Select if the unit has a static IP address. Enter the device’s IP address in the IP field.
- Domain Name: Enter the device’s domain name or FQDN in the Domain Name field.
- E-mail: Enter the email address of the device’s administrator in the E-mail field.
Optional Information
Optional information to further identify the device.
Organization Unit
Enter the name of the department. Up to 5 OUs can be added.
Organization
Enter the legal name of the company or organization.
Locality (City)
Enter the name of the city where the unit is located.
State/Province
Enter the name of the state or province where the unit is located.
Country/Region
Enable and then enter the country where the unit is located. Select from the drop-down list.
E-Mail
Enter the contact email address.
Subject Alternative Name
Enter one or more alternative names, separated by commas, for which the certificate is also valid.
An alternative name can be: email address, IP address, URI, DNS name, or a directory name.
Each name must be preceded by its type, for example: IP:1/2/3/4, or URL: http://your.url.here/.
Password for private key
Enter a password for the private key.
Key Type
Select RSA or Elliptic Curve. The default is RSA.
Key Size
If you selected RSA for the Key Type, select the key size: 1024 Bit, 1536 Bit, 2048 Bit, or 4096 Bit. The default is 2048 Bit.
Larger key sizes are more secure but slower to generate.
Curve Name
If you selected Elliptic Curve for the Key Type, select the curve name: secp256r1, secp384r1, or secp521r1.
Enrollment Method
Select the enrollment method. The default is File Based.
- Click OK to generate the CSR.
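Before submitting a file-based request to the CA, you can confirm that it carries the key type, key size, and Subject Alternative Names you selected. The following script is an added example, not part of the FortiProxy documentation or product. It assumes the `openssl` command-line tool is installed and that the request is a PEM file; the 2048-bit RSA floor is an assumed policy value, and the host name and address in the demo are constructed.

```shell
#!/usr/bin/env bash
# Added example: review a CSR before submitting it to the CA.
MIN_RSA_BITS=2048   # assumed policy floor, not a FortiProxy setting

# check_csr FILE: prints findings; returns 0 if the request passes, 1 if not.
check_csr() {
    local csr="$1" text alg bits san rc=0
    # Decode the PKCS#10 request; stop if the file is not a PEM CSR.
    text=$(openssl req -in "$csr" -noout -text 2>/dev/null) || {
        echo "FAIL: not a readable PEM CSR"; return 1; }

    # The request is signed with the unit's private key. Match the message
    # text, because some openssl builds exit 0 even when verification fails.
    if openssl req -in "$csr" -noout -verify 2>&1 | grep -q "verify OK"; then
        echo "ok: self-signature verifies"
    else
        echo "FAIL: self-signature does not verify"; rc=1
    fi

    # Key type and size as selected under Key Type / Key Size / Curve Name.
    alg=$(printf '%s\n' "$text" | sed -n 's/.*Public Key Algorithm: *//p' | head -n 1)
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: *(\([0-9]*\) bit.*/\1/p' | head -n 1)
    echo "info: key algorithm=$alg size=${bits:-unknown}"
    if [ "$alg" = "rsaEncryption" ] && [ "${bits:-0}" -lt "$MIN_RSA_BITS" ]; then
        echo "FAIL: RSA key is below $MIN_RSA_BITS bits"; rc=1
    fi

    # Subject Alternative Name entries travel as a requested extension.
    san=$(printf '%s\n' "$text" | sed -n '/Subject Alternative Name/{n;s/^ *//p;}')
    if [ -n "$san" ]; then
        echo "info: SAN=$san"
    else
        echo "warn: no Subject Alternative Name in the request"
    fi
    return "$rc"
}

# Demo on a constructed request standing in for the file from the unit.
demo=$(mktemp -d)
openssl req -new -newkey rsa:2048 -nodes -keyout "$demo/key.pem" \
    -out "$demo/sample.csr" -subj "/CN=proxy.example.com" \
    -addext "subjectAltName=DNS:proxy.example.com,IP:192.0.2.10" 2>/dev/null
check_csr "$demo/sample.csr"
```

To check a real request, call `check_csr` with the path of the CSR file downloaded from the unit in place of the demo file.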