Fortinet white logo
Fortinet white logo

Administration Guide

Certificate Signing Requests

Certificate Signing Requests

Whether you create certificates locally or obtain them from an external certificate service, you need to generate a Certificate Signing Request (CSR).

When a CSR is generated, a private and public key pair is created for the FortiProxy unit. The generated request includes the public key of the device, and information such as the unit’s public static IP address, domain name, or email address. The device’s private key remains confidential on the unit.

After the request is submitted to a CA, the CA verifies the information and register the contact information on a digital certificate that contains a serial number, an expiration date, and the public key of the CA. The CA then signs the certificate, after which you can install the certificate on the FortiProxy device.

To generate a CSR:
  1. Go to System > Certificates and click Create/Import > Generate CSR. The Generate Certificate Signing Request page opens.

  2. Enter the following information:

    Certificate Name

    Enter a unique name for the certificate request, such as the host name or the serial number of the device.

    Do not include spaces in the certificate to ensure compatibility as a PKCS12 file.

    Subject Information

    Select the ID type:

    • Host IP: Select if the unit has a static IP address. Enter the device’s IP address in the IP field.

    • Domain Name: Enter the device’s domain name or FQDN in the Domain Name field.

    • E-mail: Enter the email address of the device’s administrator in the E-mail field.

    Optional Information

    Optional information to further identify the device.

    Organization Unit

    Enter the name of the department. Up to 5 OUs can be added.

    Organization

    Enter the legal name of the company or organization.

    Locality (City)

    Enter the name of the city where the unit is located.

    State/Province

    Enter the name of the state or province where the unit is located.

    Country/Region

    Enable and then enter the country where the unit is located. Select from the drop-down list.

    E-Mail

    Enter the contact email address.

    Subject Alternative Name

    Enter one or more alternative names, separated by commas, for which the certificate is also valid.

    An alternative name can be: email address, IP address, URI, DNS name, or a directory name.

    Each name must be preceded by its type, for example: IP:1/2/3/4, or URL: http://your.url.here/.

    Password for private key

    Enter a password for the private key.

    Key Type

    Select RSA or Elliptic Curve. The default is RSA.

    Key Size

    If you selected RSA for the Key Type, select the key size: 1024 Bit, 1536 Bit, 2048 Bit, or 4096 Bit. The default is 2048 Bit.

    Larger key sizes are more secure but slower to generate.

    Curve Name

    If you selected Elliptic Curve for the Key Type, select the curve name: secp256r1, secp384r1, or secp521r1.

    Enrollment Method

    Select the enrollment method. The default is File Based.

    • File Based: Generate the certificate request.

    • Online SCEP: Obtain a signed, Simple Certificate Enrollment Protocol (SCEP) based certificate automatically over the network. Enter the CA server URL and challenge password in their respective fields.

  3. Click OK to generate the CSR.

Certificate Signing Requests

Certificate Signing Requests

Whether you create certificates locally or obtain them from an external certificate service, you need to generate a Certificate Signing Request (CSR).

When a CSR is generated, a private and public key pair is created for the FortiProxy unit. The generated request includes the public key of the device, and information such as the unit’s public static IP address, domain name, or email address. The device’s private key remains confidential on the unit.

After the request is submitted to a CA, the CA verifies the information and register the contact information on a digital certificate that contains a serial number, an expiration date, and the public key of the CA. The CA then signs the certificate, after which you can install the certificate on the FortiProxy device.

To generate a CSR:
  1. Go to System > Certificates and click Create/Import > Generate CSR. The Generate Certificate Signing Request page opens.

  2. Enter the following information:

    Certificate Name

    Enter a unique name for the certificate request, such as the host name or the serial number of the device.

    Do not include spaces in the certificate to ensure compatibility as a PKCS12 file.

    Subject Information

    Select the ID type:

    • Host IP: Select if the unit has a static IP address. Enter the device’s IP address in the IP field.

    • Domain Name: Enter the device’s domain name or FQDN in the Domain Name field.

    • E-mail: Enter the email address of the device’s administrator in the E-mail field.

    Optional Information

    Optional information to further identify the device.

    Organization Unit

    Enter the name of the department. Up to 5 OUs can be added.

    Organization

    Enter the legal name of the company or organization.

    Locality (City)

    Enter the name of the city where the unit is located.

    State/Province

    Enter the name of the state or province where the unit is located.

    Country/Region

    Enable and then enter the country where the unit is located. Select from the drop-down list.

    E-Mail

    Enter the contact email address.

    Subject Alternative Name

    Enter one or more alternative names, separated by commas, for which the certificate is also valid.

    An alternative name can be: email address, IP address, URI, DNS name, or a directory name.

    Each name must be preceded by its type, for example: IP:1/2/3/4, or URL: http://your.url.here/.

    Password for private key

    Enter a password for the private key.

    Key Type

    Select RSA or Elliptic Curve. The default is RSA.

    Key Size

    If you selected RSA for the Key Type, select the key size: 1024 Bit, 1536 Bit, 2048 Bit, or 4096 Bit. The default is 2048 Bit.

    Larger key sizes are more secure but slower to generate.

    Curve Name

    If you selected Elliptic Curve for the Key Type, select the curve name: secp256r1, secp384r1, or secp521r1.

    Enrollment Method

    Select the enrollment method. The default is File Based.

    • File Based: Generate the certificate request.

    • Online SCEP: Obtain a signed, Simple Certificate Enrollment Protocol (SCEP) based certificate automatically over the network. Enter the CA server URL and challenge password in their respective fields.

  3. Click OK to generate the CSR.