Administration Guide

Working with Certificates

When a FortiRecorder appliance initiates or receives an SSL or TLS connection, it will use certificates. Certificates can be used in secure connections for encryption and authentication.

Tooltip

FortiRecorder may require you to upload certificates and CRLs even if you do not use HTTPS.

For example, when sending alert email via SMTPS, or querying an authentication server via LDAPS, FortiRecorder will validate the server’s certificate by comparing the server certificate’s CA signature with the certificates of CAs that are known and trusted by the FortiRecorder appliance. See “Uploading trusted CAs’ certificates” and “Revoking certificates”.

Supported cipher suites & protocol versions

How secure is an HTTPS connection?

A secure connection’s protocol version and cipher suite, including encryption bit strength and encryption algorithms, is negotiated between the client and the SSL terminator during the handshake. (When you connect to the web UI via HTTPS, your FortiRecorder appliance is the SSL terminator.) Because security settings must agree, the result depends both on the appliance and your web browser.

FortiRecorder supports:

SSL 2.0

  • RC4-MD5 — 40-bit & 128-bit


SSL 3.0

  • AES-SHA — 256-bit & 128-bit
  • CAMELLIA-SHA — 128-bit & 256-bit
  • DES-CBC3-SHA — 168-bit
  • DES-CBC-SHA — 40-bit & 56-bit
  • DHE-RSA-AES-SHA — 256-bit & 128-bit
  • DHE-RSA-CAMELLIA-SHA — 256-bit & 128-bit
  • DHE-RSA-SEED-SHA — 128-bit
  • EDH-RSA-DES-CBC3-SHA — 168-bit
  • EDH-RSA-DES-CBC-SHA — 40-bit & 56-bit
  • RC4-SHA — 128-bit
  • RC4-MD5 — 40-bit & 128-bit
  • SEED-SHA — 128-bit

TLS 1.0

  • AES-SHA — 256-bit & 128-bit
  • CAMELLIA-SHA — 128-bit & 256-bit
  • DES-CBC3-SHA — 168-bit
  • DES-CBC-SHA — 40-bit & 56-bit
  • DHE-RSA-AES-SHA — 256-bit & 128-bit
  • DHE-RSA-CAMELLIA-SHA — 256-bit & 128-bit
  • DHE-RSA-SEED-SHA — 128-bit
  • EDH-RSA-DES-CBC3-SHA — 168-bit
  • EDH-RSA-DES-CBC-SHA — 40-bit & 56-bit
  • RC4-SHA — 128-bit
  • RC4-MD5 — 40-bit & 128-bit
  • SEED-SHA — 128-bit

AES-256 or ECC, and SHA-1 are preferable. Generally speaking, for security reasons, avoid using:

  • SSL 2.0
  • TLS 1.0
  • Older hash algorithms, such as MD5. (On modern computers, these can be cracked quickly.)
  • Ciphers with known vulnerabilities, such as some implementations of RC4, AES and DES. (For example, to protect clients with incorrect CBC implementations for AES and DES, prioritize RC4.)
  • Encryption bit strengths less than 128
  • Older styles of re-negotiation (These are vulnerable to man-in-the-middle (MITM) attacks.)
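As an added illustration of this guidance (example code, not part of the FortiRecorder guide or product), the following Python uses the standard ssl module to express the same policy on a client that connects to the appliance web UI: it refuses anything below TLS 1.2, excludes RC4, MD5, DES and 3DES suites, disables renegotiation where the underlying OpenSSL exposes that option, and then audits what the resulting context could still negotiate. The suite names and bit strengths in SAMPLE_SUITES are constructed from the lists above; the TLS 1.2 floor is this example's own choice (stricter than the list, which names only SSL 2.0 and TLS 1.0 as versions to avoid), and the function names are this example's own.

```python
import ssl

# Cipher suites as the guide lists them, paired with advertised bit strength.
# Constructed sample input for the audit below, not output of a live appliance.
SAMPLE_SUITES = [
    ("RC4-MD5", 40), ("RC4-MD5", 128), ("DES-CBC-SHA", 56),
    ("DES-CBC3-SHA", 168), ("AES-SHA", 128), ("DHE-RSA-AES-SHA", 256),
    ("RC4-SHA", 128), ("SEED-SHA", 128),
]


def suite_problems(name: str, bits: int) -> list:
    """Return why a suite falls under the 'avoid' list above (empty list if it does not)."""
    problems = []
    if bits < 128:
        problems.append("strength below 128 bits")
    if "MD5" in name:
        problems.append("MD5 hash")
    if "RC4" in name:
        problems.append("RC4 cipher")
    return problems


def audit_suites(suites) -> dict:
    """Map 'NAME/bits' to its list of problems for every suite in the input."""
    return {f"{name}/{bits}": suite_problems(name, bits) for name, bits in suites}


def hardened_client_context() -> ssl.SSLContext:
    """Client context for talking to the appliance web UI under the rules above.

    Assumption of this example: TLS 1.2 is the floor, which is stricter than the
    list above (it names only SSL 2.0 and TLS 1.0 as versions to avoid).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # verifies server cert and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # OpenSSL cipher string: high-strength suites only, no anonymous or null
    # ciphers, and none of the RC4/MD5/DES/3DES suites from the lists above.
    ctx.set_ciphers("HIGH:!aNULL:!eNULL:!MD5:!RC4:!DES:!3DES")
    # Refuse renegotiation entirely where this OpenSSL build exposes the option.
    ctx.options |= getattr(ssl, "OP_NO_RENEGOTIATION", 0)
    return ctx


def negotiable_weak_ciphers(ctx: ssl.SSLContext) -> list:
    """Names of suites the context could still negotiate that violate the policy."""
    return [c["name"] for c in ctx.get_ciphers()
            if suite_problems(c["name"], c["strength_bits"])]


def minimum_version_name(ctx: ssl.SSLContext) -> str:
    """Protocol floor of the context as a string, e.g. 'TLSv1_2'."""
    return ctx.minimum_version.name


if __name__ == "__main__":
    for suite, problems in audit_suites(SAMPLE_SUITES).items():
        print(f"{suite:24} {'; '.join(problems) or 'acceptable under the list above'}")
    ctx = hardened_client_context()
    print("floor:", minimum_version_name(ctx),
          "weak suites still enabled:", negotiable_weak_ciphers(ctx))
```

Running the script prints one line per sample suite with the reason it is flagged, then shows that the hardened context has no flagged suite left in its negotiable list. The same audit can be pointed at the cipher list a browser or script actually uses, which is what decides the negotiated result described above.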

Client-initiated re-negotiation

Replacing the default certificate for the web UI

For HTTPS connections with the web UI, FortiRecorder has its own X.509 server certificate. By default, the FortiRecorder appliance presents the “Factory” certificate, which can be used to encrypt the connection, but whose authenticity cannot be guaranteed and therefore may not be trusted by your web browser. This will cause your web browser to display a security alert, indicating that the connection may have been intercepted.

To prevent this false alarm, you can go to System > Certificate > Local Certificate to replace the certificate with one that is signed by your own CA so that it will be trusted. Thereafter, a security alert will only occur if:

  • the certificate expires
  • your CA revokes the certificate
  • the connection has been compromised by a man-in-the-middle attack

If you have not yet requested a certificate from your CA, and if it requires one, you must first generate a certificate signing request (see “Generating a certificate signing request”). Otherwise, start with “Uploading & selecting to use a certificate”.

The following is an overview of the certificate interface section (setting name, followed by its description):

View

Select to view the selected certificate’s issuer, subject, and range of dates within which the certificate is valid.

Delete

Select to delete the selected certificate.

Generate

Select to generate a certificate signing request. For details, see “Generating a certificate signing request”.

Download

Select to download the selected certificate’s entry in certificate (.cer), PKCS #12 (.p12), or certificate signing request (.csr) file format. PKCS #12 is recommended if you require a certificate backup that includes the private key.

Certificate backups can also be made by downloading a configuration file backup, which includes all certificates and keys.

Set status

To configure your FortiRecorder appliance to use a certificate, click its row to select it, then click this button. A confirmation dialog will appear, asking if you want to use it as the “default” (currently in use) certificate. Click OK. The Status column will change to reflect the new status.

Import

Select to upload a certificate. For details, see “Uploading & selecting to use a certificate”.

Name

Displays the name of the certificate according to the appliance’s configuration file. This will not be visible to clients.

Subject

Displays the distinguished name (DN) located in the Subject: field of the certificate.

If the row contains a certificate request which has not yet been signed, this field is empty.

Status

Displays the status of the certificate.

  • Default — Indicates that this certificate will be used whenever a client attempts to connect to the appliance. Only one certificate can be in use at any given time.
  • OK — Indicates that the certificate was successfully imported. To use the certificate, select it, then use Set status to change its status.
  • Pending — Indicates that the certificate request (CSR) has been generated, but must be downloaded, signed, and imported before it can be used as a server certificate.

Generating a certificate signing request

Many commercial certificate authorities (CAs) will provide a web site where you can generate your own certificate signing request (CSR). A CSR is an unsigned certificate file that the CA will sign. When the CSR is generated, the associated private key that the appliance will use to sign and/or encrypt connections with clients is also generated.

If your CA does not provide this, or if you have your own private CA such as a Linux server with OpenSSL, you can use the appliance to generate a CSR and private key. This CSR can then be submitted for verification and signing by the CA.

To generate a certificate request

  1. Go to System > Certificate > Local Certificate.
  2. Select Generate.
  3. Configure the certificate signing request.
  4. Set each of the following (setting name, followed by its description):

    Certification name

    Enter a unique name for the certificate request, such as fortirecorder.example.com. This can be the name of your appliance.

    Subject Information: ID Type

    Select the type of identifier to use in the certificate to identify the FortiRecorder appliance:

    • Host IP — Select if the FortiRecorder appliance has a static IP address and enter the public IP address of the FortiRecorder appliance in the IP field. If the FortiRecorder appliance does not have a public IP address, use E-Mail or Domain Name instead.
    • Domain Name — Select if the FortiRecorder appliance has a static IP address and subscribes to a dynamic DNS service. Enter the FQDN of the FortiRecorder appliance, such as fortirecorder.example.com, in the Domain Name field. Do not include the protocol specification (http://) or any port number or path names.
    • E-Mail — Select and enter the email address of the owner of the FortiRecorder appliance in the E-mail field. Use this if the appliance does not require either a static IP address or a domain name.

    The type you should select varies by whether or not your FortiRecorder appliance has a static IP address, a fully-qualified domain name (FQDN), and by the primary intended use of the certificate.

    For example, if your FortiRecorder appliance has both a static IP address and a domain name, but you will primarily use the local certificate for HTTPS connections to the web UI by the domain name of the FortiRecorder appliance, you might prefer to generate a certificate based upon the domain name of the FortiRecorder appliance, rather than its IP address.

    Subject Information: IP

    Type the static IP address of the FortiRecorder appliance, such as 10.0.0.1.

    The IP address should be the one that is visible to clients. Usually, this should be its public IP address on the Internet, or a virtual IP that you use NAT to map to the appliance’s IP address on your private network.

    This option appears only if ID Type is Host IP.

    Subject Information: Domain Name

    Type the fully qualified domain name (FQDN) of the FortiRecorder appliance, such as www.example.com.

    The domain name must resolve to the static IP address of the FortiRecorder appliance or protected server. For more information, see “FortiRecorder configuration”.

    This option appears only if ID Type is Domain Name.

    Subject Information: E-mail

    Type the email address of the owner of the FortiRecorder appliance, such as admin@example.com.

    This option appears only if ID Type is E-Mail.

    Key type

    Displays the type of algorithm used to generate the key.

    This option cannot be changed, but appears in order to indicate that only RSA is currently supported.

    Key size

    Select a secure key size of 512 Bit, 1024 Bit, 1536 Bit or 2048 Bit. Larger keys are slower to generate, but provide better security.

    Optional Information: Organization unit

    Optional. Type the name of your organizational unit (OU), such as the name of your department.

    To enter more than one OU name, click the + icon, and enter each OU separately in each field.

    Optional Information: Organization

    Optional. Type the legal name of your organization.

    Optional Information: Locality (City)

    Optional. Type the name of the city or town where the FortiRecorder appliance is located.

    Optional Information: State/Province

    Optional. Type the name of the state or province where the FortiRecorder appliance is located.

    Optional Information: Country/Region

    Optional. Select the name of the country where the FortiRecorder appliance is located.

    Optional Information: E-mail

    Optional. Type an email address that may be used for contact purposes, such as admin@example.com.

  5. Select OK.

    The FortiRecorder appliance creates a private and public key pair. The generated request includes the public key of the FortiRecorder appliance and information such as the FortiRecorder appliance’s IP address, domain name, or email address. The FortiRecorder appliance’s private key remains confidential on the FortiRecorder appliance. The Status column of the entry is Pending.
  6. Click to select the row that corresponds to the certificate request.
  7. Select Download.

    Standard dialogs appear with buttons to save the file at a location you select. Your web browser downloads the certificate request (.csr) file. Time required varies by the size of the file and the speed of your network connection.
  8. Upload the certificate request to your CA.

    After you submit the request to a CA, the CA will verify the information in the certificate, give it a serial number, an expiration date, and sign it with the public key of the CA.
  9. If you are not using a commercial CA whose root certificate is already installed by default on web browsers, download your CA’s root certificate, then install it on all computers that will be connecting to your appliance. (If you do not install these, those computers may not trust your new certificate.)
  10. When you receive the signed certificate from the CA, upload the certificate to the FortiRecorder appliance (see “Uploading & selecting to use a certificate”).

Uploading & selecting to use a certificate

You can import (upload) either:

  • Base64-encoded
  • PKCS #12 RSA-encrypted

X.509 server certificates and private keys to the FortiRecorder appliance. The format of the certificate file that you have, and whether or not it includes the private key, may vary.

DSA-encrypted certificates are not supported if the FortiRecorder appliance is operating in a mode other than reverse proxy. See “Supported features per operation mode”.

If a server certificate is signed by an intermediate certificate authority (CA) rather than a root CA, before clients will trust the server certificate, you must demonstrate a link with root CAs that the clients trust, thereby proving that the server certificate is genuine. You can demonstrate this chain of trust either by:

  • Appending a signing chain in the server certificate.
  • Installing each intermediary CA’s certificate in clients’ trust store (list of trusted CAs).

Which method is best for you often depends on whether you have a convenient method for deploying CA certificates to clients, such as you may be able to for clients in an internal Microsoft Active Directory domain, and whether you often refresh the server certificate.

To append a signing chain in the certificate itself, before uploading the server certificate to the FortiRecorder appliance

  1. Open the certificate file in a plain text editor.
  2. Append the certificate of each intermediary CA in order from the intermediary CA who signed the local certificate to the intermediary CA whose certificate was signed directly by a trusted root CA.

    For example, an appliance’s certificate that includes a signing chain might use the following structure:
    -----BEGIN CERTIFICATE-----
    <server certificate>
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    <certificate of intermediate CA 1, who signed the server certificate>
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    <certificate of intermediate CA 2, who signed the certificate of intermediate CA 1 and whose certificate was signed by a trusted root CA>
    -----END CERTIFICATE-----

  3. Save the certificate.

To upload a certificate

  1. Go to System > Certificate > Local Certificate.
  2. Select Import and the desired certificate.
  3. Configure the following settings.
  4. Set each of the following (setting name, followed by its description):

    Type

    Select the type of certificate file to upload, either:

    • Local Certificate — An unencrypted certificate in PEM format.
    • Certificate — An unencrypted certificate in PEM format. The private key is in a separate file.
    • PKCS12 Certificate — A PKCS #12 encrypted certificate with private key.

    Other available settings vary depending on this selection.

    Certificate file

    Select Browse to locate the certificate file that you want to upload.

    This option is available only if Type is Certificate or Local Certificate.

    Key file

    Select Browse to locate the private key file that you want to upload with the certificate.

    This option is available only if Type is Certificate.

    Certificate with key file

    Select Browse to locate the PKCS #12 certificate-with-key file that you want to upload.

    This option is available only if Type is PKCS12 Certificate.

    Password

    Type the password that was used to encrypt the file, enabling the FortiRecorder appliance to decrypt and install the certificate.

    This option is available only if Type is Certificate or PKCS12 Certificate.

  5. Select OK.
  6. To use a certificate, click its row to select it, then select Set status to put it in force.
  7. If your web browser does not yet have your CA’s certificate installed, download it and add it to your web browser’s trust store so that it will be able to validate the appliance’s certificate (see “Uploading trusted CAs’ certificates”).

Uploading trusted CAs’ certificates

In order to authenticate other devices’ certificates, FortiRecorder has a store of trusted CAs’ certificates. Until you upload at least one CA certificate, FortiRecorder does not know and trust any CAs, it cannot validate any other client or device’s certificate, and all of those secure connections will fail.

Tooltip

FortiRecorder may require you to upload certificates and CRLs even if you do not use HTTPS. For example, when sending alert email via SMTPS, or querying an authentication server via LDAPS, FortiRecorder will validate the server’s certificate by comparing the server certificate’s CA signature with the certificates of CAs that are known and trusted by the FortiRecorder appliance.

Certificate authorities (CAs) validate and sign others’ certificates. When FortiRecorder needs to know whether a client or device’s certificate is genuine, it will examine the CA’s signature, comparing it with the copy of the CA’s certificate that you have uploaded in order to determine if they were both made using the same private key. If they were, the CA’s signature is genuine, and therefore the client or device’s certificate is legitimate.

If the signing CA is not known, that CA’s own certificate must likewise be signed by one or more other intermediary CAs, until both the FortiRecorder appliance and the client or device can demonstrate a signing chain that ultimately leads to a mutually trusted (shared “root”) CA that they have in common. Like a direct signature by a known CA, this proves that the certificate can be trusted. For more information on how to include a signing chain, see “Uploading & selecting to use a certificate”.

To upload a CA’s certificate

  1. Obtain a copy of your CA’s certificate file.

    If you are using a commercial CA, your web browser should already contain a copy in its CA trust store. Export a copy of the file to your desktop or other folder. If you are using your own private CA, download a copy from your CA’s server.

    Caution

    Verify that your private CA’s certificate does not contain its private keys. Disclosure of private keys compromises the security of your network, and will require you to revoke and regenerate all certificates signed by that CA.

  2. Go to System > Certificate > CA Certificate.
    To view the selected certificate’s issuer, subject, and range of dates within which the certificate is valid, click a certificate’s row to select it, then click View.
  3. Select Import.
  4. In Certificate name, type a name for the certificate that can be referenced by other parts of the configuration. Do not use spaces or special characters. The maximum length is 35 characters.
  5. Next to Certificate file, select the Browse button and select your CA’s certificate file.
  6. Select OK. Time required to upload the file varies by the size of the file and the speed of your network connection.
  7. To test your configuration, cause your appliance to initiate a secure connection to an LDAPS server (see “To configure an LDAP query” and “To configure an account”).

    If the query fails, verify that your CA is the same one that signed the LDAP server’s certificate, and that its certificate’s extensions indicate that the certificate can be used to sign other certificates. Verify that both the appliance and LDAP server support the same cipher suites and SSL/TLS protocols. Also verify that your routers and firewalls are configured to allow the connection.
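Before a bundle is uploaded, whether it is a server certificate with an appended signing chain (see “To append a signing chain in the certificate itself” above) or a CA certificate that must not carry its private key (see the Caution in step 1 above), a structural check catches the two common mistakes. The following Python is added here as an example and is not part of the FortiRecorder guide or product; it uses only the standard library. It splits the PEM file into blocks, checks that each body is valid base64 wrapping a single complete DER SEQUENCE, counts CERTIFICATE blocks, and flags any PRIVATE KEY block. The SAMPLE_* bundles are constructed placeholders (minimal DER objects, not real certificates or keys) so the script runs offline. It does not validate signatures or the subject/issuer ordering of the chain; that is left to the appliance or to OpenSSL.

```python
import base64
import re

# One PEM block: the label in the BEGIN line must match the END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def der_is_single_sequence(der: bytes) -> bool:
    """True if der is exactly one DER SEQUENCE (tag 0x30) with no trailing bytes."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short-form length
        header, length = 2, first
    else:                                  # long form: low 7 bits = number of length bytes
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)


def inspect_pem_bundle(text: str) -> dict:
    """Summarise the PEM blocks in a bundle without interpreting their contents."""
    labels, malformed = [], 0
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        labels.append(label)
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
            ok = der_is_single_sequence(der)
        except ValueError:                 # binascii.Error is a ValueError subclass
            ok = False
        malformed += not ok
    return {
        "labels": labels,
        "certificates": labels.count("CERTIFICATE"),
        "private_keys": sum("PRIVATE KEY" in label for label in labels),
        "malformed": malformed,
    }


def safe_for_trust_store(text: str):
    """(ok, reasons): ok only if the bundle holds well-formed certificates and nothing else."""
    info = inspect_pem_bundle(text)
    reasons = []
    if info["certificates"] == 0:
        reasons.append("no CERTIFICATE block found")
    if info["private_keys"]:
        reasons.append(f"{info['private_keys']} PRIVATE KEY block(s) present; never upload these")
    if info["malformed"]:
        reasons.append(f"{info['malformed']} block(s) are not valid base64/DER")
    other = [l for l in info["labels"] if l != "CERTIFICATE" and "PRIVATE KEY" not in l]
    if other:
        reasons.append("unexpected block types: " + ", ".join(other))
    return (not reasons, reasons)


def pem_block(label: str, der: bytes) -> str:
    """Wrap raw bytes as a PEM block (used here only to build the constructed samples)."""
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"


# Constructed placeholders: each payload is a minimal DER SEQUENCE { UTF8String },
# not a real certificate or key. The layout mirrors the chain structure shown
# earlier: server certificate first, then each intermediate CA in signing order.
SAMPLE_CHAIN = (pem_block("CERTIFICATE", b"\x30\x05\x0c\x03srv")
                + pem_block("CERTIFICATE", b"\x30\x05\x0c\x03ic1")
                + pem_block("CERTIFICATE", b"\x30\x05\x0c\x03ic2"))

# A CA export that mistakenly includes the CA's private key (constructed).
SAMPLE_LEAKY_CA = (pem_block("CERTIFICATE", b"\x30\x05\x0c\x03ca1")
                   + pem_block("RSA PRIVATE KEY", b"\x30\x03\x02\x01\x00"))

if __name__ == "__main__":
    for name, bundle in (("chain", SAMPLE_CHAIN), ("leaky CA", SAMPLE_LEAKY_CA)):
        ok, reasons = safe_for_trust_store(bundle)
        print(name, "OK" if ok else "REJECT: " + "; ".join(reasons))
```

Run against a real file with `safe_for_trust_store(open("bundle.pem").read())`; a rejected bundle should be fixed before it reaches the appliance, and a CA export that contains a PRIVATE KEY block should be treated as the disclosure the Caution above describes.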

Example: Downloading the CA’s certificate from Microsoft Windows 2003 Server

If you generated and signed your LDAP server’s certificate using Microsoft Certificate Services on Microsoft Windows 2003 or 2008 Server, you must download the CA’s certificate and provide it to the FortiRecorder appliance so that it will be able to verify the CA’s signature on the certificate.

To download a CA certificate from Microsoft Windows 2003 Server

  1. On your management computer, start your web browser.
  2. Go to:
    https://<ca-server_ipv4>/certsrv/
    where <ca-server_ipv4> is the IP address of your CA server.
  3. Log in as Administrator, since other accounts may not have sufficient privileges. The Microsoft Certificate Services home page for your server’s CA should appear:

  4. Select the Download CA certificate, certificate chain, or CRL link. The Download a CA Certificate, Certificate Chain, or CRL page appears:

  5. Select Base64 from Encoding Method.
  6. Select Download CA certificate.
  7. Select a location to save the CA's certificate file if prompted by your browser.

Revoking certificates

To ensure that your FortiRecorder appliance validates only certificates that have not been revoked, you should periodically upload a current certificate revocation list (CRL), which may be provided by certificate authorities (CA).

Note

Alternatively, you can use HTTP or online certificate status protocol (OCSP) to query for certificate status. For more information, see “Revoking certificates by OCSP query”.

To upload a CRL file

  1. Go to System > Certificate > Certificate Revocation List.
  2. Select Import.
  3. In Certificate name, type the name of the certificate as it will be referred to in the appliance’s configuration file.
  4. Next to Certificate file, click Browse, then select the certificate file.
  5. Select OK.

    The certificate is uploaded to the appliance. Time required varies by the size of the file and the speed of the network connection, but is typically only a few seconds.

Revoking certificates by OCSP query

Online certificate status protocol (OCSP) enables you to revoke or validate certificates by query, rather than by importing certificate revocation list (CRL) files. Since distributing and installing CRL files can be a considerable burden in large organizations, and because delay between the release and install of the CRL represents a vulnerability window, this can often be preferable.

To use OCSP queries, you must first install the certificates of trusted OCSP/CRL servers.

To view or upload a remote certificate

  1. From your OCSP/CRL server, download its server certificate.
  2. Go to System > Certificate > Remote.
  3. Select Import.
  4. In Certificate name, type the name of the certificate as it will be referred to in the appliance’s configuration file.
  5. Next to Certificate file, click Browse, then select the certificate file.
  6. Select OK.

    The certificate is uploaded to the appliance. Time required varies by the size of the file and the speed of the network connection, but is typically only a few seconds.

Working with Certificates

When a FortiRecorder appliance initiates or receives an SSL or TLS connection, it will use certificates. Certificates can be used in secure connections for encryption and authentication.

Tooltip

FortiRecorder may require you to upload certificates and CRLs even if you do not use HTTPS.

For example, when sending alert email via SMTPS, or querying an authentication server via LDAPS, FortiRecorder will validate the server’s certificate by comparing the server certificate’s CA signature with the certificates of CAs that are known and trusted by the FortiRecorder appliance. See “Uploading trusted CAs’ certificates” and “Revoking certificates”.

Supported cipher suites & protocol versions

How secure is an HTTPS connection?

A secure connection’s protocol version and cipher suite, including encryption bit strength and encryption algorithms, is negotiated between the client and the SSL terminator during the handshake. (When you connect to the web UI via HTTPS, your FortiRecorder appliance is the SSL terminator.) CS: Support may vary when acting as a client to the cameras, if HTTPS streams are ever supported. Because security settings must agree, the result depends both on the appliance and your web browser.

FortiRecorder supports:

SSL 2.0

  • RC4-MD5 — 40-bit & 128-bit


SSL 3.0

  • AES-SHA — 256-bit & 128-bit
  • CAMELLIA-SHA — 128-bit & 256-bit
  • DES-CBC3-SHA — 168-bit
  • DES-CBC-SHA — 40-bit & 56-bit
  • DHE-RSA-AES-SHA — 256-bit & 128-bit
  • DHE-RSA-CAMELLIA-SHA — 256-bit & 128-bit
  • DHE-RSA-SEED-SHA — 128-bit
  • EDH-RSA-DES-CBC3-SHA — 168-bit
  • EDH-RSA-DES-CBC-SHA — 40-bit & 56-bit
  • RC4-SHA — 128-bit
  • RC4-MD5 — 40-bit & 128-bit
  • SEED-SHA — 128-bit

TLS 1.0

  • AES-SHA — 256-bit & 128-bit
  • CAMELLIA-SHA — 128-bit & 256-bit
  • DES-CBC3-SHA — 168-bit
  • DES-CBC-SHA — 40-bit & 56-bit
  • DHE-RSA-AES-SHA — 256-bit & 128-bit
  • DHE-RSA-CAMELLIA-SHA — 256-bit & 128-bit
  • DHE-RSA-SEED-SHA — 128-bit
  • EDH-RSA-DES-CBC3-SHA — 168-bit
  • EDH-RSA-DES-CBC-SHA — 40-bit & 56-bit
  • RC4-SHA — 128-bit
  • RC4-MD5 — 40-bit & 128-bit
  • SEED-SHA — 128-bit

AES-256 or ECC, and SHA-1 are preferable. Generally speaking, for security reasons, avoid using:

  • SSL 2.0
  • TLS 1.0
  • Older hash algorithms, such as MD5. (On modern computers, these can be cracked quickly.)
  • Ciphers with known vulnerabilities, such as some implementations of RC4, AES and DES (e.g. To protect clients with incorrect CBC implementations for AES and DES, prioritize RC4.)
  • Encryption bit strengths less than 128
  • Older styles of re-negotiation (These are vulnerable to man-in-the-middle (MITM) attacks.)

Client-initiated re-negotiation

Replacing the default certificate for the web UI

For HTTPS connections with the web UI, FortiRecorder has its own X.509 server certificate. By default, the FortiRecorder appliance presents the “Factory” certificate, which can be used to encrypt the connection, but whose authenticity cannot be guaranteed and therefore may not be trusted by your web browser. This will cause your web browser to display a security alert, indicating that the connection may have been intercepted.

To prevent this false alarm, you can go to System > Certificate > Local Certificate to replace the certificate with one that is signed by your own CA so that it will be trusted. Thereafter, a security alert will only occur if:

  • the certificate expires
  • your CA revokes the certificate
  • the connection has been compromised by a man-in-the-middle attack

If you have not yet requested a certificate from your CA, and if it requires one, you must first generate a certificate signing request (see “Generating a certificate signing request”). Otherwise, start with “Uploading & selecting to use a certificate”.

The following is an overview of the certificate interface section:

Setting Name

Description

View

Select to view the selected certificate’s issuer, subject, and range of dates within which the certificate is valid CS: version number, serial number, and extensions.

Delete

Select to delete the selected certificate.

Generate

Select to generate a certificate signing request. For details, see “Generating a certificate signing request”.

Download

Select to download the selected certificate’s entry in certificate (.cer), PKCS #12 (.p12), or certificate signing request (.csr) file format. PKCS #12 is recommended if you require a certificate backup that includes the private key.

Certificate backups can also be made by downloading a configuration file backup, which includes all certificates and keys.

Set status

To configure your FortiRecorder appliance to use a certificate, click its row to select it, then click this button. A confirmation dialog will appear, asking if you want to use it as the “default” (currently in use) certificate. Click OK. The Status column will change to reflect the new status.

Import

Select to upload a certificate. For details, see “Uploading & selecting to use a certificate”.

Name

Displays the name of the certificate according to the appliance’s configuration file. This will not be visible to clients.

Subject

Displays the distinguished name (DN) located in the Subject: field of the certificate.

If the row contains a certificate request which has not yet been signed, this field is empty.

Status

Displays the status of the certificate.

  • Default — Indicates that this certificate will be used whenever a client attempts to connect to the appliance. Only one certificate can be in use at any given time.
  • OK — Indicates that the certificate was successfully imported. To use the certificate, select it, then use Set status to change its status.
  • Pending — Indicates that the certificate request (CSR) has been generated, but must be downloaded, signed, and imported before it can be used as a server certificate.

Generating a certificate signing request

Many commercial certificate authorities (CAs) will provide a web site where you can generate your own certificate signing request (CSR). A CSR is an unsigned certificate file that the CA will sign. When the CSR is generated, the associated private key that the appliance will use to sign and/or encrypt connections with clients is also generated.

If your CA does not provide this, or if you have your own private CA such as a Linux server with OpenSSL, you can use the appliance generate a CSR and private key. This CSR can then be submitted for verification and signing by the CA.

To generate a certificate request

  1. Go to System > Certificate > Local Certificate.
  2. Select Generate.
  3. Configure the certificate signing request:
  4. Setting Name

    Description

    Certification name

    Enter a unique name for the certificate request, such as fortirecorder.example.com. This can be the name of your appliance.

    Subject Information: ID Type

    Select the type of identifier to use in the certificate to identify the FortiRecorder appliance:

    • Host IP — Select if the FortiRecorder appliance has a static IP address and enter the public IP address of the FortiRecorder appliance in the IP field. If the FortiRecorder appliance does not have a public IP address, use E-Mail or Domain Name instead.
    • Domain Name — Select if the FortiRecorder appliance has a static IP address and subscribes to a dynamic DNS service. Enter the FQDN of the FortiRecorder appliance, such as fortirecorder.example.com, in the Domain Name field. Do not include the protocol specification (http://) or any port number or path names.
    • E-Mail — Select and enter the email address of the owner of the FortiRecorder appliance in the E-mail field. Use this if the appliance does not require either a static IP address or a domain name.

    The type you should select varies by whether or not your FortiRecorder appliance has a static IP address, a fully-qualified domain name (FQDN), and by the primary intended use of the certificate.

    For example, if your FortiRecorder appliance has both a static IP address and a domain name, but you will primarily use the local certificate for HTTPS connections to the web UI by the domain name of the FortiRecorder appliance, you might prefer to generate a certificate based upon the domain name of the FortiRecorder appliance, rather than its IP address.

    Subject Information: IP

    Type the static IP address of the FortiRecorder appliance, such as 10.0.0.1.

    The IP address should be the one that is visible to clients. Usually, this should be its public IP address on the Internet, or a virtual IP that you use NAT to map to the appliance’s IP address on your private network.

    This option appears only if ID Type is Host IP.

    Subject Information: Domain Name

    Type the fully qualified domain name (FQDN) of the FortiRecorder appliance, such as www.example.com.

    The domain name must resolve to the static IP address of the FortiRecorder appliance or protected server. For more information, see “FortiRecorder configuration”.

    This option appears only if ID Type is Domain Name.

    Subject Information: E-mail

    Type the email address of the owner of the FortiRecorder appliance, such as admin@example.com.

    This option appears only if ID Type is E-Mail.

    Key type

    Displays the type of algorithm used to generate the key.

    This option cannot be changed, but appears in order to indicate that only RSA is currently supported.

    Key size

    Select a secure key size of 512 Bit, 1024 Bit, 1536 Bit or 2048 Bit. Larger keys are slower to generate, but provide better security.

    Optional Information: Organization unit

    Optional. Type the name of your organizational unit (OU), such as the name of your department.

    To enter more than one OU name, click the + icon, and enter each OU separately in each field.

    Optional Information: Organization

    Optional. Type the legal name of your organization.

    Optional Information: Locality (City)

    Optional. Type the name of the city or town where the FortiRecorder appliance is located.

    Optional Information: State/Province

    Optional. Type the name of the state or province where the FortiRecorder appliance is located.

    Optional Information: Country/Region

    Optional. Select the name of the country where the FortiRecorder appliance is located.

    Optional Information: E-mail

    Optional. Type an email address that may be used for contact purposes, such as admin@example.com.

  5. Select OK.

    The FortiRecorder appliance creates a private and public key pair. The generated request includes the public key of the FortiRecorder appliance and information such as the FortiRecorder appliance’s IP address, domain name, or email address. The FortiRecorder appliance’s private key remains confidential on the FortiRecorder appliance. The Status column of the entry is Pending.
  6. Click to select the row that corresponds to the certificate request.
  7. Select Download.

    Standard dialogs appear with buttons to save the file at a location you select. Your web browser downloads the certificate request (.csr) file. Time required varies by the size of the file and the speed of your network connection.
  8. Upload the certificate request to your CA.

    After you submit the request to a CA, the CA will verify the information in the certificate, give it a serial number, an expiration date, and sign it with the public key of the CA.
  9. If you are not using a commercial CA whose root certificate is already installed by default on web browsers, download your CA’s root certificate, then install it on all computers that will be connecting to your appliance. (If you do not install these, those computers may not trust your new certificate.)
  10. When you receive the signed certificate from the CA, upload the certificate to the FortiRecorder appliance (see “Uploading & selecting to use a certificate”).
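The form above collects the same fields that a standard certificate signing request carries. The following shell script is an example added here, not FortiRecorder's own code: it reproduces that flow with the openssl command-line tool, generating an RSA key pair and a request whose common name carries the ID Type value (host IP, domain name or e-mail address) and whose remaining subject components come from the optional fields, then inspecting the request before it goes to a CA. The host names, addresses and organization names are constructed, and the check that treats keys shorter than 2048 bits as too weak for a new certificate is this example's own threshold, not a statement from the guide.

```shell
#!/bin/sh
# Added example (not FortiRecorder code): generate an RSA key pair and a CSR
# with the subject fields the form above collects, then check the request
# before sending it to a CA. Requires the openssl command-line tool.
# Every name and address below is constructed for the example.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# gen_csr BASENAME BITS CN [C] [ST] [L] [O] [OU] [EMAIL]
# CN carries the ID Type value: the host IP, the FQDN, or the owner's e-mail.
gen_csr() {
    base=$1; bits=$2; cn=$3
    c=${4:-}; st=${5:-}; loc=${6:-}; org=${7:-}; ou=${8:-}; email=${9:-}
    subj=""
    [ -n "$c" ]     && subj="$subj/C=$c"
    [ -n "$st" ]    && subj="$subj/ST=$st"
    [ -n "$loc" ]   && subj="$subj/L=$loc"
    [ -n "$org" ]   && subj="$subj/O=$org"
    [ -n "$ou" ]    && subj="$subj/OU=$ou"
    subj="$subj/CN=$cn"
    [ -n "$email" ] && subj="$subj/emailAddress=$email"
    # Key type is RSA, the only type the appliance offers; the private key
    # is written with owner-only permissions and never leaves this host.
    openssl genrsa -out "$WORK/$base.key" "$bits" 2>/dev/null
    chmod 600 "$WORK/$base.key"
    openssl req -new -key "$WORK/$base.key" -subj "$subj" -out "$WORK/$base.csr"
}

# csr_key_bits CSR -> prints the RSA modulus size embedded in the request
csr_key_bits() {
    openssl req -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# csr_is_strong CSR -> succeeds only for keys of at least 2048 bits.
# The appliance offers 512, 1024, 1536 and 2048 bits; treating anything under
# 2048 as too weak for a new certificate is this example's assumption.
csr_is_strong() {
    bits=$(csr_key_bits "$1")
    [ -n "$bits" ] && [ "$bits" -ge 2048 ]
}

# csr_subject_has CSR FIELD VALUE -> succeeds if the subject contains FIELD=VALUE
csr_subject_has() {
    openssl req -in "$1" -noout -subject | grep -Eq "$2 ?= ?$3"
}

# csr_selfsig_ok CSR -> the request's self-signature verifies, i.e. the embedded
# public key matches the private key that signed the request
csr_selfsig_ok() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Constructed inputs: an appliance request keyed by domain name with the
# optional fields filled in, and a legacy 1024-bit request keyed by host IP.
gen_csr appliance 2048 fortirecorder.example.com US California "San Jose" \
        "Example Corp" Security admin@example.com
gen_csr legacy 1024 10.0.0.1

csr_key_bits "$WORK/appliance.csr"
csr_is_strong "$WORK/legacy.csr" || echo "legacy.csr: key too small for a new certificate"
```

Running the script prints 2048 for the appliance request and flags the 1024-bit one. Only the .csr file is sent to the CA; the .key file stays on the host that generated it, which is the same property step 5 above describes for the appliance.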

Uploading & selecting to use a certificate

You can import (upload) either:

  • Base64-encoded
  • PKCS #12 RSA-encrypted

X.509 server certificates and private keys to the FortiRecorder appliance. The format of the certificate file that you have, and whether or not it includes the private key, may vary.

DSA-encrypted certificates are not supported if the FortiRecorder appliance is operating in a mode other than reverse proxy. See “Supported features per operation mode” on page 66.

If a server certificate is signed by an intermediate certificate authority (CA) rather than a root CA, before clients will trust the server certificate, you must demonstrate a link with root CAs that the clients trust, thereby proving that the server certificate is genuine. You can demonstrate this chain of trust either by:

  • Appending a signing chain in the server certificate.
  • Installing each intermediary CA’s certificate in clients’ trust store (list of trusted CAs).

Which method is best for you often depends on whether you have a convenient method for deploying CA certificates to clients, such as you may be able to for clients in an internal Microsoft Active Directory domain, and whether you often refresh the server certificate.

To append a signing chain in the certificate itself, before uploading the server certificate to the FortiRecorder appliance

  1. Open the certificate file in a plain text editor.
  2. Append the certificate of each intermediary CA in order from the intermediary CA who signed the local certificate to the intermediary CA whose certificate was signed directly by a trusted root CA.

    For example, an appliance’s certificate that includes a signing chain might use the following structure:

    -----BEGIN CERTIFICATE-----
    <server certificate>
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    <certificate of intermediate CA 1, who signed the server certificate>
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    <certificate of intermediate CA 2, who signed the certificate of intermediate CA 1 and whose certificate was signed by a trusted root CA>
    -----END CERTIFICATE-----

  3. Save the certificate.
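To see what the ordering above amounts to in practice, here is an added shell example (not FortiRecorder code) that uses openssl to create a disposable root CA, two intermediates and a server certificate, concatenates them in the documented order, and checks a bundle by confirming that each certificate's issuer is the subject of the certificate that follows it. The CA and host names are constructed.

```shell
#!/bin/sh
# Added example (not FortiRecorder code): build a throwaway hierarchy
# root -> intermediate CA 2 -> intermediate CA 1 -> server, assemble the
# bundle in the order the procedure above describes, and check that order
# before uploading. Requires the openssl command-line tool; names are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
# Extensions: CAs may sign certificates and CRLs; the server certificate may not.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:fortirecorder.example.com\n' > "$WORK/server.ext"

# issue NAME SUBJECT EXTFILE ISSUER -> key, CSR and certificate for NAME;
# an empty ISSUER means self-signed (the root)
issue() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
        -subj "$2" -out "$WORK/$1.csr" 2>/dev/null
    if [ -z "$4" ]; then
        openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
            -days 30 -extfile "$3" -out "$WORK/$1.pem" 2>/dev/null
    else
        openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$4.pem" -CAkey "$WORK/$4.key" \
            -CAcreateserial -days 30 -extfile "$3" -out "$WORK/$1.pem" 2>/dev/null
    fi
}

issue root   "/CN=Example Root CA"           "$WORK/ca.ext"     ""
issue int2   "/CN=Example Intermediate CA 2" "$WORK/ca.ext"     root
issue int1   "/CN=Example Intermediate CA 1" "$WORK/ca.ext"     int2
issue server "/CN=fortirecorder.example.com" "$WORK/server.ext" int1

# Documented order: server first, then the CA that signed it, then the CA above it.
# The root is left out on purpose: clients must already trust it.
cat "$WORK/server.pem" "$WORK/int1.pem" "$WORK/int2.pem" > "$WORK/chain.pem"
cat "$WORK/int2.pem" "$WORK/int1.pem" "$WORK/server.pem" > "$WORK/reversed.pem"

# split_pem BUNDLE OUTDIR -> one file per certificate, numbered in file order
split_pem() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert%02d.pem", dir, n); inside = 1 }
        inside { print > f }
        /-----END CERTIFICATE-----/ { inside = 0; close(f) }' "$1"
}

# dn FIELD CERT -> the subject or issuer DN without its "subject="/"issuer=" prefix
dn() { openssl x509 -in "$2" -noout "-$1" | sed 's/^[a-z]*=//'; }

# chain_order_ok BUNDLE -> succeeds if each certificate's issuer is the subject
# of the one that follows it, which is what the procedure above asks for
chain_order_ok() {
    d=$(mktemp -d)
    split_pem "$1" "$d"
    prev=""
    for f in "$d"/cert*.pem; do
        if [ -n "$prev" ] && [ "$(dn issuer "$prev")" != "$(dn subject "$f")" ]; then
            rm -rf "$d"
            return 1
        fi
        prev=$f
    done
    rm -rf "$d"
}

# chain_verifies ROOT BUNDLE SERVER -> the trusted root reaches SERVER through BUNDLE
chain_verifies() { openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1; }

chain_order_ok "$WORK/chain.pem"    && echo "chain.pem: server, then intermediates in signing order"
chain_order_ok "$WORK/reversed.pem" || echo "reversed.pem: out of order, fix before uploading"
```

openssl verify, used in chain_verifies, builds the path from whatever order the bundle is in and so accepts the reversed bundle as well; chain_order_ok is the check that catches the ordering mistake before upload, and the same split-and-compare works on a bundle exported from any other tool.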

To upload a certificate

  1. Go to System > Certificate > Local Certificate.
  2. Select Import and the desired certificate.
  3. Configure the following settings:

    Type

    Select the type of certificate file to upload, either:

    • Local Certificate — An unencrypted certificate in PEM format.
    • Certificate — An unencrypted certificate in PEM format. The private key is in a separate file.
    • PKCS12 Certificate — A PKCS #12 encrypted certificate with private key.

    Other available settings vary depending on this selection.

    Certificate file

    Select Browse to locate the certificate file that you want to upload.

    This option is available only if Type is Certificate or Local Certificate.

    Key file

    Select Browse to locate the private key file that you want to upload with the certificate.

    This option is available only if Type is Certificate.

    Certificate with key file

    Select Browse to locate the PKCS #12 certificate-with-key file that you want to upload.

    This option is available only if Type is PKCS12 Certificate.

    Password

    Type the password that was used to encrypt the file, enabling the FortiRecorder appliance to decrypt and install the certificate.

    This option is available only if Type is Certificate or PKCS12 Certificate.

  4. Select OK.
  5. To use a certificate, click its row to select it, then select Set status to put it in force.
  6. If your web browser does not yet have your CA’s certificate installed, download it and add it to your web browser’s trust store so that it will be able to validate the appliance’s certificate (see “Uploading trusted CAs’ certificates”).

Uploading trusted CAs’ certificates

In order to authenticate other devices’ certificates, FortiRecorder has a store of trusted CAs’ certificates. Until you upload at least one CA certificate, FortiRecorder does not know or trust any CAs; it cannot validate any other client or device’s certificate, and all of those secure connections will fail.

Tooltip

FortiRecorder may require you to upload certificates and CRLs even if you do not use HTTPS. For example, when sending alert email via SMTPS, or querying an authentication server via LDAPS, FortiRecorder will validate the server’s certificate by comparing the server certificate’s CA signature with the certificates of CAs that are known and trusted by the FortiRecorder appliance.

Certificate authorities (CAs) validate and sign others’ certificates. When FortiRecorder needs to know whether a client or device’s certificate is genuine, it will examine the CA’s signature, comparing it with the copy of the CA’s certificate that you have uploaded in order to determine if they were both made using the same private key. If they were, the CA’s signature is genuine, and therefore the client or device’s certificate is legitimate.

If the signing CA is not known, that CA’s own certificate must likewise be signed by one or more other intermediary CAs, until both the FortiRecorder appliance and the client or device can demonstrate a signing chain that ultimately leads to a mutually trusted (shared “root”) CA that they have in common. Like a direct signature by a known CA, this proves that the certificate can be trusted. For more information on how to include a signing chain, see “Uploading & selecting to use a certificate”.

To upload a CA’s certificate

  1. Obtain a copy of your CA’s certificate file.

    If you are using a commercial CA, your web browser should already contain a copy in its CA trust store. Export a copy of the file to your desktop or other folder. If you are using your own private CA, download a copy from your CA’s server.

    Caution

    Verify that your private CA’s certificate does not contain its private keys. Disclosure of private keys compromises the security of your network, and will require you to revoke and regenerate all certificates signed by that CA.

  2. Go to System > Certificate > CA Certificate.
    To view the selected certificate’s issuer, subject, and range of dates within which the certificate is valid, click a certificate’s row to select it, then click View.
  3. Select Import.
  4. In Certificate name, type a name for the certificate that can be referenced by other parts of the configuration. Do not use spaces or special characters. The maximum length is 35 characters.
  5. Next to Certificate file, select the Browse button and select your CA’s certificate file.
  6. Select OK. Time required to upload the file varies by the size of the file and the speed of your network connection.
  7. To test your configuration, cause your appliance to initiate a secure connection to an LDAPS server (see “To configure an LDAP query” and “To configure an account”).

    If the query fails, verify that your CA is the same one that signed the LDAP server’s certificate, and that its certificate’s extensions indicate that the certificate can be used to sign other certificates. Verify that both the appliance and LDAP server support the same cipher suites and SSL/TLS protocols. Also verify that your routers and firewalls are configured to allow the connection.

Example: Downloading the CA’s certificate from Microsoft Windows 2003 Server

If you generated and signed your LDAP server’s certificate using Microsoft Certificate Services on Microsoft Windows 2003 or 2008 Server, you must download the CA’s certificate and provide it to the FortiRecorder appliance so that it will be able to verify the CA signature on the certificate.

To download a CA certificate from Microsoft Windows 2003 Server

  1. On your management computer, start your web browser.
  2. Go to:
    https://<ca-server_ipv4>/certsrv/
    where <ca-server_ipv4> is the IP address of your CA server.
  3. Log in as Administrator, since other accounts may not have sufficient privileges. The Microsoft Certificate Services home page for your server’s CA should appear.
  4. Select the Download CA certificate, certificate chain, or CRL link. The Download a CA Certificate, Certificate Chain, or CRL page appears.

  5. Select Base64 from Encoding Method.
  6. Select Download CA certificate.
  7. Select a location to save the CA's certificate file if prompted by your browser.

Revoking certificates

To ensure that your FortiRecorder appliance validates only certificates that have not been revoked, you should periodically upload a current certificate revocation list (CRL), which may be provided by certificate authorities (CA).

Note

Alternatively, you can use HTTP or online certificate status protocol (OCSP) to query for certificate status. For more information, see “Revoking certificates by OCSP query”.

To upload a CRL file

  1. Go to System > Certificate > Certificate Revocation List.
  2. Select Import.
  3. In Certificate name, type the name of the certificate as it will be referred to in the appliance’s configuration file.
  4. Next to Certificate file, click Browse, then select the certificate file.
  5. Select OK.

    The certificate is uploaded to the appliance. Time required varies by the size of the file and the speed of the network connection, but is typically only a few seconds.
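As an added illustration (not FortiRecorder code) of what uploading a current CRL buys you, the shell script below uses openssl to stand up a disposable private CA, issue a certificate for an LDAP server, revoke it, publish a CRL, and then verify the certificate against the CRL from before and after the revocation, which is the same decision the appliance makes with a CRL you upload. The CA name, host name and file layout are constructed for the example.

```shell
#!/bin/sh
# Added example (not FortiRecorder code): a throwaway CA issues a server
# certificate, revokes it, publishes a CRL, and a verifier checks the
# certificate against that CRL. Requires the openssl command-line tool;
# every name here is constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
mkdir -p "$WORK/newcerts"
: > "$WORK/index.txt"            # openssl ca's certificate database, empty at start
echo 01 > "$WORK/serial"
echo 01 > "$WORK/crlnumber"

# Minimal configuration for "openssl ca"; absolute paths so it runs anywhere.
cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database         = $WORK/index.txt
new_certs_dir    = $WORK/newcerts
serial           = $WORK/serial
crlnumber        = $WORK/crlnumber
certificate      = $WORK/ca.pem
private_key      = $WORK/ca.key
default_md       = sha256
default_days     = 30
default_crl_days = 7
policy           = demo_policy
x509_extensions  = demo_ext
[ demo_policy ]
commonName       = supplied
[ demo_ext ]
basicConstraints = CA:FALSE
EOF

# Self-signed CA certificate with the extensions a CRL issuer needs (CA:TRUE, cRLSign).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -subj "/CN=Example Private CA" -out "$WORK/ca.csr" 2>/dev/null
openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 30 \
    -extfile "$WORK/ca.ext" -out "$WORK/ca.pem" 2>/dev/null

# Issue the LDAP server's certificate through "openssl ca" so it is recorded in the database.
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/ldap.key" \
    -subj "/CN=ldap.example.com" -out "$WORK/ldap.csr" 2>/dev/null
openssl ca -config "$WORK/ca.cnf" -batch -notext -in "$WORK/ldap.csr" -out "$WORK/ldap.pem" 2>/dev/null

# publish_crl OUT -> writes the CA's current CRL
publish_crl() { openssl ca -config "$WORK/ca.cnf" -gencrl -out "$1" 2>/dev/null; }

# revoke CERT -> marks the certificate revoked in the CA database
revoke() { openssl ca -config "$WORK/ca.cnf" -revoke "$1" 2>/dev/null; }

# cert_status CA CRL CERT -> prints good, revoked, or unknown (any other verify failure)
cert_status() {
    if out=$(openssl verify -crl_check -CAfile "$1" -CRLfile "$2" "$3" 2>&1); then
        echo good
    else
        case $out in
            *"certificate revoked"*) echo revoked ;;
            *) echo unknown ;;
        esac
    fi
}

publish_crl "$WORK/crl-before.pem"
cert_status "$WORK/ca.pem" "$WORK/crl-before.pem" "$WORK/ldap.pem"
revoke "$WORK/ldap.pem"
publish_crl "$WORK/crl-after.pem"
cert_status "$WORK/ca.pem" "$WORK/crl-after.pem" "$WORK/ldap.pem"
```

The two cert_status calls print good and then revoked. With -crl_check, verification also fails outright when no CRL for the issuer is available, which is the reason the guide asks for CRLs to be uploaded periodically: a missing or stale CRL is not the same as "not revoked".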

Revoking certificates by OCSP query

Online certificate status protocol (OCSP) enables you to revoke or validate certificates by query, rather than by importing certificate revocation list (CRL) files. Because distributing and installing CRL files can be a considerable burden in large organizations, and because the delay between the release of a CRL and its installation is a window of vulnerability, OCSP is often preferable.

To use OCSP queries, you must first install the certificates of trusted OCSP/CRL servers.

To view or upload a remote certificate

  1. From your OCSP/CRL server, download its server certificate.
  2. Go to System > Certificate > Remote.
  3. Select Import.
  4. In Certificate name, type the name of the certificate as it will be referred to in the appliance’s configuration file.
  5. Next to Certificate file, click Browse, then select the certificate file.
  6. Select OK.

    The certificate is uploaded to the appliance. Time required varies by the size of the file and the speed of the network connection, but is typically only a few seconds.