Working with certificates

Working with certificates

When a FortiRecorder appliance initiates or receives an TLS connection, it will use certificates. Certificates can be used in secure connections with encryption and authentication.

FortiRecorder may require you to upload certificates and CRLs even if you do not use HTTPS. For example, when sending alert email via SMTPS, or querying an authentication server via LDAPS, FortiRecorder will validate the server's certificate by comparing the server certificate's CA signature with the certificates of CAs that are known and trusted by the FortiRecorder appliance. See Uploading trusted CAs' certificates and Revoking certificates.

Replacing the default certificate for the GUI

For HTTPS connections with the GUI and other TLS-secured services, FortiRecorder has its own X.509 server certificate. By default, the FortiRecorder appliance presents the "Factory" certificate, which can be used to encrypt the connection, but whose authenticity cannot be guaranteed and therefore may not be trusted by your web browser. This will cause your web browser to display a security alert, indicating that the connection may have been intercepted.

To prevent this false alarm, you can go to System > Certificate > Local Certificate to replace the certificate with one that is signed by your own CA so that it will be trusted. Thereafter, a security alert will only occur if:

• the certificate expires
• your CA revokes the certificate
• the connection has been compromised by a man-in-the-middle attack

If you have not yet requested a certificate from your CA, and if it requires one, you must first generate a certificate signing request (see Generating a certificate signing request). Otherwise, start with Uploading & selecting to use a certificate.

GUI Item	Description
View	Select to view the selected certificate's issuer, subject, and range of dates within which the certificate is valid
Delete	Select to delete the selected certificate.
Generate	Select to generate a certificate signing request. For details, see Generating a certificate signing request.
Download	Select to download the selected certificate's entry in certificate (CER), PKCS #12 (P12), or certificate signing request (CSR) file format. PKCS #12 is recommended if you require a certificate backup that includes the private key. Certificate backups can also be made by downloading a configuration file backup, which includes all certificates and keys.
Set status	To configure your FortiRecorder appliance to use a certificate, click its row to select it, then click this button. A confirmation dialog will appear, asking if you want to use it as the "default" (currently in use) certificate. Click OK. The Status column will change to reflect the new status.
Import	Select to upload a certificate. For details, see Uploading & selecting to use a certificate .
Name	Displays the name of the certificate according to the appliance's configuration file. This will not be visible to clients.
Subject	Displays the distinguished name (DN) located in the Subject: field of the certificate. If the row contains a certificate request which has not yet been signed, this field is empty.
Status	Displays the status of the certificate. Default — Indicates that this certificate will be used whenever a client attempts to connect to the appliance. Only one certificate can be in use at any given time. OK — Indicates that the certificate was successfully imported. To use the certificate, select it, then use Set status to change its status. Pending — Indicates that the certificate request (CSR) has been generated, but must be downloaded, signed, and imported before it can be used as a server certificate.

Generating a certificate signing request

Many commercial certificate authorities (CAs) will provide a web site where you can generate your own certificate signing request (CSR). A CSR is an unsigned certificate file that the CA will sign. When the CSR is generated, the associated private key that the appliance will use to sign and/or encrypt connections with clients is also generated.

If your CA does not provide this, or if you have your own private CA such as a Linux server with OpenSSL, or Microsoft Active Directory, you can use the appliance generate a CSR and private key. This CSR can then be submitted for verification and signing by the CA.

To generate a certificate request

1. Go to System > Certificate > Local Certificate.
2. Select Generate.

3. Configure the certificate signing request:

   Setting Name	Description
   Certification name	Enter a unique name for the certificate request, such as fortirecorder.example.com. This can be the name of your appliance.
   Subject Information: ID Type	Select the type of identifier to use in the certificate to identify the FortiRecorder appliance: Host IP — Select if the FortiRecorder appliance has a static IP address and enter the public IP address of the FortiRecorder appliance in the IP field. If the FortiRecorder appliance does not have a public IP address, use E-Mail or Domain Name instead. Domain Name — Select if the FortiRecorder appliance has a static IP address and subscribes to a dynamic DNS service. Enter the FQDN of the FortiRecorder appliance, such as fortirecorder.example.com, in the Domain Name field. Do not include the protocol specification (https://) or any port number or path names. E-Mail — Select and enter the email address of the owner of the FortiRecorder appliance in the E-mail field. Use this if the appliance does not require either a static IP address or a domain name. The type you should select varies by whether or not your FortiRecorder appliance has a static IP address, a fully-qualified domain name (FQDN), and by the primary intended use of the certificate. For example, if your FortiRecorder appliance has both a static IP address and a domain name, but you will primarily use the local certificate for HTTPS connections to the GUI by the domain name of the FortiRecorder appliance, you might prefer to generate a certificate based upon the domain name of the FortiRecorder appliance, rather than its IP address.
   Subject Information: IP	Type the static IP address of the FortiRecorder appliance, such as 10.0.0.1. The IP address should be the one that is visible to clients. Usually, this should be its public IP address on the Internet, or a virtual IP that you use NAT to map to the appliance's IP address on your private network. This option appears only if ID Type is Host IP.
   Subject Information: Domain Name	Type the fully qualified domain name (FQDN) of the FortiRecorder appliance, such as www.example.com. The domain name must resolve to the static IP address of the FortiRecorder appliance. See also Configuring network interfaces . This option appears only if ID Type is Domain Name.
   Subject Information: E-mail	Type the email address of the owner of the FortiRecorder appliance, such as admin@example.com. This option appears only if ID Type is E-Mail.
   Key type	Displays the type of algorithm used to generate the key. This option cannot be changed, but appears in order to indicate that only RSA is currently supported.
   Key size	Select a secure key size of 512 Bit, 1024 Bit, 1536 Bit or 2048 Bit. Larger keys are slower to generate, but provide better security.
   Optional Information: Organization unit	Optional. Type the name of your organizational unit (OU), such as the name of your department. To enter more than one OU name, click the + icon, and enter each OU separately in each field.
   Optional Information: Organization	Optional. Type the legal name of your organization.
   Optional Information: Locality (City)	Optional. Type the name of the city or town where the FortiRecorder appliance is located.
   Optional Information: State/Province	Optional. Type the name of the state or province where the FortiRecorder appliance is located.
   Optional Information: Country/Region	Optional. Select the name of the country where the FortiRecorder appliance is located.
   Optional Information: E-mail	Optional. Type an email address that may be used for contact purposes, such as admin@example.com.

4. Click OK.

   The FortiRecorder appliance creates a private and public key pair. The generated request includes the public key of the FortiRecorder appliance and information such as the FortiRecorder appliance's IP address, domain name, or email address. The FortiRecorder appliance's private key remains confidential on the FortiRecorder appliance. The Status column of the entry is Pending.

5. Click to select the row that corresponds to the certificate request.

6. Click Download.

   Standard dialogs appear with buttons to save the file at a location you select. Your web browser downloads the certificate request (CSR) file. Time required varies by the size of the file and the speed of your network connection.

7. Upload the certificate request to your CA.

   After you submit the request to a CA, the CA will verify the information in the certificate, give it a serial number, an expiration date, and sign it with the public key of the CA.

8. If you are not using a commercial CA whose root certificate is already installed by default on web browsers, download your CA's root certificate, then install it on all computers that will be connecting to your appliance. (If you do not install these, those computers may not trust your new certificate.)

9. When you receive the signed certificate from the CA, upload the certificate to the FortiRecorder appliance (see Uploading & selecting to use a certificate).

Uploading & selecting to use a certificate

You can import (upload) either:

• Base64-encoded
• PKCS #12 RSA-encrypted

X.509 server certificates and private keys to the FortiRecorder appliance. The format of the certificate file that you have, and whether or not it includes the private key, may vary.

If a server certificate is signed by an intermediate certificate authority (CA) rather than a root CA, before clients will trust the server certificate, you must demonstrate a link with root CAs that the clients trust, thereby proving that the server certificate is genuine. You can demonstrate this chain of trust either by:

• Appending a signing chain in the server certificate.
• Installing each intermediary CA's certificate in clients' trust store (list of trusted CAs).

Which method is best for you often depends on whether you have a convenient method for deploying CA certificates to clients, such as you may be able to for clients in an internal Microsoft Active Directory domain, and whether you often refresh the server certificate.

To append a signing chain in the certificate itself, before uploading the server certificate to the FortiRecorder appliance

1. Open the certificate file in a plain text editor.

2. Append the certificate of each intermediary CA in order from the intermediary CA who signed the local certificate to the intermediary CA whose certificate was signed directly by a trusted root CA.

   For example, an appliance's certificate that includes a signing chain might use the following structure:

   -----BEGIN CERTIFICATE-----

   <server certificate>

   -----END CERTIFICATE-----

   -----BEGIN CERTIFICATE-----

   <certificate of intermediate CA 1, who signed the server certificate>

   -----END CERTIFICATE-----

   -----BEGIN CERTIFICATE-----

   <certificate of intermediate CA 2, who signed the certificate of intermediate CA 1 and whose certificate was signed by a trusted root CA>

   -----END CERTIFICATE-----

3. Save the certificate.

To upload a certificate

1. Go to System > Certificate > Local Certificate.

2. Click Import.

3. Configure the following settings:

   Setting Name	Description
   Type	Select the type of certificate file to upload, either: Local Certificate — An unencrypted certificate in PEM format. Certificate — An unencrypted certificate in PEM format. The private key is in a separate file. PKCS12 Certificate — A PKCS #12 encrypted certificate with private key. Other available settings vary depending on this selection.
   Certificate file	Click Browse to locate the certificate file that you want to upload. This option is available only if Type is Certificate or Local Certificate.
   Key file	Click Browse to locate the private key file that you want to upload with the certificate. This option is available only if Type is Certificate.
   Certificate with key file	Click Browse to locate the PKCS #12 certificate-with-key file that you want to upload. This option is available only if Type is PKCS12 Certificate.
   Password	Type the password that was used to encrypt the file, enabling the FortiRecorder appliance to decrypt and install the certificate. This option is available only if Type is Certificate or PKCS12 Certificate.

4. Click OK.
5. To use a certificate, click its row to select it, then select Set status to put it in force.
6. If your web browser does not yet have your CA's certificate installed, download it and add it to your web browser's trust store so that it will be able to validate the appliance's certificate (see Uploading trusted CAs' certificates).

Uploading trusted CAs' certificates

In order to authenticate other devices' certificates, FortiRecorder has a store of trusted CAs' certificates. Until you upload at least one CA certificate, FortiRecorder does not know and trust any CAs, it cannot validate any other client or device's certificate, and all of those secure connections will fail.

FortiRecorder may require you to upload certificates and CRLs even if you do not use HTTPS. For example, when sending alert email via SMTPS, or querying an authentication server via LDAPS, FortiRecorder will validate the server's certificate by comparing the server certificate's CA signature with the certificates of CAs that are known and trusted by the FortiRecorder appliance.

Certificate authorities (CAs) validate and sign others' certificates. When FortiRecorder needs to know whether a client or device's certificate is genuine, it will examine the CA's signature, comparing it with the copy of the CA's certificate that you have uploaded in order to determine if they were both made using the same private key. If they were, the CA's signature is genuine, and therefore the client or device's certificate is legitimate.

If the signing CA is not known, that CA's own certificate must also be signed by one or more other intermediary CAs, until both the FortiRecorder appliance and the client or device can demonstrate a signing chain that ultimately leads to a mutually trusted (shared "root") CA that they have in common. Like a direct signature by a known CA, this proves that the certificate can be trusted. For more information on how to include a signing chain, see Uploading & selecting to use a certificate.

To upload a CA's certificate

1. Download a copy of your CA's certificate file.

   If you are using a commercial CA, your web browser should already have a copy in its CA trust store. Export a copy of the file to your desktop or other folder. If you are using your own private CA, download a copy from your CA's server.

   Verify that your private CA's certificate does not contain its private keys. Disclosure of private keys compromises the security of your network, and will require you to revoke and regenerate all certificates signed by that CA.

2. Go to System > Certificate > CA Certificate.

   To view the selected certificate's issuer, subject, and range of dates within which the certificate is valid, click a certificate's row to select it, then click View.

3. Click Import.
4. In Certificate name, type a name for the certificate that can be referenced by other parts of the configuration. Do not use spaces or special characters. The maximum length is 35 characters.
5. Click Browse and select your CA's certificate file.

6. Click OK.

   Time required to upload the file varies by the size of the file and the speed of your network connection.

7. To test your configuration, initiate a secure connection to an LDAPS server (see Configuring LDAP authentication and Configuring user and administrator accounts ).

   If the query fails, verify that your CA is the same one that signed the LDAP server's certificate, and that its certificate's extensions indicate that the certificate can be used to sign other certificates. Verify that both the appliance and LDAP server support the same cipher suites and SSL/TLS protocols. Also verify that your routers and firewalls are configured to allow the connection.

Revoking certificates

To ensure that your FortiRecorder appliance validates only certificates that have not been revoked, you should periodically upload a current certificate revocation list (CRL), which can be provided by certificate authorities (CA).

Alternatively, you can use HTTP or online certificate status protocol (OCSP) to query for certificate status. For more information, see Revoking certificates by OCSP query.

To upload a CRL file

1. Go to System > Certificate > Certificate Revocation List.
2. Click Import.
3. In Certificate name, type the name of the certificate as it will be referred to in the appliance's configuration file.
4. Next to Certificate file, click Browse, then select the certificate file.

5. Click OK.

   The certificate is uploaded to the appliance. Time required varies by the size of the file and the speed of the network connection, but is typically only a few seconds.

Revoking certificates by OCSP query

Online certificate status protocol (OCSP) enables you to revoke or validate certificates by query, rather than by importing certificate revocation list (CRL) files. Since distributing and installing CRL files can be a considerable burden in large organizations, and because delay between the release and install of the CRL represents a vulnerability window, this can often be preferable.

To use OCSP queries, you must first install the certificates of trusted OCSP/CRL servers.

To view or upload a remote certificate

1. Download the server certificate from your OCSP/CRL server.
2. Go to System > Certificate > Remote.
3. Click Import.
4. In Certificate name, type the name of the certificate as it will be referred to in the appliance's configuration file.
5. Click Browse and then select the certificate file.

6. Click OK.

   The certificate is uploaded to the appliance. Time required varies by the size of the file and the speed of the network connection, but is typically only a few seconds.