7.2.0

Step 2: Obtain a Valid SSL Certificate

A Certificate Signing Request (CSR) is generated and submitted to the Certificate Authority (CA); examples are GoDaddy, DigiCert and GlobalSign. Depending upon the type of certificate, the CSR may be generated in FortiNAC or from another source. The CA then issues the certificates based on the CSR.

Note: FortiNAC does not have the ability to issue certificates.

If a certificate has already been generated, skip this step and proceed to section Upload the Certificate Received from the CA.

To generate a CSR:

  1. Navigate to System > Certificate Management.

  2. Click Generate CSR.

  3. Select the certificate target for which to generate the CSR. This is the same target on which the resulting certificate files will be installed.

    Certificate Target

    Admin UI: Generates CSR for the Administration User Interface.

    Local RADIUS Server (EAP): For use when FortiNAC is acting as the 802.1x EAP termination point. For details see Local RADIUS Server.

    Persistent Agent: Generates CSR for Communications between FortiNAC and the Persistent Agent.

    Portal: Generates a CSR to secure the Captive Portal and Dissolvable Agent communications.

    RADIUS Endpoint Trust: Endpoint Trust Certificate used by FortiNAC to validate the client-side certificate when Local RADIUS Server is configured and EAP-TLS is used for authentication. For details see section Local RADIUS Server of the Administration Guide in the Fortinet Document Library.

  4. Enter the Common Name (Fully-Qualified Host Name). This is the Host Name to be secured by the certificate. If generating a wildcard CSR, enter the desired domain specifying the wildcard in the Common Name Field (e.g. *.Fortinetnetworks.com).

  5. Whether you are securing a single name or multiple names, enter the Common Name in the Subject Alternative Name (SAN) list along with any other SANs. Some browsers check only the SAN list and no longer check the CN for name comparison.

  6. Enter the remaining information for the certificate in the dialog box.

  7. Click OK to generate the CSR.

    Note: The Private Key that corresponds with the CSR is stored on the appliance. Once the SSL Certificate is uploaded, to view the Private Key, click the Details button and select the Private Key tab.

  8. Copy ALL the text, including the “-----BEGIN CERTIFICATE REQUEST-----” and “-----END CERTIFICATE REQUEST-----” lines.

  9. Paste it into a text file, and save the file with a .txt extension. Note the location of this file on your PC.

    Important: Make sure there are no spaces, characters or carriage returns added to the Certificate Request.

  10. Click Close to exit the "Certificate Generated" screen.

  11. Send the Certificate Request file to the CA to request a Valid SSL Certificate. Note the following before submitting:

    • Acceptable certificate formats: PEM, PKCS#7/P7B

    • Required format when installing certificates via CLI*: PEM

    • Local domain certificates: Use Web Service template

    • Public certificates: Use Apache Mod or similar

    • Agent versions prior to 3.1.5 are not compatible with SHA2. Contact Support to verify the appropriate SHA version based on the current deployment.

    • Do not generate a new CSR for the same target after submitting the request to the CA. Generating more than one certificate request for a single target overwrites the previous private key stored in the temporary location with a new private key. Certificates obtained using the initial certificate request would then be invalid, as the private key no longer matches.

*If conversion is required, see Appendix section SSL File Conversion Tool Chart.
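
A pre-submission check for steps 8 and 9, as an added example that is not part of the Fortinet documentation: it flags carriage returns, added spaces, altered BEGIN/END lines and a truncated body in a pasted CSR file. The function names are hypothetical, and the sample input is a constructed stand-in, not a real signed CSR.

```python
import base64
import binascii

BEGIN = "-----BEGIN CERTIFICATE REQUEST-----"
END = "-----END CERTIFICATE REQUEST-----"


def der_sequence_is_complete(der: bytes) -> bool:
    """True if der is exactly one ASN.1 SEQUENCE whose declared length matches."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        header, length = 2, first
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)


def check_csr_text(text: str) -> list:
    """Return the problems found in a pasted CSR; an empty list means intact."""
    problems = []
    if "\r" in text:
        problems.append("carriage return present")
    lines = text.replace("\r", "").split("\n")
    if lines and lines[-1] == "":
        lines.pop()                       # a single final newline is allowed
    if any(line != line.strip() or line == "" for line in lines):
        problems.append("added spaces or blank lines")
    lines = [line.strip() for line in lines if line.strip()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        problems.append("BEGIN/END lines missing or altered")
        return problems
    try:
        der = base64.b64decode("".join(lines[1:-1]), validate=True)
    except (binascii.Error, ValueError):
        problems.append("body is not valid base64")
        return problems
    if not der_sequence_is_complete(der):
        problems.append("body truncated or has extra data")
    return problems


def constructed_sample() -> str:
    # Constructed stand-in: a 260-byte DER SEQUENCE, not a real signed CSR.
    body = base64.b64encode(b"\x30\x82\x01\x00" + bytes(256)).decode()
    rows = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join([BEGIN, *rows, END]) + "\n"
```

The check covers copy-and-paste damage only; it does not verify the CSR signature or its subject names.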
