Description
This article describes how to generate a web server certificate for FortiManager or FortiAnalyzer using Windows PKI, and how to set the installed certificate as the server certificate on the FortiManager/FortiAnalyzer so that a trusted connection can be established.
Scope
FortiManager, FortiAnalyzer.
Solution
Generate a CSR for the Certificate Authority as follows:
 
A Subject Alternative Name (SAN) is a structured way to list all of the domain names and IP addresses that are secured by the certificate.
For Chrome 58 and later, only the subjectAlternativeName extension, not commonName, is used to match the domain name and site certificate.
Enter the Subject Alternative Name (SAN) domain names and IP addresses separated by commas, without spaces.
A name can be:
E-mail address.
IP address.
URI.
DNS name (alternatives to the Common Name).
Directory name (alternatives to the Distinguished Name).
Precede the name with the name type.
For example: DNS:fortinet.com,IP:1.1.1.1.
Select Download to get the CSR.
Extract the CSR and export it to the CS Certificate Authority.
Connect to the Certificate Authority.
Note: SHA-1 certificates are no longer supported by modern browsers (Chrome 56+, Firefox 51+, and later versions).
Using the SHA-1 signature algorithm may result in a complete loss of web GUI access.
Always use SHA-256 or stronger signature algorithms (SHA-384, SHA-512) when generating or importing certificates.
Select 'Request a certificate' and then 'advanced certificate request'.
Copy and paste the CSR and select Web Server as the Certificate Template, as follows:
Download the certificate.
Upload the generated certificate to FortiManager or FortiAnalyzer.
The status of the certificate is now OK, as follows:
It is possible to install the root CA certificate on the management station so that the web server certificate can be validated.
To download the CA certificate, navigate to the certsrv page and choose 'Download a CA certificate' and then 'Download CA certificate'.
Then use the imported Certificate in the FortiManager or FortiAnalyzer:
config system admin setting
    set admin_server_cert "FMG-Cert"
end
Or through the GUI under System Settings -> Settings -> Administration Settings -> HTTPS & web service certificate -> select the certificate created (in this scenario, 'FMG-Cert').
Once completed, import it into the CA repository.
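As an added example (not part of the original article and not Fortinet code), the Python check below validates a SAN field value against the rules in the CSR step above, and tests whether the host name or IP address that administrators type into the browser is covered by it, since the Common Name is no longer consulted. The function names parse_san and covers are hypothetical, and only the DNS and IP name types shown in the article are handled.

```python
import ipaddress
import re

# Constructed example: only the DNS and IP name types shown in the article
# are handled; any other name type is reported rather than guessed at.
LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def parse_san(field):
    """Return (entries, errors) for a SAN field such as 'DNS:fortinet.com,IP:1.1.1.1'."""
    entries, errors = [], []
    if any(ch.isspace() for ch in field):
        errors.append("whitespace found: separate entries with a comma only")
    for item in (part.strip() for part in field.split(",")):
        kind, sep, value = item.partition(":")
        if not sep or not value:
            errors.append(f"{item!r}: missing name type prefix")
        elif kind == "IP":
            try:
                entries.append(("IP", ipaddress.ip_address(value)))
            except ValueError:
                errors.append(f"{item!r}: not a valid IP address")
        elif kind == "DNS":
            labels = value.lower().split(".")
            rest = labels[1:] if labels[0] == "*" else labels
            if rest and all(LABEL.fullmatch(label) for label in rest):
                entries.append(("DNS", value.lower()))
            else:
                errors.append(f"{item!r}: not a valid DNS name")
        else:
            errors.append(f"{item!r}: name type not handled by this check")
    return entries, errors


def covers(entries, host):
    """True if the host typed into the browser matches a SAN entry (CN is ignored)."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        # An IP in the URL only matches an IP entry, never a DNS entry.
        return any(k == "IP" and v == addr for k, v in entries)
    host = host.lower().rstrip(".")
    for name in (v for k, v in entries if k == "DNS"):
        # A wildcard stands for exactly one leftmost label.
        if name == host or (name.startswith("*.") and host.partition(".")[2] == name[2:]):
            return True
    return False
```

Run parse_san on the value before generating the CSR, then call covers once for every address used to reach the GUI; a False result means the browser will reject the certificate for that address even though it chains to the trusted CA.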