Somashekara_Hanumant
Staff & Editor
April 14, 2020

Technical Tip: How to sign a certificate with Subject Alternative Name (SAN)


Description


This article describes how to sign a certificate carrying a Subject Alternative Name (SAN) on FortiAuthenticator so that it can be used for the FortiGate admin GUI.

 

Scope

 

FortiAuthenticator.

Solution


Sign the local certificate on FortiAuthenticator, then assign it to the FortiGate admin interface.

A common setup has both a FortiGate and a FortiAuthenticator, with the FortiAuthenticator acting as the certificate authority: the CSR is signed on FortiAuthenticator, the signed certificate is imported to the FortiGate and assigned to the admin GUI, and the CA certificate is installed in the browser or operating system trust store. Even after all of that, opening the FortiGate admin GUI in Chrome can still show an 'Invalid Certificate' message.

This happens when the Subject Alternative Name (SAN) is missing or incorrect: modern browsers match the address in the URL against the SAN entries, not against the Common Name.

Configuration:
If the Certificates feature is not visible under System, enable it under System -> Feature Visibility -> Certificates and select 'Apply'.

Generating a CSR on FortiGate.


Important reminders when creating the CSR: fill in all required information. This example uses an IP address for GUI access, but a domain name can be used instead if the FortiGate is reached via FQDN/DNS.

 

(Screenshot: CSR.jpg, the CSR form on the FortiGate.)

 

 

For the Subject Alternative Name (SAN), make sure each entry uses the right prefix: DNS:Your-FQDN for an FQDN and IP:Your-IP for an IP address.

Separate multiple entries with a comma and a space. The final value should look like this: DNS:fgt.fortinet.com, IP:10.5.20.141. Afterwards, select 'OK'.

 

To ensure SAN values are included correctly on FortiManager and FortiAnalyzer as well, always use:

DNS:example.com for DNS names.

IP:x.x.x.x for IP addresses.

 

Once it is generated, the status shows as 'Pending'. Download the 'FortiGate_Admin.csr' file to have it signed by FortiAuthenticator.

Generating a CA certificate on FortiAuthenticator.

Once the FortiGate_FAC CA is created, export it.

Sign the 'FortiGate_Admin.csr' CSR on FortiAuthenticator under Certificate Authorities -> End Entities -> User -> Import.
 
 
Once it is signed, export 'FortiGate_Admin.cer' from Certificate Authorities -> End Entities -> User -> Export Certificate.

Import the 'FortiGate_Admin.cer' certificate on the FortiGate under System -> Certificates -> Import -> Local Certificate -> Upload and select 'FortiGate_Admin.cer'. The FortiGate matches the signed certificate to the private key it kept when the CSR was generated, so import it on the same unit that produced the CSR. If the certificate was generated correctly it imports without errors and its status changes to 'Active'.

Import 'FortiGate_FAC.ca' under System -> Certificates -> Import -> CA Certificate -> File, select 'FortiGate_FAC.ca' and import it.

Assign the signed certificate to the FortiGate admin interface under System -> Settings -> HTTPS server certificate: select 'FortiGate_Admin' and apply.

Install the 'FortiGate_FAC.ca' certificate on the end-user system under 'Trusted Root Certification Authorities'. Mozilla Firefox keeps its own certificate store, so the CA certificate has to be imported into Firefox manually.

Now browse to https://10.5.20.141: no certificate warning should appear.
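The same CSR -> sign -> import flow can be rehearsed and checked with OpenSSL before a certificate is put on a production FortiGate. The script below is an added example and is not from the article or from Fortinet: a throw-away CA named FortiGate_FAC stands in for FortiAuthenticator, the FQDN, IP address and file names are the ones used above, and the remaining DN values are made up. It assumes OpenSSL 1.1.0 or later on the PATH. It signs the article's CSR twice, once with the SAN carried over and once with the SAN dropped by the CA, and then checks each certificate the way a browser does once FortiGate_FAC.ca is trusted.

```shell
#!/bin/sh
# Added example, not from the Fortinet article: walk the CSR -> sign -> verify
# flow with OpenSSL so a signed certificate can be checked for the right SAN
# entries before it is assigned to the FortiGate admin interface.
# Assumptions: OpenSSL 1.1.0 or later on PATH; a throw-away CA named
# FortiGate_FAC stands in for FortiAuthenticator; the FQDN, IP and file names
# are the article's, every other value is made up for illustration.
set -eu

FQDN="fgt.fortinet.com"
IP="10.5.20.141"
WORK="$(mktemp -d)"
CA_CRT="$WORK/FortiGate_FAC.ca"
CA_KEY="$WORK/FortiGate_FAC.key"
CSR="$WORK/FortiGate_Admin.csr"

# Throw-away CA standing in for the FortiAuthenticator CA.
make_ca() {
  cat > "$WORK/ca.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = FortiGate_FAC
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$WORK/ca.cnf" -keyout "$CA_KEY" -out "$CA_CRT" 2>/dev/null
}

# CSR carrying the SAN string exactly as the article types it into the GUI.
make_csr() {
  cat > "$WORK/csr.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = csr_ext
[dn]
CN = $FQDN
O = Fortinet
[csr_ext]
subjectAltName = DNS:$FQDN, IP:$IP
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/csr.cnf" \
    -keyout "$WORK/FortiGate_Admin.key" -out "$CSR" 2>/dev/null
}

# Sign the CSR and print the certificate path.  $1 = keep (the CA carries the
# SAN into the certificate) or drop (the CA ignores the CSR's SAN: a certificate
# that imports fine on the FortiGate but has no usable SAN).
sign_csr() {
  out="$WORK/FortiGate_Admin.$1.cer"
  {
    echo "basicConstraints = CA:FALSE"
    echo "extendedKeyUsage = serverAuth"
    if [ "$1" = keep ]; then echo "subjectAltName = DNS:$FQDN, IP:$IP"; fi
  } > "$WORK/leaf.$1.cnf"
  openssl x509 -req -in "$CSR" -CA "$CA_CRT" -CAkey "$CA_KEY" -CAcreateserial \
    -days 365 -sha256 -extfile "$WORK/leaf.$1.cnf" -out "$out" 2>/dev/null
  echo "$out"
}

# What the signed certificate actually contains.
cert_text() { openssl x509 -in "$1" -noout -text; }
has_dns()   { cert_text "$1" | grep -q "DNS:$2"; }
has_ip()    { cert_text "$1" | grep -q "IP Address:$2"; }

# Chain and name validation against the CA, as a browser does once
# FortiGate_FAC.ca sits in its trusted root store.
chain_ok() { openssl verify -CAfile "$CA_CRT" "$1" >/dev/null 2>&1; }
host_ok()  { openssl verify -CAfile "$CA_CRT" -verify_hostname "$2" "$1" >/dev/null 2>&1; }
ip_ok()    { openssl verify -CAfile "$CA_CRT" -verify_ip "$2" "$1" >/dev/null 2>&1; }

yn() { if "$@"; then echo yes; else echo no; fi; }

run_demo() {
  make_ca
  make_csr
  for cert in "$(sign_csr keep)" "$(sign_csr drop)"; do
    echo "$(basename "$cert"): chain=$(yn chain_ok "$cert")" \
      "DNS SAN=$(yn has_dns "$cert" "$FQDN") IP SAN=$(yn has_ip "$cert" "$IP")" \
      "https://$FQDN=$(yn host_ok "$cert" "$FQDN") https://$IP=$(yn ip_ok "$cert" "$IP")"
  done
}

run_demo
```

Both certificates chain correctly and would import on the FortiGate with status 'Active'; only the one whose SAN survived signing passes the IP check for https://10.5.20.141, which is the article's failure case. Note that OpenSSL still falls back to the Common Name for DNS names when a certificate has no SAN at all, so the hostname column alone can look fine for the dropped-SAN certificate even though Chrome has not matched on the Common Name since version 58; the reliable check is that the expected DNS: and IP Address: entries appear in the certificate text.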

Alternatively, generate the CSR from the FortiGate CLI and then have it signed by FortiAuthenticator:

    execute vpn certificate [store] generate [encryption_method] [cert_name] [key_size] [CN] [Country] [State/Province] [Org] [City] [OU] [email] [SANs - optional]
 
 
(Screenshot: certificate details when the Subject Alternative Name is configured with a DNS entry.)
 
 

 

Related articles:

Technical Tip: Generate CSR via FortiGate CLI

Technical Tip: How to generate a web server certificate CSR for the FortiManager/FortiAnalyzer using Windows PKI