Technical Tip: Sign FortiAuthenticator/FortiGate CSR on Windows PKI via command line

The CSR created on FortiAuthenticator or FortiGate, with the Third-party CA certificate signing option, can be signed by Windows PKI from the command line. This approach will always work and resolve the issue with Windows PKI GUI.

Windows CLI needs to be executed with admin privileges:

1. Export the CSR to certutil.csr file.
2. Copy the CSR to the Windows PKI server. For example, in C:\tmp\certutil\certutil.csr.
3. List all available certificate templates available on the PKI server from Windows CLI:

C:\Users\Administrator>certutil -CATemplates

4. Signing certutil.csr  request with WebSrv CATemplate:

C:\tmp\certutil>certreq -submit -attrib "CertificateTemplate:WebSrv" certutil.csr

Select the Certification Authority from the list.

Select 'OK'.

Save the Certificate and select Save.

Import signed.cer to FortiAuthenticator or FortiGate to merge it with CSR.