lestopace
Staff
April 11, 2022

Technical Tip : Generate and sign certificates using OpenSSL in Windows OS for VPN.

Description

This article describes how to generate and sign certificates using OpenSSL on Windows so that they can be used in the FortiGate SSL VPN and IPsec VPN configuration.

Scope

FortiGate.

Solution
  1. Create a CA with OpenSSL:


openssl req -new -x509 -days 3650 -keyout caprivatekey.pem -out cacertificate.pem


Note:

cacertificate.pem is the CA certificate (the public half of the key pair) and is the file that is imported into the FortiGate. caprivatekey.pem is the CA private key; it is only needed on the machine that signs requests and must not be uploaded anywhere.

 

  2. Generate a Certificate Request (CSR) on the FortiGate and download it.
  3. Sign the FortiGate certificate request with the CA:


openssl x509 -req -in VPNSSL.csr -CA cacertificate.pem -CAkey caprivatekey.pem -CAcreateserial -out VPNSSL.cer -days 3650 -sha256

 

  4. Import the signed certificate (VPNSSL.cer) into the FortiGate as a 'local certificate'. It can now be selected as the server certificate in the IPsec or SSL VPN configuration.

 

Note:

The certificates and private keys generated by these commands are written to the folder the commands were run from, which is normally the OpenSSL 'bin' folder (for example C:\Program Files\OpenSSL-Win64\bin).

 

  5. Create a user certificate, sign it with the CA and bundle it with its private key as a PKCS#12 file:


openssl req -new -nodes -out usercert.csr -keyout usercert.key


openssl x509 -req -in usercert.csr -CA cacertificate.pem -CAkey caprivatekey.pem -CAcreateserial -out usercert.cer -days 3650 -sha256


openssl pkcs12 -export -out usercert.pfx -inkey usercert.key -in usercert.cer

 

  6. Upload cacertificate.pem to the FortiGate as a CA certificate (it appears as CA_Cert_X) and bind that CA certificate to the PKI users. See:
Technical Note: Upload Certificate using PEM format
Technical Tip: How to import an SSL certificate as a local certificate

 

  7. Import usercert.pfx into the Personal store of the Windows Certificates management console (certmgr.msc) on the client PC.
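The whole flow (steps 1 to 7) as a non-interactive POSIX shell script, with the verification the article leaves out. This is an added example, not the article's own commands: it assumes openssl is on PATH, generates a local CSR in place of the one the FortiGate exports, and the hostname vpn.example.com and the export password are constructed placeholders.

```shell
set -e
WORK="${WORK:-$(mktemp -d)}"   # all files land here; on Windows this is the OpenSSL bin folder

# Step 1: self-signed CA, 10 years. -nodes leaves the key unencrypted for scripting;
# the article's interactive form prompts for a passphrase instead. Keep this key off the FortiGate.
make_ca() {
  openssl req -new -x509 -nodes -newkey rsa:2048 -sha256 -days 3650 \
    -subj "/CN=Example VPN CA" -keyout "$WORK/caprivatekey.pem" \
    -out "$WORK/cacertificate.pem" 2>/dev/null
}

# Step 2 stand-in: the real CSR is generated on, and downloaded from, the FortiGate.
make_csr() {  # $1 = basename, also used as CN
  openssl req -new -nodes -newkey rsa:2048 -sha256 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# Steps 3 and 5: sign with the CA. 'x509 -req' copies no extensions from the CSR,
# so SAN/EKU come from an ext file ($2); VPN clients expect a SAN on the server cert.
sign() {
  printf '%s\n' "$2" > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/cacertificate.pem" \
    -CAkey "$WORK/caprivatekey.pem" -CAcreateserial -days 3650 -sha256 \
    -extfile "$WORK/$1.ext" -out "$WORK/$1.cer" 2>/dev/null
}

# Step 5: bundle user cert + key for import into the Windows Personal store ($2 = export password).
make_pfx() {
  openssl pkcs12 -export -inkey "$WORK/$1.key" -in "$WORK/$1.cer" \
    -passout "pass:$2" -out "$WORK/$1.pfx"
}

# Checks before uploading: the chain verifies against the CA and the signature is SHA-256.
verify_cert() {
  openssl verify -CAfile "$WORK/cacertificate.pem" "$WORK/$1.cer" >/dev/null &&
    openssl x509 -in "$WORK/$1.cer" -noout -text | grep -q 'sha256WithRSAEncryption'
}

run_all() {
  make_ca
  make_csr VPNSSL
  sign VPNSSL "subjectAltName=DNS:vpn.example.com
extendedKeyUsage=serverAuth"
  make_csr usercert
  sign usercert "extendedKeyUsage=clientAuth"
  make_pfx usercert "constructed-export-password"
  verify_cert VPNSSL && verify_cert usercert
}
```

Run `run_all` and upload cacertificate.pem, VPNSSL.cer and usercert.pfx from "$WORK" exactly as in steps 4, 6 and 7.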