pbangari
Staff
May 12, 2022

Technical Tip: How to generate a self-signed server certificate using the new certificate wizard of v7.0.2

Description

 

This article describes how, as of FortiOS v7.0.2, the certificate wizard helps to generate local certificates using the self-signed Fortinet_CA_SSL CA certificate.

 

Scope

 

This helps to fix the certificate errors for HTTPS or GUI access to FortiGate or for the SSL-VPN portal.

 

Note: FortiGate can generate a certificate using our self-signed CA: Fortinet_CA_SSL.

Using a server certificate from a trusted CA is strongly recommended.

 

Solution

 

The steps below generate the certificate and select it as the HTTPS server certificate under system settings:

 

Go to: System -> Certificates -> Create/Import -> Certificate.

 


 

Under 'Generate New Certificate', select 'Generate Certificate'.

 


 

Certificate authority          : Fortinet_CA_SSL  (pre-populated)

Certificate name               : mycert (can be of your choice)

Common name                    : 10.40.19.77 (The common name should match the FQDN or IP of the interface)

SAN (Subject Alternative Name) : 10.40.19.77  (FQDN or IP of the interface)

 

To avoid certificate warnings on the end-user machine, download the Fortinet_CA_SSL CA certificate and install it on that machine.

 


 

Select 'Create'. The certificate 'mycert' then appears under 'Local Certificate'.

Select 'mycert' under System -> Settings -> Administration Settings -> HTTPS server certificate.

 

Download the Fortinet_CA_SSL CA certificate and install it on the user machine’s certificate store and browser as Trusted Root CA.

When the user then accesses the FortiGate, the 'Not secure' certificate error should no longer appear.
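The trust decision the browser makes after these steps can be reproduced offline with openssl. This is an added example, not Fortinet code or FortiGate output: it builds a constructed lab CA (`lab-ca`, standing in for Fortinet_CA_SSL) and a certificate with the article's common name and SAN, and the function and file names are assumptions.

```shell
#!/bin/sh
# Added example: constructed lab PKI, not FortiGate output or Fortinet code.
# lab-ca stands in for Fortinet_CA_SSL; leaf.pem mirrors 'mycert' from the steps above.

make_lab_pki() {  # $1 = output directory
    d=$1; mkdir -p "$d" || return 1
    # Minimal config so the result does not depend on the system openssl.cnf
    cat > "$d/lab.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    # lab-ca is the CA the client imports; other-ca models a client that never imported it
    for ca in lab other; do
        openssl req -x509 -config "$d/lab.cnf" -newkey rsa:2048 -nodes -days 30 \
            -subj "/CN=${ca}-ca" -keyout "$d/$ca.key" -out "$d/$ca.pem" 2>/dev/null || return 1
    done
    # Server certificate: common name and SAN both carry the interface IP
    openssl req -new -config "$d/lab.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=10.40.19.77" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || return 1
    printf 'subjectAltName = IP:10.40.19.77\n' > "$d/san.ext"
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/lab.pem" -CAkey "$d/lab.key" \
        -CAcreateserial -days 30 -extfile "$d/san.ext" -out "$d/leaf.pem" 2>/dev/null
}

# check_cert CA_FILE CERT_FILE IP: succeeds only if CERT chains to CA and IP is in its SAN
check_cert() {
    openssl verify -CAfile "$1" -verify_ip "$3" "$2" >/dev/null 2>&1
}

lab=$(mktemp -d)
make_lab_pki "$lab" || { echo "openssl failed" >&2; exit 1; }
check_cert "$lab/lab.pem" "$lab/leaf.pem" 10.40.19.77 && echo "CA imported, SAN matches: accepted"
check_cert "$lab/lab.pem" "$lab/leaf.pem" 10.40.19.78 || echo "address not in SAN: rejected"
check_cert "$lab/other.pem" "$lab/leaf.pem" 10.40.19.77 || echo "CA not imported: rejected"
rm -rf "$lab"
```

The same `check_cert` call works with the downloaded Fortinet_CA_SSL file and a PEM copy of the certificate the FortiGate presents.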

 
