Technical Tip: How to configure FortiManager SD-WAN Certificates for usage with FortiSASE SPA tunnel
- August 21, 2025
Description
This article describes a workaround process for generating certificates using FortiManager's CA certificates that can be used for IPsec certificate authentication on FortiSASE. This is useful for cases where FortiSASE is connecting via Secure Private Access (SPA) to an existing ADVPN tunnel that uses certificate-authentication managed by FortiManager.
Scope
FortiManager, FortiSASE.
Solution
Organizations using FortiManager for SD-WAN deployments often utilize FortiManager to generate and manage certificates used for authentication to IPsec/ADVPN (as opposed to using pre-shared keys). For example, FortiManager v7.6 supports the option to integrate Signature-based authentication into SD-WAN Overlay Templates, so having certificates centrally managed via FortiManager can be useful for streamlining deployments (see: FortiManager 7.6 New Features - Certificate/Certificate Template integrated to the SD-WAN Overlay Template).
However, a problem can occur when attempting to integrate FortiSASE into an existing SD-WAN/ADVPN network that uses certificate-authentication, as FortiManager does not natively support generating and uploading certificates directly to FortiSASE (work is ongoing to enhance FortiSASE-FortiManager integrations).
To work around this, administrators must manually extract the Certificate Authority (CA) certificate and private key from FortiManager and then externally generate/sign certificates for usage with FortiSASE. The following steps detail the procedure for doing this:
Extracting the root CA and private key from FortiManager
- Access the FortiManager CLI, either via the GUI-based Web CLI (using the '>_' symbol in the top-right corner) or via SSH.
- Run the following command, adjusting the parameters as required:
execute fmpolicy print-adom-object <adom_id_num> <vpn_certificate_ca_category_id> <ca_cert_name>
Example command and output sample:
execute fmpolicy print-adom-object 3 52 root_CA3
Dump object [root_CA3] of category [vpn certificate ca] in adom [root]:
---------------
config vpn certificate ca
edit 'root_CA3'
set ca '-----BEGIN CERTIFICATE-----
[output redacted]
-----END CERTIFICATE-----'
set _private_key '-----BEGIN PRIVATE KEY-----
[output redacted]
-----END PRIVATE KEY-----'
next
end
- Copy the contents of set ca and set _private_key (everything between the quotes, including the '-----BEGIN' and '-----END' lines), paste each block separately into a text editor, then save the files as follows:
- Certificate block -> ca-cert.pem
- Private key block -> ca_key.pem
Generating a certificate and private key for FortiSASE using an OpenSSL script:
With the FortiManager CA certificate and private key available, it is now possible to generate/sign certificates outside of FortiManager using tools such as OpenSSL. For reference, a Linux shell script (generate-sase-cert.sh, in a .zip archive) has been attached to this article that contains the commands required to generate a certificate for FortiSASE signed by the exported FortiManager certificate/private key. The following steps detail how to use this script:
Caution:
Always review the contents of shell scripts obtained from the Internet and understand what the intended function is before executing them.
- Download the script to a Linux host that has OpenSSL available.
- Make the shell script executable using the chmod utility:
chmod +x generate-sase-cert.sh
- Run the script using the following command, substituting the parameters with the appropriate names:
./generate-sase-cert.sh <Path_to_CA_Cert> <Path_to_CA_Priv_Key> <Certificate_Subject> <optional_validity_in_days>
- Optional: to change the certificate validity period, specify an optional fourth parameter with the number of days (e.g. 730 days = 2 years; the default setting is 365).
Example command and output sample:
./generate-sase-cert.sh ca-cert.pem ca_key.pem '/CN=FortiSASE-SPA' 730
[*] Generating Private Key...
[output redacted]
[*] Generating CSR...
[*] Signing the Certificate with the CA...
Certificate request self-signature ok
subject=CN=FortiSASE SPA
[*] Creating PKCS#12 (.p12) with random password...
[+] Generated Certificate: FortiSASE-SPA.pem
[+] Generated Private Key: FortiSASE-SPA.key
[+] PKCS#12 (.p12) Generated: FortiSASE-SPA.p12
[+] Password of PKCS#12: [output redacted]
-----BEGIN CERTIFICATE-----
[output redacted]
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
[output redacted]
-----END PRIVATE KEY-----
Upon completion of the script, a new certificate and private key (both in PEM format) are created, as well as a PKCS#12 bundle (.p12) and corresponding password. Either set may be used when importing the certificate to FortiSASE.
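As an added example (not the script attached to this article), the following POSIX shell function performs the same flow with OpenSSL: end-entity key, CSR, certificate signed by the exported FortiManager CA, and a PKCS#12 bundle with a random password. The up-front check that the two input files are really a certificate and a key, the extension set applied at signing, and the verify helper are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the article's attached script): signs an end-entity
# certificate for FortiSASE with the CA cert/key exported from FortiManager.
# Usage: generate_sase_cert <ca-cert.pem> <ca_key.pem> <subject> [days]
# Assumes: openssl 1.1+ on PATH; output file names are derived from the CN.
set -e

generate_sase_cert() {
    ca_cert="$1"; ca_key="$2"; subject="$3"; days="${4:-365}"
    # Derive the output basename from the CN (e.g. '/CN=FortiSASE-SPA' -> FortiSASE-SPA)
    name=$(printf '%s' "$subject" | sed -n 's#.*/CN=\([^/]*\).*#\1#p')
    [ -n "$name" ] || { echo "subject must contain /CN=" >&2; return 1; }

    # Refuse swapped inputs: the CA argument must parse as a certificate, the key as a key
    openssl x509 -in "$ca_cert" -noout >/dev/null 2>&1 || { echo "$ca_cert is not a certificate" >&2; return 1; }
    openssl pkey -in "$ca_key" -noout >/dev/null 2>&1 || { echo "$ca_key is not a private key" >&2; return 1; }

    # 1. Private key for the FortiSASE end entity (RSA 2048, unencrypted PEM)
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$name.key" 2>/dev/null
    # 2. CSR carrying the requested subject
    openssl req -new -key "$name.key" -subj "$subject" -out "$name.csr"
    # 3. Sign with the FortiManager CA; mark as non-CA and restrict usage to auth
    ext=$(mktemp)
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=clientAuth,serverAuth\n' > "$ext"
    openssl x509 -req -in "$name.csr" -CA "$ca_cert" -CAkey "$ca_key" -CAcreateserial \
        -days "$days" -sha256 -extfile "$ext" -out "$name.pem" 2>/dev/null
    rm -f "$ext" "$name.csr"
    # 4. PKCS#12 bundle with a random password, as the article's script produces
    p12_pass=$(openssl rand -hex 16)
    openssl pkcs12 -export -inkey "$name.key" -in "$name.pem" -certfile "$ca_cert" \
        -passout "pass:$p12_pass" -out "$name.p12"
    echo "[+] $name.pem $name.key $name.p12 (PKCS#12 password: $p12_pass)"
}

# Confirms the generated certificate chains to the exported CA, i.e. what FortiSASE checks
verify_sase_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
```

Run verify_sase_cert ca-cert.pem FortiSASE-SPA.pem before importing; a failure here means the wrong CA file (for example the key instead of the certificate) was used.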
Importing the FortiManager CA certificate into FortiSASE:
- Log in to the FortiSASE web interface, then navigate to System -> Certificates.
- Select Import -> Remote Certificate, then change the Type to Remote CA Certificate.
- Select Upload, then select the FortiManager CA certificate file saved earlier (e.g. ca-cert.pem).
- Assign a name to the certificate, such as 'FortiManager_CA'.
- Select OK to confirm the import.
Importing the new certificate and key to FortiSASE
- Log in to the FortiSASE web interface, then navigate to System -> Certificates.
- Select Import -> Local Certificate, then select either PKCS#12 Certificate (for uploading a .p12 bundle with a password) or Certificate (for uploading the certificate and private key file separately).
- Select Upload, then upload files based on the option selected in the previous step:
- If using PKCS#12 Certificate, then select the .p12 file generated by the script (e.g., FortiSASE-SPA.p12).
- If using Certificate, then select the Certificate File (e.g. FortiSASE-SPA.pem) and the Key File (e.g. FortiSASE-SPA.key).
- The Password field is only required when using the PKCS#12 Certificate option, in which case, use the password produced by the shell script earlier. Otherwise, leave the Password field empty when using the Certificate option.
- Select OK to confirm the import.
With the FortiManager CA certificate and the FortiSASE end-entity certificate/key imported, it becomes possible to configure FortiSASE for certificate-based authentication on the SPA tunnel. For more information on configuring this, including creating PKI users and new SPA service connections on FortiSASE, refer to the following documentation:
FortiSASE Mature Admin Guide - PKI
FortiSASE Mature Admin Guide - Configuring a new service connection