Tonatiuh
New Member
July 17, 2017
Question

Generate User IPsec x509 certificate



I have generated the CA cert and private key, and uploaded them to the FortiWiFi 60E. I did this using OpenSSL following the instructions in the FortiOS 5.6 - Authentication manual (page 122).


Now, how do I generate the user certificate for the IPsec tunnel? That is, the certificate that every user connecting to the IPsec tunnel must have installed on their computer to be able to connect.


Regards,


    EMES
    New Member
    July 17, 2017

    You would have to generate them using OpenSSL like you did with the CA cert. The FortiGate has no mechanism to generate certificates, only Certificate Signing Requests. Use the CA to sign the user cert in OpenSSL. You can also do this automatically using automatic certificate enrollment if you are using Active Directory and a Certificate Authority server.

    Tonatiuh (Author)
    New Member
    July 18, 2017

    Thank you EMES. I already knew that theory.


    Would you have the command syntax for that purpose?


    Best regards,

    emnoc
    New Member
    July 18, 2017

    Easy

    The USER cert signing needs the USER.csr, the CA key and the CA cert.

    (here's my own CA signing a user cert that has a CN=<usernamebahblab>)

    openssl x509 -req -sha256 -days 366 -CA SOCPUPPETSCAroot.cert -CAkey SOCPUPPETSCArsa.key -CAcreateserial -in usernameblah.csr -out usernamblah.crt
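The whole user-certificate flow that emnoc's signing command belongs to, as an added example that is not from the thread: generate the user key and CSR, sign it with the CA while adding the extensions a client certificate should carry, verify the chain, and bundle the result as PKCS#12 for the user's computer. The file names, the user name jdoe and the email-form SAN are assumptions; the throwaway CA is constructed only so the script runs stand-alone.

```shell
#!/bin/sh
# Added example, not from the thread: the full OpenSSL flow for an IPsec user cert.
# Assumes you already hold the CA key and cert (as in the question); the test CA
# below is constructed only so the script runs stand-alone.
set -eu
cd "${WORK:-$(mktemp -d)}"

CA_CERT=ca.crt   # hypothetical file names; substitute your real CA files
CA_KEY=ca.key
USER=jdoe        # hypothetical user; becomes the certificate CN

# Constructed throwaway CA for testing (do NOT use in production).
make_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Test IPsec CA" -keyout "$CA_KEY" -out "$CA_CERT" 2>/dev/null
}

# 1. User private key plus CSR; the CN is what the gateway sees as the peer identity.
make_user_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$USER" -keyout "$USER.key" -out "$USER.csr" 2>/dev/null
}

# 2. Sign with the CA. An extensions file restricts the cert to end-entity client use:
#    no CA capability, signature-only key usage, clientAuth EKU, SAN for the IKE ID.
sign_user_cert() {
  cat > "$USER.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature
extendedKeyUsage=clientAuth
subjectAltName=email:$USER@example.com
EOF
  openssl x509 -req -sha256 -days 366 -CA "$CA_CERT" -CAkey "$CA_KEY" -CAcreateserial \
    -in "$USER.csr" -out "$USER.crt" -extfile "$USER.ext" 2>/dev/null
}

# 3. Chain check before handing the cert out; exit status 0 means the CA validates it.
verify_user_cert() {
  openssl verify -CAfile "$CA_CERT" "$USER.crt" >/dev/null 2>&1
}

# 4. Bundle key + cert + CA as PKCS#12 for import on the user's computer.
#    $1 is the export password protecting the private key in the bundle.
export_p12() {
  openssl pkcs12 -export -inkey "$USER.key" -in "$USER.crt" -certfile "$CA_CERT" \
    -out "$USER.p12" -passout "pass:$1"
}
```

Match the CN or SAN to whatever peer ID form your phase 1 configuration expects, otherwise the gateway will reject an otherwise valid certificate.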