WickedBuZz
New Member
May 28, 2020
Solved

Problem with CSR

  • May 28, 2020
  • 2 replies
  • 8127 views

Hi everyone,

 

I have a problem on Fortigate 600D and Fortigate 60E systems. When I fill in the Generate Certificate Signing Request form, I cannot use the result to get the RapidSSL certificate because of a "country code invalid" error. Whether I use the Country / Region field or not, I always get that error, on multiple CA websites. The country code should be HR, which stands for Croatia. Can anyone assist please?

 

Kind regards,

Goran


    emnoc
    Answer
    New Member
    May 28, 2020

    Here's a workaround 

     

    Build it with Microsoft cert-manager or openssl ( CSR ) and then send the CSR off to the CA. Once you get a certificate, package it up as pfx and import cert+key into the fortigate.

     

    Yes, that would be the simplistic way to overcome these issues imho. The on-appliance CSR mechanism for FortiOS is flaky at times. ISO 2-letter validations are also strange at times, and for countries not so well known ;)

     

    Ken Felix

     

     

    WickedBuZz
    New Member
    May 28, 2020

    Hey, thank you for your help. I'd like to go with the Microsoft cert manager option, but I would be very thankful if you could find a good guide about it and send me the link... I found some, but I'm not sure if it's about using the mmc console and Creating a Custom Request? After the wizard I end up with a "request file"

     

    -----BEGIN NEW CERTIFICATE REQUEST-----

    -----END NEW CERTIFICATE REQUEST-----

     

    WickedBuZz
    New Member
    June 8, 2020

    How can I get a new firmware for Fortigate 60E? I'm unable to generate this csr and crt, not even on the 600D device. I mean, I can generate the csr via GUI, but I can't get it signed at the CA because of an invalid country code error. Can the Fortinet team assist please?

    emnoc
    New Member
    June 10, 2020

    Please drop your csr here so we can see what you did? Just give the subject line.

    The signing issue is that of the signer & is not the fortigate imho.

     

    1> here's what fortiOS 6.4.0 produced and strictly with the 2 letter code of HR

     

    supports-MacBook-Pro:Downloads ken$ openssl req -in forum.csr -noout -text
    Certificate Request:
        Data:
            Version: 0 (0x0)
            Subject: C=HR, ST=someregion, L=somecity, O=socpuppets, OU=socpuppets forum emnoc, CN=test@null.com
            Subject Public Key Info:

     

     

    2> Here's what 6.2.4 produced 

     

    supports-MacBook-Pro:Downloads ken$ openssl req -in "forum (1).csr" -noout -text
    Certificate Request:
        Data:
            Version: 0 (0x0)
            Subject: C=HR, ST=some province, L=somecity, O=socpuppets, OU=socpuppets test of HR, CN=again@null.com/emailAddress=hahah@null.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)

     

    In both cases, the two-letter ISO code of HR was used. This fit their webpage list of codes.

     

    https://www.rapidsslonline.com/blog/ssl-certificate-country-codes-for-csr/

     

    Did you ask support from rapid-ssl? and for assistance?

    BTW you have a beautiful country. I've been to Osijek and just loved the area and the people.

     

    Ken Felix
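
The OpenSSL route from the accepted answer, together with the subject check shown in the last reply, as an added example that is not part of any post in this thread. The function names, file names, subject values and passphrase are constructed placeholders, and the CSR is self-signed only as a stand-in for the certificate the CA would return.

```shell
#!/bin/sh
# Added example: off-box key + CSR for a FortiGate, then PFX packaging.
# Subject values, CN, file names and passphrase are constructed placeholders.

# make_csr DIR CN COUNTRY: new 2048-bit RSA key and CSR in DIR.
make_csr() {
    # countryName must be exactly two uppercase letters (ISO 3166-1 alpha-2).
    printf '%s' "$3" | LC_ALL=C grep -Eq '^[A-Z]{2}$' || {
        echo "invalid country code: $3" >&2; return 1; }
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$1/server.key" -out "$1/server.csr" \
        -subj "/C=$3/ST=Example Region/L=Example City/O=Example Org/CN=$2" \
        2>/dev/null
}

# csr_country FILE: print the C= value actually encoded in the CSR subject.
csr_country() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/^.*,C=\([^,]*\)$/\1/p'
}

# make_pfx DIR PASSWORD: bundle DIR/server.crt + DIR/server.key as PKCS#12,
# refusing if the certificate was not issued for this private key.
make_pfx() {
    cert_pub=$(openssl x509 -in "$1/server.crt" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$1/server.key" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ] || {
        echo "certificate does not match private key" >&2; return 1; }
    openssl pkcs12 -export -inkey "$1/server.key" -in "$1/server.crt" \
        -out "$1/server.pfx" -passout "pass:$2"
}

# Demo: self-sign the CSR as a stand-in for the certificate the CA returns.
demo() {
    d=$(mktemp -d) || return 1
    make_csr "$d" vpn.example.test HR &&
    csr_country "$d/server.csr" &&
    openssl x509 -req -in "$d/server.csr" -signkey "$d/server.key" \
        -days 1 -out "$d/server.crt" 2>/dev/null &&
    make_pfx "$d" 'constructed-passphrase'
    rc=$?; rm -rf "$d"; return $rc
}

demo
```

Because the private key is generated off the appliance here, keep `server.key` and the PFX on a trusted host and delete them once the import is done. On a shared machine, pass the PFX passphrase with `-passout file:` or `-passout env:` instead of `pass:`, which is visible in the process list.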