JP20xx
New Member
July 1, 2022
Question

Sign a FortiGate CSR with OpenSSL (Linux)

  • July 1, 2022
  • 2 replies
  • 2571 views

I'm trying to sign a CSR generated by a FortiGate FW. Unfortunately the signed certificate does not show as an option in the SSL inspection profile. Does anyone know how to sign the CSR with OpenSSL/Linux?

2 replies

kcheng
Staff & Editor
July 1, 2022

Hi @JP20xx

In order to use a certificate for SSL inspection profile (whether it is certificate inspection/deep inspection), the respective certificate has to be a sub-CA certificate. This means that the certificate will need to have the Basic Constraints stating CA:TRUE. Some references that you can find in our community explain the respective:

https://community.fortinet.com/t5/FortiGate/Technical-Note-SSL-inspection-on-multiple-FortiGates-using-the/ta-p/195068

https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/518006/using-a-ca-signed-certificate

I've not personally tried creating a sub-CA certificate using OpenSSL, but the following third-party steps look legit to me. You may want to give it a check:

https://mivilisnet.wordpress.com/2020/06/03/how-to-make-subordinate-ca-using-openssl/
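
The sub-CA requirement described in the reply above, as an added example that is not part of the original thread or of Fortinet's documentation: it signs the same CSR with `openssl x509 -req` twice, once bare and once with an extension section carrying `CA:TRUE`, and checks which result is a CA certificate. The throwaway root CA, the locally generated stand-in CSR, the subject and file names, and the `pathlen:0` choice are assumptions for illustration; with a real device the CSR comes from the FortiGate and the signer is your own CA.

```shell
# Added example; every name, subject and path here is a constructed placeholder.
set -eu

# Minimal config so the example does not depend on the system openssl.cnf.
write_conf() {
cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_root
prompt = no
[dn]
CN = Example Lab Root CA
[v3_root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_subca]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
EOF
}
# Stand-in for an existing internal root CA (assumption).
make_root_ca() {
    openssl req -x509 -config "$1/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
        -days 3650 -keyout "$1/root.key" -out "$1/root.crt" 2>/dev/null
}
# Stand-in for the CSR generated on the FortiGate (there the key stays on the device).
make_sample_csr() {
    openssl req -new -config "$1/ca.cnf" -newkey rsa:2048 -nodes -keyout "$1/fgt.key" \
        -subj "/CN=Example FortiGate Inspection CA" -out "$1/fgt.csr" 2>/dev/null
}
# sign_csr DIR OUTFILE [EXT_SECTION]; without EXT_SECTION no CA extensions are added.
sign_csr() {
    openssl x509 -req -in "$1/fgt.csr" -CA "$1/root.crt" -CAkey "$1/root.key" \
        -CAcreateserial -sha256 -days 1825 -out "$1/$2" \
        ${3:+-extfile "$1/ca.cnf" -extensions "$3"} 2>/dev/null
}
# True when the certificate carries Basic Constraints CA:TRUE.
is_ca() { openssl x509 -in "$1" -noout -text | grep -q "CA:TRUE"; }

demo() {
    d=$(mktemp -d); write_conf "$d"; make_root_ca "$d"; make_sample_csr "$d"
    sign_csr "$d" plain.crt            # bare signing: end-entity certificate
    sign_csr "$d" subca.crt v3_subca   # sub-CA certificate with CA:TRUE
    for c in plain.crt subca.crt; do is_ca "$d/$c" && echo "$c: CA:TRUE" || echo "$c: not a CA"; done
    openssl verify -CAfile "$d/root.crt" "$d/subca.crt"
}
demo
```
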

lestopace
Staff
July 3, 2022

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Generate-and-sign-certificates-using-OpenSSL-in/ta-p/208899

If I'm not mistaken, you just need to follow step 1 then upload it to your FortiGate as a CA certificate along with the private key.