Skip to main content
Kingdaddee
Kingdaddee
New Member
October 18, 2019
Question

SSL Certificate Issue - Web Portal VPN

  • October 18, 2019
  • 2 replies
  • 3846 views

I cannot be the first to ever deal with this issue.  

Has anybody ever used a domain (sampledomain.net) and pointed it to their public facing IP address that the firewall is listening on to access the Web-VPN portal?  AND.... bought an SSL Cert and applied to the Firewall?  Validating a certificate by IP address is apparently extremely difficult.  Unless there is a better way.

2 replies

emnoc
emnoc
New Member
October 19, 2019

yes import the cert and ca-cert and call that cert up for the webportal. What're the issues that you're having? Did you do the CSR from the fortigate or from somewhere else?

 

Ken Felix

 

PierreBester
PierreBester
New Member
October 24, 2019

Hi Kingdaddee

 

We register a subdomain to our existing domain and added a DNS record for the VPN IP to point to the new subdomain (remoteconnection.sampledomain.net). We then generated a new cert for the subdomain and installed that on the fortigate and then selected that cert in the VPN settings. If im not mistaken you can generate a new cert and add the IP as a subject alternative name.

 

Regards

Pierre Bester

tinyadmin
tinyadmin
New Member
October 24, 2019

Hello Kingdaddee,

yes, we have a public signed certificate on our Fortigate, too.

In your case we used a linux computer with openssl tools, created a private key, created a CSR (certificate signing request) and ordered with this CSR a public signed certificate at a CA (certificate authority).

Nearly all of the CAs you can order www.example.com and you get the hostname example.com in the certificates for free...

After getting the signed certificate from the CA we imported this with the private key (stilled stored on the linux-system) on the Fortigate. I used the CLI with SSH (because you can define very simple a speeking name for the certificate/key handle), my coworker use the GUI.

The now created handle you can use for all SSL related configrations within your Fortigate or vdom.

 

Of course you need a DNS-record (A and/or AAAA) with the ip-address of the Fortigate. For testing a line with ip-address and hostname in etc/hosts-file works as well for this one source-system.

 

Thats all...

 

have fun with this

Tinyadmin

Terms & ConditionsAccessibility statement