eribeiro, Staff
Article Id 298601
Description

This article describes how to generate a certificate with OpenSSL when FIPS mode is enabled on FortiGate and/or FortiAnalyzer.

Note that OpenSSL is not endorsed or supported by Fortinet.

Change the information in these files according to your organization's security policy.

Fortinet is not responsible for generating and maintaining custom certificates.

The certificates created here should not be used in production and are difficult to manage.

This article only provides an example.

Scope

FortiAnalyzer, FortiGate, FIPS, Linux, OpenSSL.
Solution

This article describes how to create a certificate that meets the minimum requirements outlined in this Technical Tip when FIPS mode is enabled: Technical Tip: FortiGate is not able to send logs ... - Fortinet Community.

This example illustrates the creation of five files: ca-script.sh, client.conf, root-ca.conf, server.conf and sub-ca.conf. Each file contains only the minimum requirements for FIPS mode. All files must reside in the same directory.

OpenSSL must be installed on the Linux host.

 

ca-script.sh:

#!/bin/bash

### root CA

# Work in a dedicated directory so that the CA database files
# (index, serial, crlnumber) and the issued certificates stay together.
mkdir certs
cp root-ca.conf certs/
cp sub-ca.conf certs/
cp server.conf certs/
cp client.conf certs/
cd certs
touch index.root
openssl rand -hex 16 > serial.root       # random 128-bit starting serial number
echo 1001 > crlnumber.root

# Root CA key and CSR, then self-sign the CSR with the ca_ext extensions.
openssl req -new -config root-ca.conf -out root-ca.csr -keyout ca.key
openssl ca -selfsign -config root-ca.conf -in root-ca.csr -out ca.crt -extensions ca_ext -batch

### sub CA

touch index.sub
openssl rand -hex 16 > serial.sub
echo 2001 > crlnumber.sub

# Intermediate CA key and CSR, signed by the root CA with sub_ca_ext (pathlen:0).
openssl req -new -config sub-ca.conf -out sub-ca.csr -keyout int1.key
openssl ca -config root-ca.conf -in sub-ca.csr -out int1.crt -extensions sub_ca_ext -batch

# Server (FortiAnalyzer) certificate, signed by the intermediate CA.
openssl req -new -config server.conf -out server.csr -keyout server-rsa.key
openssl ca -config sub-ca.conf -in server.csr -out server-rsa.crt -extensions server_ext -batch

# Client (FortiGate) certificate, signed by the intermediate CA.
openssl req -new -config client.conf -out client.csr -keyout client-rsa.key
openssl ca -config sub-ca.conf -in client.csr -out client-rsa.crt -extensions client_ext -batch

# Optional: build a chain file containing the root and intermediate CA certificates.
#cat ca.crt int1.crt > cachain.crt

# Clean up the CA database files, CSRs, copied configs and the
# per-serial certificate copies that openssl ca writes to new_certs_dir.
rm crlnumber.*
rm index.*
rm serial.*
rm *.csr
rm *.conf
rm *.pem

cd ..

 

client.conf:

[ default ]
SAN                     = DNS:oftp-client.example.com    # Default value
                        # IP:<ip-address>, if using an IP address

[ req ]
default_bits            = 2048                  # RSA key size
encrypt_key             = no                    # Leave the private key unencrypted so it can be imported
default_md              = sha256                # MD to use
utf8                    = yes                   # Input is UTF-8
string_mask             = utf8only              # Emit UTF-8 strings
prompt                  = no                    # Do not prompt for the DN
distinguished_name      = server_dn             # DN template
req_extensions          = server_reqext         # Desired extensions

[ server_dn ]
countryName             = "GB"
organizationName        = "Example"
commonName              = "oftp-client.example.com"        # <ip-address>, if using an IP address

[ server_reqext ]
basicConstraints        = critical,CA:false
keyUsage                = critical,digitalSignature,keyEncipherment
extendedKeyUsage        = serverAuth,clientAuth
subjectAltName          = $ENV::SAN             # SAN environment variable, falling back to the [ default ] value
 

server.conf:

[ default ]
SAN                     = IP:172.25.176.12      # Default value
                        # IP:<ip-address>, if using an IP address

[ req ]
default_bits            = 2048                  # RSA key size
encrypt_key             = no                    # Leave the private key unencrypted so it can be imported
default_md              = sha256                # MD to use
utf8                    = yes                   # Input is UTF-8
string_mask             = utf8only              # Emit UTF-8 strings
prompt                  = no                    # Do not prompt for the DN
distinguished_name      = server_dn             # DN template
req_extensions          = server_reqext         # Desired extensions

[ server_dn ]
countryName             = "GB"
organizationName        = "Example"
commonName              = "172.25.176.12"       # <ip-address>, if using an IP address

[ server_reqext ]
basicConstraints        = critical,CA:false
keyUsage                = critical,digitalSignature,keyEncipherment
extendedKeyUsage        = serverAuth,clientAuth
subjectAltName          = $ENV::SAN             # SAN environment variable, falling back to the [ default ] value

root-ca.conf:

[default]
name                    = ca
domain_suffix           = example.com
default_ca              = ca_default
name_opt                = utf8,esc_ctrl,multiline,lname,align

[ca_dn]
countryName             = "GB"
organizationName        = "Example"
commonName              = "Root CA"

[ca_default]
home                    = .
database                = $home/index.root
serial                  = $home/serial.root
crlnumber               = $home/crlnumber.root
certificate             = $home/$name.crt       # ca.crt
private_key             = $home/$name.key       # ca.key
RANDFILE                = $home/random
new_certs_dir           = $home
unique_subject          = no
copy_extensions         = none                  # Ignore extensions requested in the CSR
default_days            = 3650
default_crl_days        = 365
default_md              = sha256
policy                  = policy_c_o_match

[policy_c_o_match]
countryName             = match
stateOrProvinceName     = optional
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[req]
default_bits            = 2048
encrypt_key             = no
default_md              = sha256
utf8                    = yes
string_mask             = utf8only
prompt                  = no
distinguished_name      = ca_dn
req_extensions          = ca_ext

[ca_ext]
basicConstraints        = critical,CA:true
keyUsage                = critical,digitalSignature,keyCertSign,cRLSign

[sub_ca_ext]
basicConstraints        = critical,CA:true,pathlen:0      # The Sub CA may not issue further CA certificates
keyUsage                = critical,digitalSignature,keyCertSign,cRLSign

sub-ca.conf:

[default]
name                    = int1
domain_suffix           = example.com
default_ca              = ca_default
name_opt                = utf8,esc_ctrl,multiline,lname,align

[ca_dn]
countryName             = "GB"
organizationName        = "Example"
commonName              = "Sub CA"

[ca_default]
home                    = .
database                = $home/index.sub
serial                  = $home/serial.sub
crlnumber               = $home/crlnumber.sub
certificate             = $home/$name.crt       # int1.crt
private_key             = $home/$name.key       # int1.key
RANDFILE                = $home/random
new_certs_dir           = $home
unique_subject          = no
copy_extensions         = copy                  # Copy the subjectAltName requested in the CSR
default_days            = 365
default_crl_days        = 30
default_md              = sha256
policy                  = policy_c_o_match

[policy_c_o_match]
countryName             = match
stateOrProvinceName     = optional
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[req]
default_bits            = 2048
encrypt_key             = no
default_md              = sha256
utf8                    = yes
string_mask             = utf8only
prompt                  = no
distinguished_name      = ca_dn
req_extensions          = ca_ext

[ca_ext]
basicConstraints        = critical,CA:true,pathlen:0
keyUsage                = critical,digitalSignature,keyCertSign,cRLSign

[server_ext]
basicConstraints        = critical,CA:false
extendedKeyUsage        = clientAuth,serverAuth
keyUsage                = critical,digitalSignature,keyEncipherment

[client_ext]
basicConstraints        = critical,CA:false
extendedKeyUsage        = clientAuth
keyUsage                = critical,digitalSignature
 

Before running ./ca-script.sh to generate the X.509 certificates for the OFTP connection, edit the following file:

server.conf:

  SAN                     = IP:172.25.176.12
  commonName              = "172.25.176.12"

If the intention is to use DNS:

  SAN                     = DNS:oftp-server.example.com
  commonName              = "oftp-server.example.com"

Replace 172.25.176.12 with the FortiAnalyzer's actual IP address.

Make the script executable with the command chmod +x ca-script.sh on the Linux host.

 

After running ./ca-script.sh, the following X.509 certificates and keys are generated:

  • Root CA certificate: ca.crt
  • Intermediate CA certificate: int1.crt
  • Server certificate / private key: server-rsa.crt, server-rsa.key
  • Client certificate / private key: client-rsa.crt, client-rsa.key
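Before importing these files, it is worth confirming that they actually meet the requirements the article relies on. The script below is an added example (not part of the article or of any Fortinet tool): it checks that each leaf certificate chains to ca.crt through int1.crt, uses a public key of at least 2048 bits, is signed with SHA-256 and carries a subjectAltName. It assumes the certs/ directory and file names produced by ca-script.sh and is run as ./check-certs.sh certs.

```shell
#!/bin/bash
# Added check (not from the article): validates the output of ca-script.sh
# before importing it into FortiAnalyzer/FortiGate.
# Usage: ./check-certs.sh certs     (the directory written by ca-script.sh)
set -u

# Returns 0 when the leaf certificate chains to ca.crt through int1.crt.
chain_ok() {                 # $1 = directory, $2 = leaf certificate file name
    openssl verify -CAfile "$1/ca.crt" -untrusted "$1/int1.crt" "$1/$2" >/dev/null 2>&1
}

# Prints the public key size in bits (2048 for the article's RSA keys).
key_bits() {                 # $1 = certificate path
    openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Returns 0 when the signature uses SHA-256 (default_md = sha256 in the configs).
sig_is_sha256() {            # $1 = certificate path
    openssl x509 -in "$1" -noout -text | grep -q 'Signature Algorithm: sha256WithRSAEncryption'
}

# Returns 0 when the certificate carries a subjectAltName (the SAN value from the .conf files).
has_san() {                  # $1 = certificate path
    openssl x509 -in "$1" -noout -text | grep -q 'X509v3 Subject Alternative Name'
}

# Runs all checks on one leaf certificate; prints OK/FAIL and returns 0/1.
check_leaf() {               # $1 = directory, $2 = leaf certificate file name
    cert="$1/$2"
    chain_ok "$1" "$2"                 || { echo "FAIL: $2 does not chain to ca.crt via int1.crt"; return 1; }
    [ "$(key_bits "$cert")" -ge 2048 ] || { echo "FAIL: $2 key is smaller than 2048 bits"; return 1; }
    sig_is_sha256 "$cert"              || { echo "FAIL: $2 is not signed with SHA-256"; return 1; }
    has_san "$cert"                    || { echo "FAIL: $2 has no subjectAltName"; return 1; }
    echo "OK: $2"
}

# Command-line entry point: check both leaf certificates in the given directory.
if [ -n "${1:-}" ]; then
    rc=0
    for leaf in server-rsa.crt client-rsa.crt; do
        check_leaf "$1" "$leaf" || rc=1
    done
    exit "$rc"
fi
```

A FAIL line points at the file and the requirement that was not met, so the offending .conf can be corrected and the script re-run before anything is pasted into the FortiAnalyzer or FortiGate CLI.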

 

Run the following commands to import the two CA certificates into FortiAnalyzer:

config system certificate ca
    edit CA-1
        set ca "..."            <- Copy and paste the content of ca.crt.
    next
    edit CA-2
        set ca "..."            <- Copy and paste the content of int1.crt.
    next
end

Note: The certificate content starts with -----BEGIN CERTIFICATE----- and finishes with -----END CERTIFICATE-----.

Run the following commands to import the server certificate into FortiAnalyzer:

config system certificate local
    edit oftp-server
        set private-key "..."   <- Copy and paste the content of server-rsa.key.
        set certificate "..."   <- Copy and paste the content of server-rsa.crt.
end

Run the following commands to import the two CA certificates into FortiGate:

config vpn certificate ca
    edit CA-1
        set ca "..."            <- Copy and paste the content of ca.crt.
    next
    edit CA-2
        set ca "..."            <- Copy and paste the content of int1.crt.
    next
end

If FortiAnalyzer runs in FIPS mode, upload the client certificate to the FortiGate. There are two ways to do this:

  • Generate one client certificate for each device.
  • Generate one client certificate shared by all devices.

In this example, a single client certificate is used for all devices. To generate one certificate per device, customize the script so that subsequent runs create only the client certificate, signing it with the Root CA and Sub CA that already exist from the first run.

This is optional: if FortiAnalyzer runs in normal (non-FIPS) mode, the following configuration is NOT necessary.

Run the following commands to import the client certificate into FortiGate:

config vpn certificate local
    edit oftp-client
        set private-key "..."   <- Copy and paste the content of client-rsa.key.
        set certificate "..."   <- Copy and paste the content of client-rsa.crt.
end
