Description
This article describes how to generate a web server certificate for the FortiManager or FortiAnalyzer using Windows PKI. This article covers how to set a server certificate installed on the FortiManager/FortiAnalyzer so that a trusting connection can occur.
Solution
Generate a CSR toward the Certificate Authority as follows:
A SAN or subject alternative name is a formatted way to indicate all of the domain names and IP addresses that are secured by the certificate
For Chrome 58 and later, only the subjectAlternativeName extension, not commonName, is used to match the domain name and site certificate
Give the Subject Alternative Name "SAN" domain name and IP without spaces and separated by a comma.
A name can be:
A name can be:
e-mail address.
IP address.
URI.
DNS name (alternatives to the Common Name).
directory name (alternatives to the Distinguished Name).
IP address.
URI.
DNS name (alternatives to the Common Name).
directory name (alternatives to the Distinguished Name).
Precede the name with the name type. Examples:
For example: DNS:fortinet.com,IP:1.1.1.1
Select Download to get the CSR.
Extract the CSR and export it to the CS Certificate Authority.
Connect to the Certificate Authority.
Select Request a Certificate and advance certificate request.
'Copy and paste' the CSR request and use Web Server as Certificate Template as follows:
Download the certificate.
Download the generated certificate on the FortiManager or FortiAnalyzer.
The status of the certificate is now OK, as follows:
It is possible to install the root CA on the management station so that the Web Server can be validated.
To download the CA certificate, navigate to the certsrv and choose 'Download a CA certificate' and then 'Download CA certificate'.
Then use the imported Certificate in the FortiManager or FortiAnalyzer:
config system admin setting
set admin_server_cert "FMG-Cert"
end
set admin_server_cert "FMG-Cert"
end
Once completed, import it into the CA repository.
Related articles:
