FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
ocara
Staff
Article Id 369120
Description

This article describes the procedure for generating a Certificate Signing Request (CSR) on FortiAuthenticator. Although FortiAuthenticator can act as a Certificate Authority (CA) itself, a CSR is required whenever the certificate is to be signed by a public CA such as Let's Encrypt, DigiCert, GlobalSign, or GoDaddy. The CSR carries the public key and subject information; the private key is generated on FortiAuthenticator and never leaves the appliance.

Scope

FortiAuthenticator.
Solution

There are three ways to generate a Certificate Signing Request (CSR) using FortiAuthenticator:

  • User Certificate: a CSR for an end-entity certificate (user, client, or local computer certificate) that will be signed by a third-party public CA.
  • Local Service Certificates: CSRs for server certificates signed by a third-party public CA and used by FortiAuthenticator itself. They can be applied to various services, such as:  
    • FortiAuthenticator System Access / Web Access.
    • EAP-Server Certificate.
    • RADSEC-Certificate.
    • LDAP-Server Certificate (when FortiAuthenticator acts as an LDAP server).
    • SAML-Identity Provider Certificate / SSO Services.
    • Syslog-SSO Certificate.
  • Intermediate CA Signing Request: used when FortiAuthenticator's own CA is to operate as an intermediate CA with a certificate issued by a public CA.

 

Below is an example with steps for generating a CSR for FortiAuthenticator System Access/Web Access:

Navigate to Certificate Management → End Entities → Local Services → Create New.

Populate the required fields with the following:

  • Certificate ID.
  • Issuer (should be a third-party CA).
  • Subject Information as specified below:

 

1.png

 

Subject Alternative Name and Key Signing Options must also be configured. The certificate's Common Name and its Subject Alternative Name must both be the FQDN of FortiAuthenticator: modern browsers and TLS clients validate the hostname against the Subject Alternative Name rather than the Common Name, so a certificate with only a matching CN will still produce a name-mismatch error.

 

After creating the new certificate, its status will remain Pending until a signed certificate is imported. To proceed, select the pending entry and export it; a .csr file will be downloaded to the local PC. The file contains only the public key and subject information, so it can be sent to the CA without exposing the private key.

 

2.png

 

The .csr file should be sent to the respective Public Certificate Authority (CA) for signing.

 

Once the signed certificate is received, navigate to Certificate Management → End Entities → Local Services and import the certificate.

 

3.png

 

Typically, the public CA returns a .crt file containing only the signed certificate. The matching private key is already present on FortiAuthenticator from the CSR step, so only the certificate needs to be imported for Local Services.

 

If instead the certificate was delivered together with its private key (for example as a PKCS#12 bundle whose key pair was generated on the CA side rather than by a CSR on FortiAuthenticator), select the following option: Type: Certificate and Private Key

 

4.png

 

After importing the certificate, check its status, which should have changed from Pending to Active. Additionally, the Authority Key Identifier will identify the third-party issuer of the certificate:

 

5.png

 

Assign this certificate to the web GUI by going to Administration → System Access → GUI Access → HTTPS Certificate.

 

7.png
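An added example (not from the Fortinet article): before sending the exported .csr to the public CA, and again when the signed .crt comes back, a few openssl commands on the administrator's workstation confirm what the screenshots above ask for: CN and SAN equal to the FQDN, a valid self-signature on the CSR, and a returned certificate whose public key matches the CSR and whose chain validates against the issuer. The FQDN, file names and the throwaway CA are assumptions made for this example; the CA-creation and signing functions only stand in for the public CA so that the checks can be exercised offline. The chain check also illustrates the Note below: a certificate from a private CA only validates once that CA's certificate is in the trust bundle passed to -CAfile.

```shell
#!/bin/sh
# Added example, not part of the Fortinet article: openssl checks for the .csr
# exported from FortiAuthenticator (before sending it to the CA) and for the
# .crt the CA returns (before importing it). Assumptions: openssl 1.1.1+ is
# installed; the FQDN is a placeholder; make_sample_csr/make_sample_ca/sign_csr
# only build throwaway test material so the checks can be exercised offline.

FQDN="fac.example.com"   # assumed FortiAuthenticator FQDN

# Stand-in for the appliance's Create New step: a key pair plus a CSR. On a
# real system the key stays on FortiAuthenticator and only the .csr is exported.
make_sample_csr() {   # make_sample_csr KEYFILE CSRFILE CN SAN
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1" -out "$2" \
        -subj "/O=Example Corp/CN=$3" -addext "subjectAltName=DNS:$4" 2>/dev/null
}

# Stand-in for the public CA: a throwaway self-signed root.
make_sample_ca() {   # make_sample_ca CAKEY CACERT
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1" -out "$2" -days 30 \
        -subj "/O=Example Public CA/CN=Example Root" 2>/dev/null
}

# Sign the CSR the way a CA would, re-stating the SAN (x509 -req does not copy
# requested extensions by default) and adding the Authority Key Identifier.
sign_csr() {   # sign_csr CSRFILE CAKEY CACERT OUTCERT SAN
    ext=$(mktemp)
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\nauthorityKeyIdentifier=keyid,issuer\n' "$5" >"$ext"
    openssl x509 -req -in "$1" -CA "$3" -CAkey "$2" -CAcreateserial -days 30 \
        -extfile "$ext" -out "$4" 2>/dev/null
    rm -f "$ext"
}

# Field extractors; the first argument is the openssl subcommand (req or x509).
subject_cn() {      # subject_cn req|x509 FILE
    openssl "$1" -in "$2" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}
san_dns() {         # san_dns req|x509 FILE  -> one DNS name per line
    openssl "$1" -in "$2" -noout -text | sed -n '/Subject Alternative Name/{n;p;}' |
        tr -d ' ' | tr ',' '\n' | sed -n 's/^DNS://p'
}
key_bits() {        # key_bits req|x509 FILE
    openssl "$1" -in "$2" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}
pubkey_sha256() {   # pubkey_sha256 req|x509 FILE
    openssl "$1" -in "$2" -noout -pubkey | openssl sha256 | sed 's/.*= //'
}

# Returns 0 when the CSR is safe to send: its self-signature verifies, CN and
# every SAN entry equal the FQDN (clients match the hostname against the SAN,
# not the CN), and the RSA key is at least 2048 bits.
check_csr() {   # check_csr CSRFILE FQDN
    openssl req -in "$1" -noout -verify >/dev/null 2>&1 || { echo "CSR signature invalid"; return 1; }
    [ "$(subject_cn req "$1")" = "$2" ] || { echo "CN is not $2"; return 1; }
    sans=$(san_dns req "$1")
    [ -n "$sans" ] || { echo "CSR has no Subject Alternative Name"; return 1; }
    for n in $sans; do
        [ "$n" = "$2" ] || { echo "SAN entry $n is not $2"; return 1; }
    done
    [ "$(key_bits req "$1")" -ge 2048 ] 2>/dev/null || { echo "key is not RSA >= 2048 bits"; return 1; }
    echo "CSR ok: CN and SAN are $2"
}

# Returns 0 when the returned certificate belongs to this CSR and is usable:
# same public key as the CSR (so it matches the private key held on the
# appliance), SAN carries the FQDN, and the chain validates against the CA
# certificate(s) in CABUNDLE. Without the right CA certificate the last check
# fails, which is exactly what a client lacking the CA root would see.
check_issued_cert() {   # check_issued_cert CRTFILE CSRFILE FQDN CABUNDLE
    [ "$(pubkey_sha256 x509 "$1")" = "$(pubkey_sha256 req "$2")" ] ||
        { echo "certificate public key does not match the CSR"; return 1; }
    san_dns x509 "$1" | grep -qx "$3" || { echo "certificate SAN lacks $3"; return 1; }
    openssl verify -CAfile "$4" "$1" >/dev/null 2>&1 ||
        { echo "chain does not validate against $4"; return 1; }
    echo "certificate ok; $(openssl x509 -in "$1" -noout -issuer)"
}

# Usage on real files:
#   check_csr exported.csr fac.example.com
#   check_issued_cert signed.crt exported.csr fac.example.com ca-chain.pem
case $# in
    2) check_csr "$1" "$2" ;;
    4) check_issued_cert "$1" "$2" "$3" "$4" ;;
esac
```

For a real deployment pass the CA's published chain (root plus any intermediate) as the bundle; if check_issued_cert reports that the chain does not validate, the same failure will be seen by every client that does not have that CA in its trust store.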

 

 

Note:

 

When configuring SSL/TLS certificates in FortiAuthenticator, it is important to understand the differences between using certificates signed by public Certificate Authorities (CAs) and those issued by a private CA. Each approach has specific benefits and considerations:

 

Using Public CA-Signed Certificates

  • Certificates signed by public CAs are widely trusted and eliminate the need for manual configuration on user devices or browsers.
  • Most operating systems and browsers include public CA root certificates in their trusted stores by default, ensuring seamless trust and compatibility.
  • This approach is ideal for production environments or when FortiAuthenticator is exposed to external users, providing a hassle-free user experience.

 

Using Private CA-Signed Certificates

  • Certificates signed by a private CA, such as FortiAuthenticator's internal Certificate Authority, require additional setup.
  • All endpoints accessing FortiAuthenticator must have the private CA's root certificate in their trusted store; otherwise clients will show certificate warnings or refuse the connection.
  • While this approach can save costs, it involves more administrative effort (distributing and renewing the root on every client) and is better suited for internal networks.

 

For queries about how FortiAuthenticator can sign other certificates, refer to Sign a CSR on FortiAuthenticator.