Description
This article describes how to issue a certificate with the Microsoft certification authority for FortiAuthenticator, usable for EAP on RADIUS.
Related links.
https://docs.fortinet.com/document/fortiauthenticator/6.0.0/cookbook/277150/creating-a-local-service...
https://docs.fortinet.com/document/fortiauthenticator/6.0.0/cookbook/32415/configuring-radius-eap-on...
Solution
1) Go to Certificate Management -> End Entities -> Local Services and select 'Create New'.
2) Create a CSR with the FAC FQDN in the 'Name (CN)' field and select 'Third-party CA' as the issuer to be used for generating the certificate.
3) After the CSR is created, it is visible in the list.
4) Select the CSR and select 'Export Certificate', which downloads the CSR in the browser as a file.
5) Go to the 'Microsoft Enterprise Certification Authority' server at 'http://X.X.X.X/certsrv/' or 'https://X.X.X.X/certsrv/' (replace X.X.X.X with the IP or FQDN of the MS ECA server) and sign in with an administrative account.
6) Select 'Request a Certificate' and select 'advanced certificate request'.
7) Open the CSR file 'EAP_Cert.csr' with Notepad, select all of the text and paste it into the 'Saved Request:' field on the MS ECA page from the previous step.
The copied text must include the header and footer line, for example:
-----BEGIN CERTIFICATE REQUEST-----
MIIC8TCCAdkCAQAwgYUxCzAJBgNVBAYTAlVTMQ4wDAYDVQQIDAVTdGF0ZTENMAsG
…
Fpuh0HJdhQA7TraEOCrE91KgaGqnIu9IPgaVyXJkpryg9KrVAyIaY6zErNDxTOUF
sOQ7q4+aGgx2WW2dduTyCHedTapae4c5xdAIL1i76LPDPO4IOg==
-----END CERTIFICATE REQUEST-----
8) Select 'Web Server' in the 'Certificate Template:' field and select 'Submit'.
9) Select 'Base 64 encoded' and select 'Download certificate'.
10) Return to 'Microsoft Enterprise Certification Authority' server on link 'http://X.X.X.X/certsrv/' or 'https://X.X.X.X/certsrv/' and select 'Download a CA certificate, certificate chain, or CRL'.
11) Select the root CA server under 'CA certificate'.
12) Select 'Base 64' under 'Encoding method'.
13) Select 'Download CA certificate' which will download the root CA certificate in the browser.
14) Go to the FortiAuthenticator GUI administration page and import the root CA certificate to Certificate Management -> Certificate Authorities -> Trusted CAs.
15) After the root CA certificate is successfully imported, it appears in the list of trusted CAs.
16) Go to Certificate Management -> End Entities -> Local Services and import the certificate that was issued for 'EAP_Cert.csr' as 'Local Certificate'.
17) After the EAP certificate is successfully imported, it appears in the list of local services certificates.
18) Go to Authentication -> RADIUS Service -> EAP and under 'EAP Server Certificate', select EAP_Cert and under 'Trusted CAs', select the imported root CA certificate.
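
A pre-submission check for steps 2 and 7, as an added example that is not part of the original article or of any Fortinet or Microsoft tooling: it confirms that the copied CSR text carries both the header and footer line, that it decodes to one complete DER structure (a partial copy fails here), and it returns the CN so it can be compared with the FortiAuthenticator FQDN. The FQDN fac.example.com and the sample request are constructed for illustration; the sample has empty key and signature fields, and the script does not verify the CSR signature.

```python
import base64
ARMOR = ("CERTIFICATE REQUEST", "NEW CERTIFICATE REQUEST")  # second label is written by Windows tools
OID_CN = bytes([0x55, 0x04, 0x03])  # 2.5.4.3 commonName

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("DER data ends early (partial paste?)")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER element runs past end of data (partial paste?)")
    return tag, buf[pos:pos + length], pos + length

def csr_common_name(pem_text):
    """Check PEM armor and DER completeness, then return the subject CN."""
    lines = [l.strip() for l in pem_text.splitlines() if l.strip()]
    label = next((a for a in ARMOR if lines and lines[0] == f"-----BEGIN {a}-----"), None)
    if label is None:
        raise ValueError("header line -----BEGIN CERTIFICATE REQUEST----- is missing")
    if lines[-1] != f"-----END {label}-----":
        raise ValueError("footer line -----END CERTIFICATE REQUEST----- is missing")
    der = base64.b64decode("".join(lines[1:-1]), validate=True)
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("decoded data is not exactly one DER SEQUENCE")
    _, info, _ = read_tlv(body, 0)      # CertificationRequestInfo
    _, _, pos = read_tlv(info, 0)       # version INTEGER
    _, name, _ = read_tlv(info, pos)    # subject Name: SEQUENCE of RDN SETs
    pos = 0
    while pos < len(name):
        _, rdn, pos = read_tlv(name, pos)
        _, attr, _ = read_tlv(rdn, 0)   # first attribute of this RDN
        _, oid, vpos = read_tlv(attr, 0)
        if oid == OID_CN:
            return read_tlv(attr, vpos)[1].decode("utf-8")
    raise ValueError("subject has no CN attribute")

def tlv(tag, content):  # sample builder only; short-form lengths
    return bytes([tag, len(content)]) + content

def sample_csr_pem(cn="fac.example.com"):
    """Constructed sample: CSR-shaped DER with empty key and signature fields."""
    name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, OID_CN) + tlv(0x0C, cn.encode()))))
    info = tlv(0x30, tlv(0x02, b"\x00") + name + tlv(0x30, b"") + tlv(0xA0, b""))
    der = tlv(0x30, info + tlv(0x30, b"") + tlv(0x03, b"\x00"))
    return ("-----BEGIN CERTIFICATE REQUEST-----\n" + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE REQUEST-----\n")
```

To check the exported file, pass its contents to csr_common_name(), for example csr_common_name(open("EAP_Cert.csr").read()), and compare the result with the FQDN entered in step 2.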