Help
FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
cramirez
Staff
Staff

Created on ‎02-04-2016 08:56 AM Edited on ‎10-26-2023 10:42 PM By Community Manager

Article Id 194832

Technical Tip: How to sign a CSR on FortiAuthenticator

Description

This article describes how to sign a CSR on FortiAuthenticator. FortiAuthenticator can be used to sign a Certificate Sign Request (CSR) generated by other device like a FortiGate.

 

1. Generating CSR file by Fortigate.

 

  • Go to System -> Certificate, select Create/Import -> Generate CSR.

 

110.png

 

  • Set Certificate Name.
  • Select ID Type. You can select: 'Host IP', 'Domain Name' or 'E-Mail'.

Optional Information:

 

  • Organization Unit.
  • Organization.
  • Locallity(City).
  • State / Province.
  • Country / Region.
  • Email.
  • Subject Alternative Name.
  • Password for private key.

Select:

  • Key Type.
  • Key Size.
  • Select Enrollment Method: File Based.
  • Select 'OK'.

 

111.png

 

  • Fortigate show this certificate file as 'Local Certificate' and Status: 'Pending'.

112.png

 

  • Select CSR File, download and save.

2. Generating FortiAuthenticator Certificate Autority (CA).

 

  • Go to Certificate Management -> Certificate Authorities -> Local CAs -> Create New.

113.png

 

  • Set Certificate ID.
  • Select Certificate Authority Type: Root CA
  • Select Subject input method.
  • Complete Subject Information.
  • Select Key And Signing Options.

Optional:

  • Subject Alternative Name.
  • Advance Options: Key Usage.
  • Certificate Revocation List (CRL).
  • Select 'Save'.

114.png

 

115.png

 

  • In order to sign a CSR go to Certificate Management -> End Entities -> Users and select Import.
  • Select Type: CSR to sing.
  • Set Certificate ID.
  • Upload CSR File created by Fortigate: CSR_FILE.csr
  • Select the Certificate Authority created: FAC_CA
  • A Subject Alternative Name can be specified. Note that FortiAuthenticator only supports E-Mail and User Principal Name(UPN). 
  • Select Import.

116.png

 

 

  • Note: If a CSR is imported with a Subject Alternative Name as DNS or other fields, which is signed by the FortiAuthenticator. Those fields (Subject Alternative Name) will be deleted. Try to sign those CSRs with other CA.
  • Also, the purpose of this certificate can be selected, and the key usages needed

  

117.png

 

  • Go to Certificate Management -> End Entities -> Users, select file and 'Export Certificate'.
  • The type of this file will be: Security Certificate (.cer)
  • File name: Certificate.cer
  • Download and save.

3. Importing Signed File: Security Certificate (.cer) to Fortigate

 

  • Go to System -> Certificate -> Create/Import -> Select: 'Certificate' -> Import Certificate.

 

118.png

 

  • Select Type: 'Local Certificate'.
  • Certificate file: Certificate.cer
  • Select 'Create'.

119.png

 

120.png

 

  • After importing Certificate.cer to FortiGate, 'CSR_FILE' with status 'Pending' will change to status 'Valid'.

 

121.png

 

 

  • It is possible to import CA created: 'FAC_CA' file to FortiGate if needed.

To know about the Certificate, refer to the below documents:

Fortigate Administration Guide / Certificate

FortiAuthenticator Administration Guide / Certificate

5598
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.