Help
FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
cramirez
Staff
Staff

Created on ‎02-04-2016 08:56 AM Edited on ‎05-19-2025 12:55 AM By Community Manager

Article Id 194832

Technical Tip: How to sign a CSR on FortiAuthenticator

Description

This article describes how  FortiAuthenticator can be used to sign a Certificate Sign Request (CSR) generated by other device like a FortiGate.

 

Scope

 

FortiAuthenticator, FortiGate. 

 

Solution

 

1. Generating CSR file by FortiGate.

  • Go to System -> Certificate, select Create/Import -> Generate CSR.

 

110.png

 

  • Set Certificate Name.
  • Select ID Type. You can select: 'Host IP', 'Domain Name' or 'E-Mail'.

 

Optional Information:

  • Organization Unit.
  • Organization.
  • Locallity(City).
  • State / Province.
  • Country / Region.
  • Email.
  • Subject Alternative Name.
  • Password for private key.

 

Select:

  • Key Type.
  • Key Size.
  • Select Enrollment Method: File Based.
  • Select 'OK'.

 

111.png

 

  • FortiGate shows this certificate file as 'Local Certificate' and Status: 'Pending'.

 

112.png

 

  • Select the CSR File, download, and save.

 

csr.example.png

2. Generating FortiAuthenticator Certificate Autority (CA).

  • Go to Certificate Management -> Certificate Authorities -> Local CAs -> Create New.

 

113.png

 

  • Set Certificate ID.
  • Select Certificate Authority Type: Root CA
  • Select Subject input method.
  • Complete Subject Information.
  • Select Key And Signing Options.

 

Optional:

  • Subject Alternative Name (SAN).
  • Advanced Options: Key Usage.
  • Certificate Revocation List (CRL).
  • Select 'Save'.

 

114.png

 

115.png

 

  • To sign a CSR navigate to Certificate Management -> End Entities -> Users and select Import.
  • Select Type: CSR to sign.
  • Set Certificate ID.
  • Upload CSR File created by Fortigate: CSR_FILE.csr
  • Select the Certificate Authority created: FAC_CA
  • A Subject Alternative Name can be specified. Note that FortiAuthenticator only supports email and User Principal Name(UPN). 
  • Select Import.

 

116.png

 

Note:

If a CSR is imported with a Subject Alternative Name as DNS or other fields, which is signed by the FortiAuthenticator. Those fields (Subject Alternative Name) will be deleted. Try to sign those CSRs with another CA.

  • Also, the purpose of this certificate can be selected, and the key usages needed.

  

117.png

 

  • Go to Certificate Management -> End Entities -> Users, select file and 'Export Certificate'.
  • The type of this file will be: Security Certificate (.cer)
  • File name: Certificate.cer
  • Download and save.

 

Importing Signed File: Security Certificate (.cer) to FortiGate

  • Go to System -> Certificate -> Create/Import -> Select: 'Certificate' -> Import Certificate.

 

118.png

 

  • Select Type: 'Local Certificate'.
  • Certificate file: Certificate.cer
  • Select 'Create'.

 

119.png

 

120.png

 

  • After importing Certificate.cer to FortiGate, 'CSR_FILE' with status 'Pending' will change to status 'Valid'.

 

121.png

 

 

  • It is possible to import CA created 'FAC_CA' file to FortiGate if needed.

 

For more details regarding the Certificate, refer to the documents below:

FortiGate Administration Guide / Certificate

FortiAuthenticator Administration Guide / Certificate

5841
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.