This article describes how to sign a CSR on FortiAuthenticator. FortiAuthenticator can be used to sign a Certificate Sign Request (CSR) generated by other device like a FortiGate.


1.       First, a Certificate Authority(CA) is required to sign certificates.

a.    Go to Certificate Management > Certificate Authorities > Local CAs  then create a new root CA.

2.       In order to sign a CSR go to Certificate Management > End Entities > Users and select Import.

a.    Select the CA created.

b.    A Subject Alternative Name can be specified. Note that FortiAuthenticator only supports E-Mail and User Principal Name(UPN). 

Note: If a CSR is imported with a Subject Alternative Name as DNS or other fields, which is signed by the FortiAuthenticator. Those fields (Subject Alternative Name) will be deleted. Try to sign those CSR with other CA.

c.    Also, the propose of this certificate can be selected, add the key usages needed.

3.       After sign the cert, it may be downloaded.