Description
This article describes how to sign certificate with Subject Alternate Name for FortiGate admin GUI by FortiAuthenticator.
Scope
FortiAuthenticator.
Solution
Assign the local certificate to the FortiGate admin interface after signing the same on FortiAuthenticator.
If the user has both FortiGate and FortiAuthenticator and if this user wishes to sign the certificate on FortiAuthenticator (FortiAuthenticator acts as certificate authority) and import to FortiGate and configure for FortiGate admin GUI, after signing the certificate, after installing the CA certificate on browser store or local system and try to access the FortiGate admin GUI interface on chrome, 'Invalid Certificate' message will appear.
This is because of incorrect SAN.
Configuration
If the certificates feature is not available under System, then enable the feature from System -> Feature Visibility -> Certificates and select 'Apply'.
Generating CSR certificate on FortiGate.
Important reminders when creating CSR: Make sure that it is filled in the required information. For this example, an IP address for GUI access is used, but it is possible to use a Domain Name too if FortiGate is accessed via FQDN or DNS.
For the Subject Alternative Name (SAN), make sure that the parameters are correct. For FQDN, use DNS:Your-FQDN, and for IP, just add the IP Address:Your-IP.
Use a comma and space to add more entries. The final look should be like this: DNS:fgt.fortinet.com, IP Address:10.5.20.141. Afterwards, select 'Okay.'
Once it is generated the status will show as 'Pending. Download 'FortiGate_Admin.csr' certificate to get it signed by FortiAuthenticator.
Generating CA certificate on FortiAuthenticator.
Once FortiGate_FAC CA is created, export the same.
Sign the CSR 'FortiGate_Admin.csr' on FortiAuthenticator going to Certificate Authorities -> End Entities -> User -> Import.
Sign the CSR 'FortiGate_Admin.csr' on FortiAuthenticator going to Certificate Authorities -> End Entities -> User -> Import.
Once it is signed, then export the 'FortiGate_Admin.cer' from Certificate Authorities -> End Entities -> User -> Export Certificate.
Import the 'FortiGate_Admin.cer' certificate on FortiGate Under System -> Certificates -> Import -> Local Certificate -> Upload, select 'FortiGate_Admin.cer', if the certificate generated correctly it will import without any issues, and the status will change to 'Active' now.
Import the 'FortiGate_FAC.ca' under System -> Certificates -> Import -> CA certificate -> File, select the 'FortiGate_FAC.ca' and import.
Assign the 'FortiGate_Admin.cer' to FortiGate admin interface from System -> Settings -> HTTPS server certificate, select 'FortiGate_Admin' and apply.
Install the 'FortiGate_FAC.ca' certificate on end user system under 'Trusted Root Certification Authorities', for Mozilla Firefox requires manual import of the certificate.
Now try to access the FortiGate over https://10.5.20.141 , and do not notice any certificate warning messages.
Generate the certificate using below CLI command and then sign with FortiAuthenticator.
Execute VPN certificate [store] generate [encryption_method] [cert_name] [key_size] [CN] [Country] [State/Province] [Org] [City] [OU] [email] [SANs - optional].
Import the 'FortiGate_Admin.cer' certificate on FortiGate Under System -> Certificates -> Import -> Local Certificate -> Upload, select 'FortiGate_Admin.cer', if the certificate generated correctly it will import without any issues, and the status will change to 'Active' now.
Import the 'FortiGate_FAC.ca' under System -> Certificates -> Import -> CA certificate -> File, select the 'FortiGate_FAC.ca' and import.
Assign the 'FortiGate_Admin.cer' to FortiGate admin interface from System -> Settings -> HTTPS server certificate, select 'FortiGate_Admin' and apply.
Install the 'FortiGate_FAC.ca' certificate on end user system under 'Trusted Root Certification Authorities', for Mozilla Firefox requires manual import of the certificate.
Now try to access the FortiGate over https://10.5.20.141 , and do not notice any certificate warning messages.
Generate the certificate using below CLI command and then sign with FortiAuthenticator.
Execute VPN certificate [store] generate [encryption_method] [cert_name] [key_size] [CN] [Country] [State/Province] [Org] [City] [OU] [email] [SANs - optional].
When 'Subject Alternative Name' configured with DNS.
Related article:
Technical Note: FortiGate - Generate CSR via CLI when Subject Alternative Name field is long
