Description
This article describes how to use an externally signed certificate for FortiAuthenticator Web UI login.
Scope
FortiAuthenticator.
Solution
This solution covers logging in to the FortiAuthenticator Web UI with a certificate signed by an external CA.
Import the root CA.
Go to Certificate Management -> Certificate Authorities -> Trusted CAs and select 'Import'.
On the page that opens, enter any name in 'Certificate ID', then select 'Choose File' and upload the root CA's .cer file.
Follow the same steps to import the intermediate CA.
Import the signed server certificate. Go to Certificate Management -> End Entities -> Local Services and select 'Import'.
Note:
FortiAuthenticator accepts a PKCS#12 bundle (.p12) or a .cer certificate with a separate key file.
Go to System -> Administration -> System Access -> HTTPS certificate.
Select the domain certificate that was signed by the external CA.
This is the certificate the FortiAuthenticator Web UI presents to the browser.
Under 'Certificate Authority type', select the 'Trusted CA' radio button.
In 'CA certificate that issued the server certificate', select the imported intermediate CA (not the root CA) from the drop-down list, since the intermediate CA is the one that directly signed the server certificate.
Now log out of the Web UI and log back in to test the configuration.
Troubleshooting:
If importing a certificate in PFX or P12 format fails with the following error message:
'Unsupported cipher algorithm. This can happen if the PKCS12 file uses unsupported weak ciphers, e.g. RC2. Use the OpenSSL command 'openssl pkcs12 -info -in <file>' to view the file's ciphers on a computer.'
Run that command on a workstation to inspect the file (with OpenSSL 3.x the -legacy flag is required to read RC2-protected bundles):
openssl pkcs12 -info -in fortilab.pfx -legacy
Alternatively, locate the separate certificate and private key files, which usually come as a .key file and a .cer, .crt or .pem file. If only the PFX is available, use OpenSSL to split it as follows:
openssl pkcs12 -in fortilab.pfx -out fortilab.pem -nokeys -legacy -clcerts
openssl pkcs12 -in fortilab.pfx -out fortilab.key -nocerts -nodes -legacy
Each command prompts for the passphrase, if one is set, and prints nothing; the results are the files fortilab.pem and fortilab.key. Upload these two files instead. If they are also rejected, the key material itself uses outdated encryption.
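The troubleshooting steps above, scripted as an added example that is not code from the Fortinet article. It assumes OpenSSL 3.x on the admin workstation; the file names and the script name 'p12check.sh' are placeholders, and the re-pack step goes beyond the article by producing a fresh AES-protected .p12 in addition to the split .pem/.key pair.

```shell
#!/bin/sh
# Added example (not from the Fortinet article): check a PKCS#12 bundle on the admin
# workstation for the RC2 cipher behind "Unsupported cipher algorithm", then split it
# into the .pem/.key pair described above or re-pack it. Assumes OpenSSL 3.x, whose
# -legacy flag loads the legacy provider required to read RC2-protected bundles.

# Print the distinct encryption algorithms used inside the bundle, one per line.
# $1 = path to the .pfx/.p12 file, $2 = import passphrase ("" if there is none).
pkcs12_algorithms() {
    # -info writes the bundle structure to stderr; -noout suppresses key/cert output.
    out=$(openssl pkcs12 -info -noout -in "$1" -passin "pass:$2" -legacy 2>&1 |
          sed -En 's/^(PKCS7 Encrypted data|Shrouded Keybag): (.*)$/\2/p' | sort -u)
    if [ -z "$out" ]; then
        echo "cannot parse $1 (wrong passphrase, or no OpenSSL 3 legacy provider)" >&2
        return 1
    fi
    printf '%s\n' "$out"
}

# Exit status 0 if any part of the bundle is protected with RC2.
pkcs12_uses_rc2() {
    pkcs12_algorithms "$1" "$2" | grep -qi 'RC2'
}

# Split the bundle as the article does: leaf certificate(s) plus an unencrypted key.
# $1 = bundle, $2 = passphrase, $3 = output base name (writes $3.pem and $3.key).
pkcs12_split() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -out "$3.pem" -nokeys -clcerts -legacy &&
    openssl pkcs12 -in "$1" -passin "pass:$2" -out "$3.key" -nocerts -nodes -legacy &&
    chmod 600 "$3.key"
}

# Re-pack certificate and key into a fresh PKCS#12 with OpenSSL 3 defaults (AES-256-CBC,
# PBKDF2), i.e. the .p12 form the article says is accepted.
# $1 = certificate .pem, $2 = key file, $3 = output .p12, $4 = export passphrase.
pkcs12_repack() {
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout "pass:$4"
}
# Usage: sh p12check.sh fortilab.pfx 'passphrase'
if [ -n "$1" ]; then
    base=${1%.*}
    if pkcs12_uses_rc2 "$1" "$2"; then
        echo "$1 uses RC2; writing $base.pem, $base.key and $base-aes.p12"
        pkcs12_split "$1" "$2" "$base" &&
        pkcs12_repack "$base.pem" "$base.key" "$base-aes.p12" "$2"
    else
        echo "$1 does not use RC2; algorithms found:"; pkcs12_algorithms "$1" "$2"
    fi
fi
```

Uploading the generated .pem and .key pair, or the re-packed .p12, follows the same Local Services import step as the original bundle.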
Note:
Once the certificate referenced under System -> Administration -> System Access -> HTTPS certificate expires, it is no longer listed under Certificate Management -> End Entities -> Local Services.
The renewed certificate must be imported to the device following step 4 (the import under Certificate Management -> End Entities -> Local Services). Once the renewed certificate is imported, it reappears in the list with the new expiry date.