In the FortiGate GUI, the Subject Alternative Name text field allows multiple items to be entered (comma delimited), but the field itself has a 60 character limit. Since each SAN entered also needs an identifier, this limit is easily hit with just a name or two.
This article explains how to generate a CSR in the FortiGate CLI instead in order to overcome this limit.
Solution
To get around this limitation, use the 'execute vpn certificate [store] generate [...]' CLI command. When VDOMs are in use, this command is run from the Global context.
Command Syntax
execute vpn certificate [store] generate [encryption_method] [cert_name] [key_size] [CN] [Country] [State/Province] [Org] [City] [OU] [email] [SANs - optional]
Command Options
store: ca, crl, local, remote
encryption_method: rsa, ec
cert_name: Name for the certificate, purely meant as an identifier
key_size: Key size in bits; options are 1024, 1536, and 2048
CN: Common Name, the name the certificate is signed for
Country: Country name or Country Code
State/Province: State or Province Name
Org: Organization Name
City: City Name
OU: Organizational Unit, similar to Directories in a Directory Service
email: Email address for IT Contact
SANs: Other accepted names; should include the CN if the CN is also to be accepted
SAN Syntax
Email: email:admin@companyname.com
IP Address: IP:1.1.1.1
URL: URI:http://companyname.com
DNS Name: DNS:www.companyname.com
Example
execute vpn certificate local generate rsa test_cert 2048 companyname.com CA Ontario Ottawa IT,Certificates admin@companyname.com DNS:companyname.com,DNS:www.companyname.com,DNS:vpn.companyname.com
Certificate Name: test_cert
Key Size: 2048
CN: companyname.com
Country: CA (Canada)
State/Province: Ontario
City: Ottawa
OU: <root> > IT > Certificates
Email: admin@companyname.com
SANS:
>DNS Name=companyname.com
>DNS Name=www.companyname.com
>DNS Name=vpn.companyname.com
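The SAN syntax and the 60 character GUI limit described above, as an added helper that is not part of this article or of Fortinet's own code: it parses a comma-delimited SAN argument in the email:/IP:/URI:/DNS: form, rejects entries that lack an identifier or carry a malformed value, reports whether the list would still fit in the GUI field, and checks that the CN also appears in the SAN list. The function names, the validation rules and the sample values are assumptions of this example; FortiOS performs its own validation when the command runs.

```python
"""Helpers for the FortiGate 'execute vpn certificate ... generate' SAN argument.

Added illustration, not Fortinet code. Assumptions: the SAN argument is a
comma-delimited string of <identifier>:<value> entries using the four
identifiers shown in the article (email, IP, URI, DNS), and the GUI SAN
field holds at most 60 characters.
"""
import ipaddress
import re
from urllib.parse import urlparse

GUI_SAN_FIELD_LIMIT = 60            # character limit of the GUI SAN text field
SAN_TYPES = {"email", "IP", "URI", "DNS"}

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
_DNS_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# Deliberately simple e-mail shape: local@domain.tld with no spaces or commas.
_EMAIL = re.compile(r"^[^@\s,]+@[^@\s,]+\.[^@\s,]+$")


def _valid_dns_name(name):
    labels = name.rstrip(".").split(".")
    return 0 < len(name) <= 253 and all(_DNS_LABEL.match(lbl) for lbl in labels)


def parse_san_list(san_arg):
    """Parse 'DNS:a.example,IP:10.0.0.1' into [('DNS', 'a.example'), ('IP', '10.0.0.1')].

    Raises ValueError for an empty entry, a missing identifier, an unknown
    identifier, or a value that does not match its identifier.
    """
    entries = []
    for raw in san_arg.split(","):
        item = raw.strip()
        if not item:
            raise ValueError("empty SAN entry in %r" % san_arg)
        if ":" not in item:
            raise ValueError("SAN %r has no identifier (expected email:, IP:, URI: or DNS:)" % item)
        kind, value = item.split(":", 1)
        if kind not in SAN_TYPES:
            raise ValueError("unknown SAN identifier %r in %r" % (kind, item))
        if kind == "IP":
            ipaddress.ip_address(value)            # raises ValueError on a bad address
        elif kind == "DNS" and not _valid_dns_name(value):
            raise ValueError("bad DNS name %r" % value)
        elif kind == "email" and not _EMAIL.match(value):
            raise ValueError("bad email address %r" % value)
        elif kind == "URI" and not urlparse(value).scheme:
            raise ValueError("URI %r has no scheme" % value)
        entries.append((kind, value))
    return entries


def format_san_list(entries):
    """Inverse of parse_san_list: build the comma-delimited CLI argument.

    The CLI line is whitespace-delimited, so a value containing a space would
    be split into a separate argument; reject it here instead.
    """
    for kind, value in entries:
        if kind not in SAN_TYPES:
            raise ValueError("unknown SAN identifier %r" % kind)
        if any(ch.isspace() for ch in value) or "," in value:
            raise ValueError("SAN value %r would break the argument list" % value)
    return ",".join("%s:%s" % (kind, value) for kind, value in entries)


def needs_cli(san_arg):
    """True when the SAN list will not fit in the GUI field and the CLI is required."""
    return len(san_arg) > GUI_SAN_FIELD_LIMIT


def san_covers_cn(entries, cn):
    """True when the CN is also present as a DNS SAN (the article's advice)."""
    return any(kind == "DNS" and value.lower() == cn.lower() for kind, value in entries)


if __name__ == "__main__":
    # Constructed sample mirroring the article's example (not real hosts).
    sans = "DNS:companyname.com,DNS:www.companyname.com,DNS:vpn.companyname.com"
    parsed = parse_san_list(sans)
    print("entries:", parsed)
    print("GUI field too short, use CLI:", needs_cli(sans))
    print("CN covered by SAN list:", san_covers_cn(parsed, "companyname.com"))
```

Running the block as a script shows that the article's three-name list is 67 characters, already past the GUI limit, which is exactly the case the CLI command exists for.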
Related Articles
Generate CSR via CLI when Subject Alternative Name field is long (FortiOS 5.0)