FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
jmacdonaldplante
Article Id 196609

Description

This article explains how to generate a CSR in the FortiGate CLI.

Solution

To generate a CSR from the FortiGate CLI, use the following command:

execute vpn certificate [store] generate [...]

Command Syntax:

execute vpn certificate [store] generate [encryption_method] [certificate_name] [key_size] [Host IP/Domain Name/E-Mail] [Country Name or Code] [State/Province] [City] [Organization] [Organization Unit] [Email] [SANs - optional] [URL of the CA server for signing via SCEP (optional)]

Command Options:

store: ca, crl, local, remote
encryption_method: rsa, elliptic curve
certificate_name: Name for the certificate, purely an identifier
key_size: Key size in bits; options are 1024, 1536, 2048, 4096
Host IP/Domain Name/E-Mail: Common Name (CN), the name the certificate is signed for
Country: Country name or country code, such as CA (Canada)
State/Province: State or province name, such as BC (British Columbia)
City: City name
Organization: Organization name
Organization Unit: Organizational unit, similar to directories in a directory service
Email: Email address of the IT contact
SANs: Other accepted names; should include the CN if the CN is to be accepted

SAN Syntax

Email: email:admin@companyname.com
IP Address: IP:1.1.1.1
URL: URI:http://companyname.com
DNS Name: DNS:www.companyname.com

Note - Multiple SANs should be separated by comma (,) and without a space such as DNS:www.companyname.com,DNS:www.companyname1.com,DNS:www.companyname2.com

SCEP: URL of the CA server for signing via SCEP

Example:

# execute vpn certificate local generate rsa TestCSR 2048 companyname.com CA ON Ottawa Fortinet HR admin@companyname.com DNS:companyname.com,DNS:companyname1.com

Field Values:

Certificate Name: TestCSR
Key Size: 2048
CN: companyname.com
Country: CA (Canada)
State/Province: ON (Ontario)
City: Ottawa
Organization: Fortinet
OU: HR
Email: admin@companyname.com
SANs:
  DNS Name=companyname.com
  DNS Name=companyname1.com

Important Notes

1. Multiple values for one field are entered by using a comma (,) with no space. For example:

[Screenshot: AdditionalEmails.png]

When a comma is used, the FortiGate offers the option to add another email address instead of moving on to the next field.

2. Every field is separated by a space, and the space marks the start of the next field in the syntax. If a space is typed while providing multiple values for a single field, the FortiGate places the value after the space in the next field. For example:

[Screenshot: spaceindns.png]

By putting a space after the comma (,) in the SAN field, the FortiGate expects the SCEP URL instead of another DNS name.

If multiple SANs are added with a space after the comma, the following error is produced:

[Screenshot: FailedCA.png]

This is expected because the FortiGate now treats DNS:companyname1.com as the SCEP value instead of as a SAN.
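As an added example (not Fortinet's code and not part of this article), the following Python script models the positional, space-separated syntax and the comma/space rules from notes 1 and 2, so a command line can be linted before it is pasted into the CLI. The CsrRequest class, the field names, the tokenize_as_fortigate helper and the assumption that values cannot be quoted are the example's own; it renders the article's own example command and then shows how a space after the comma pushes the second DNS name into the SCEP position.

```python
"""Lint a FortiGate CSR-generation command line before it is pasted into the CLI.

Added example, not Fortinet code. It models the syntax from the article: every
argument is one space-separated token, multiple values in a field are joined by
commas with no space, and the SAN list is followed by the optional SCEP URL.
Quoting of values is not modelled (assumption: the article does not describe it).
"""
from dataclasses import dataclass, field
from typing import Dict, List
import ipaddress

# Positional order of the arguments after 'generate', taken from the article's syntax line.
FIELD_ORDER = [
    "encryption_method", "certificate_name", "key_size", "common_name",
    "country", "state", "city", "organization", "organizational_unit",
    "email", "sans", "scep_url",
]
PREFIX = "execute vpn certificate local generate "
VALID_KEY_SIZES = {1024, 1536, 2048, 4096}
SAN_PREFIXES = ("email:", "IP:", "URI:", "DNS:")  # SAN syntax listed in the article


@dataclass
class CsrRequest:
    """Hypothetical container for the CSR fields (example's own, not a FortiGate API)."""
    certificate_name: str
    common_name: str
    country: str
    state: str
    city: str
    organization: str
    organizational_unit: str
    email: str
    key_size: int = 2048
    encryption_method: str = "rsa"
    sans: List[str] = field(default_factory=list)


def validate_san(san: str) -> None:
    """Reject a SAN entry that the CLI would mis-parse (space) or not understand (prefix)."""
    if " " in san:
        raise ValueError(f"SAN {san!r} contains a space; the text after it would land in the next field")
    if not san.startswith(SAN_PREFIXES):
        raise ValueError(f"SAN {san!r} must start with one of {SAN_PREFIXES}")
    kind, _, value = san.partition(":")
    if not value:
        raise ValueError(f"SAN {san!r} has no value")
    if kind == "IP":
        ipaddress.ip_address(value)  # raises ValueError if this is not a valid address


def build_command(req: CsrRequest) -> str:
    """Render the request as the exact command line the article documents."""
    if req.key_size not in VALID_KEY_SIZES:
        raise ValueError(f"key size {req.key_size} not in {sorted(VALID_KEY_SIZES)}")
    scalars = {
        "encryption_method": req.encryption_method, "certificate_name": req.certificate_name,
        "common_name": req.common_name, "country": req.country, "state": req.state,
        "city": req.city, "organization": req.organization,
        "organizational_unit": req.organizational_unit, "email": req.email,
    }
    # Every argument must be a single token: a space inside a value starts the next field.
    for name, value in scalars.items():
        if not value or any(ch.isspace() for ch in value):
            raise ValueError(f"{name} {value!r} must be a single non-empty token")
    for san in req.sans:
        validate_san(san)
    # The article: the SAN list "should include CN if CN is to be accepted".
    if req.sans and not any(s.partition(":")[2] == req.common_name for s in req.sans):
        raise ValueError("SAN list does not include the Common Name")
    tokens = [scalars["encryption_method"], scalars["certificate_name"], str(req.key_size),
              scalars["common_name"], scalars["country"], scalars["state"], scalars["city"],
              scalars["organization"], scalars["organizational_unit"], scalars["email"]]
    if req.sans:
        tokens.append(",".join(req.sans))  # comma-separated, no space
    return PREFIX + " ".join(tokens)


def tokenize_as_fortigate(command: str) -> Dict[str, str]:
    """Model how the CLI assigns whitespace-separated tokens to positional fields.

    This is what turns 'DNS:a.com, DNS:b.com' into a bogus SCEP URL (note 2).
    """
    if not command.startswith(PREFIX):
        raise ValueError("not a 'local' certificate generate command")
    tokens = command[len(PREFIX):].split()
    fields = dict(zip(FIELD_ORDER, tokens))
    if len(tokens) > len(FIELD_ORDER):
        fields["unexpected"] = " ".join(tokens[len(FIELD_ORDER):])
    return fields


# The article's own example, expressed as a request (constructed sample input).
EXAMPLE = CsrRequest(
    certificate_name="TestCSR", common_name="companyname.com", country="CA", state="ON",
    city="Ottawa", organization="Fortinet", organizational_unit="HR",
    email="admin@companyname.com",
    sans=["DNS:companyname.com", "DNS:companyname1.com"],
)

if __name__ == "__main__":
    good = build_command(EXAMPLE)
    print(good)
    print(tokenize_as_fortigate(good)["sans"])      # DNS:companyname.com,DNS:companyname1.com
    bad = good.replace(",DNS:", ", DNS:")           # the mistake described in note 2
    print(tokenize_as_fortigate(bad)["scep_url"])   # DNS:companyname1.com
```

Running the script prints the command from the article's example and then shows that, once a space follows the comma, the tokenizer assigns DNS:companyname1.com to the SCEP URL slot, which is exactly why the FortiGate reports a failure instead of a second SAN.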

3. Once the CSR has been generated successfully, a CSR decoder tool can be used to confirm the value of each field. Download the CSR, open it in a text editor, and paste the content into a CSR decoder. For example:

[Screenshot: CSRdecoder.png]