FortiGate
mclegg
Staff
Article Id 189597
Description
This article explains how to create an elliptic curve certificate signing request.

Solution
1. Use the following CLI command to create the CSR with an elliptic curve key:
exec vpn certificate local generate ec <CERTNAME> secp521r1 <cn.name> <country> <state> <city> <org> <unit> <email>

For example:
exec vpn certificate local generate ec testcert secp521r1 test.com DE HE FFM TAC FORTINET test@fortinet.com

2. Check the CSR:
config vpn certificate local
edit testcert
get
name                : testcert
password            : *
comments            :
private-key         : *
certificate         :
csr                 : csr exist
state               : Pending
scep-url            :
range               : global
source              : user
source-ip           : 0.0.0.0
ike-localid-type    : asn1dn

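3. Use the show full-configuration command to display the CSR. The CSR is the value of the set csr line, from -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST-----.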

(testcert) # show full-configuration
config vpn certificate local
    edit "testcert"
        set password ENC 7+sX8SSqTGroH3tKcfM9QvBzCB6g6wD22izElK47UMRsTxfJfCrZ2KRHXIPOcMwnlmssLKKmzgx/pDS1B
+puqUPMjH9lCcJsjYHbe8rzllZhERRxSPQU4TFj/OQkr8GPWgVO6+r6kB0+q9cs0ee3ong0PyXcVOLM9VUPYU1HR9TsrcUmowLm53Q0LXE
        set comments ''
        set private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIBPTBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIqNC+9Md57UsCAggA
MBQGCCqGSIb3DQMHBAjs1nrnI5rWPASB+N0vmkGCaUL31P4uJVVBLo/L1dBQVK8h
/9FBrXR/6Uc6YemvsvnMqt54c8YmtwgZ7hZfFgrrBdxCRgWGvXsFi+2U8Do560Wh
2XThEVoGvkVlmtqnbrOJLgOtBnAvReLdvp96kzynN6mY+QlGt8qBzBbfFokHtPvE
oCvYdu+3vBo1DRtD4ybopBvuq+1AI+pjzxydoYMP9a9r4wzvnWdwvPFRajSkWPkv
HP7urzdP/4FHg1ASJm2tScEzdxQuv3HP2lPUvZy3sDdcV4wtJyitTDf3CTjoCCgP
idOmRebyLWlL4ChGCZcu8m0P4IZlPnnvsuRZr61tY/0F
-----END ENCRYPTED PRIVATE KEY-----"
        unset certificate
        set csr "-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----"
        set scep-url ''
        set range global
        set source user
        set source-ip 0.0.0.0
        set ike-localid-type asn1dn
    next
end

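4. Copy the CSR text, including the BEGIN and END CERTIFICATE REQUEST lines, and send it to the Certificate Authority for signing. The password and private-key values shown in the same output are not part of the CSR and are not sent to the CA.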
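Before submitting, the copied CSR can be checked offline with OpenSSL on a workstation. The script below is an added example, not part of the original article or of FortiOS; the function names check_csr and make_sample_csr are assumptions, and the sample CSR is constructed locally with the subject values from step 1.

```shell
#!/usr/bin/env bash
# Added example: sanity-check a CSR copied from the FortiGate before it goes to a CA.

# check_csr FILE CURVE CN
# Returns 0 if all checks pass, 1 bad self-signature, 2 wrong curve, 3 wrong CN.
check_csr() {
    local file=$1 curve=$2 cn=$3 subj
    # 1. Self-signature proves the request was signed by the key it carries.
    #    Match the message text: older OpenSSL builds exit 0 even on failure.
    openssl req -in "$file" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    # 2. The public key must sit on the named curve that was requested.
    openssl req -in "$file" -noout -text 2>/dev/null |
        grep -q "ASN1 OID: $curve\$" || return 2
    # 3. The subject CN must be exactly the name given on the CLI.
    subj=$(openssl req -in "$file" -noout -subject -nameopt RFC2253 2>/dev/null)
    subj=${subj#subject=}
    subj=${subj# }
    case ",$subj," in
        *",CN=$cn,"*) return 0 ;;
        *) return 3 ;;
    esac
}

# make_sample_csr FILE CURVE
# Constructed stand-in for the CSR from step 3, generated locally so the
# example runs without a FortiGate. The temporary key is discarded.
make_sample_csr() {
    local key
    key=$(mktemp)
    openssl ecparam -name "$2" -genkey -noout -out "$key" 2>/dev/null &&
    openssl req -new -key "$key" -out "$1" 2>/dev/null \
        -subj "/C=DE/ST=HE/L=FFM/O=TAC/OU=FORTINET/CN=test.com/emailAddress=test@fortinet.com"
    rm -f "$key"
}

# Usage: ./check_csr.sh testcert.csr secp521r1 test.com
if [ "$#" -eq 3 ]; then
    check_csr "$@" && echo "CSR OK: signature, curve and CN match"
fi
```

Save the text from the set csr line to a file such as testcert.csr (a hypothetical name) and pass it as the first argument.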
