Created on 05-30-2022 05:42 AM
Edited on 08-28-2025 09:31 AM
By Stephen_G
Description
This article explains the format for adding a SAN (Subject Alternative Name) when generating a CSR (Certificate Signing Request).
Scope
FortiGate, FortiProxy.
Solution
Using GUI:
The CSR can be generated from System -> Certificates -> Create/Import -> Generate CSR. Fill in the required details and enter the SAN in the following format, for example:
DNS:domain1.com
IP:1.2.3.4
If multiple entries need to be added, separate them with commas, with no spaces in between.
For example:
DNS:domain1.com,DNS:domain2.com,IP:1.2.3.4
The CSR can be validated by using OpenSSL or any other third-party tool.
C:\Program Files\OpenSSL-Win64\bin>openssl req -text -noout -verify -in cert-mydomain.csr
verify OK
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: ST = Dubai, L = Dubai, O = mydomain, OU = support, CN = mydomain.com, emailAddress = support@mydomain.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:c0:ed:69:80:9c:10:b4:22:3d:9d:72:1e:41:31:
                    12:6e:93:a6:da:fc:7a:b0:43:c1:f3:36:37:f6:a3:
                    1e:50:0b:9b:86:9d:06:34:9b:07:72:3b:29:dc:17:
                    eb:bb:90:81:8d:2b:9b:c7:0b:5c:96:17:61:46:01:
                    1e:d7:1c:48:b7:8b:f9:02:f1:7f:f8:68:a5:c9:8d:
                    c3:b1:b2:44:37:71:22:f7:9e:17:f5:5d:36:ae:ab:
                    fa:27:d5:ef:23:00:1f:6c:ee:bc:d4:5f:47:c1:66:
                    ff:18:67:11:f0:8a:a7:c2:27:4c:7e:a1:f6:8c:bb:
                    9b:16:cd:c7:45:21:c5:d5:f0:49:aa:58:28:5d:c3:
                    0e:aa:3b:e7:d3:51:72:06:1c:86:fa:f3:1d:1c:1e:
                    25:85:17:31:c2:a7:b9:f2:f8:a1:7b:9e:a7:4b:74:
                    59:8d:7d:ed:0c:18:49:c5:fd:84:b5:e7:87:3d:fc:
                    e2:9f:7b:20:74:ef:70:4a:33:11:c2:de:f2:2d:ab:
                    9c:71:b6:19:46:f2:b4:65:45:9f:8a:05:16:40:e1:
                    3b:27:13:da:47:f6:57:ca:00:30:ec:b1:d2:8f:9a:
                    34:03:04:e0:7e:40:ef:59:1a:94:b1:1e:3f:67:e3:
                    76:6e:4e:a3:7b:42:0e:3d:a1:07:0f:af:d9:b9:ed:
                    8e:49
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Alternative Name:
                DNS:domain1.com
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
    Signature Algorithm: sha256WithRSAEncryption
         75:05:17:8d:7f:63:72:b0:47:d8:06:39:ca:24:a7:88:e8:25:
         16:f5:3c:ff:d7:4c:40:d5:b2:88:25:93:af:20:52:3a:5b:ee:
         3f:ca:6d:94:bc:fd:df:e7:a6:a4:f1:a8:d3:21:cb:2a:26:c3:
         3c:49:5c:62:88:ee:4a:59:38:96:e9:50:57:ef:8d:d1:69:0e:
         59:98:f5:e1:d1:2c:5a:76:4a:ee:40:a1:86:5f:89:69:93:53:
         5a:3a:a9:c4:a1:66:9b:55:bd:8e:93:24:e3:80:71:50:60:ad:
         b3:96:a5:bd:84:f6:4f:fa:5c:52:f4:cd:ab:18:fc:fc:43:d9:
         b5:f5:75:91:95:59:5f:a7:03:61:16:b8:11:4f:87:6e:d7:28:
         70:34:40:8d:12:2b:41:73:81:ec:50:28:f6:1b:59:83:3a:28:
         14:33:dc:71:5b:b4:d0:e6:78:02:e7:a5:41:40:56:b1:46:bd:
         c5:dd:c8:03:c4:1a:16:b5:e4:3a:63:63:e8:1b:e7:57:8b:29:
         b3:3d:b6:c9:88:3a:2e:2b:79:a2:e1:3c:1a:42:d0:95:1b:a0:
         36:8f:83:2c:3b:59:e0:b9:b0:9b:15:33:60:f8:51:d6:d3:23:
         2a:c9:9d:13:5f:08:59:51:1b:f3:ab:34:0c:1c:a5:3f:71:3a:
         78:d5:a4:ca
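As an added example (not part of the original article and not Fortinet code), the Python below checks a SAN string against the format described above and then confirms that each requested entry appears in the `openssl req -text -noout` output. It assumes only the DNS and IP types shown in this article; the function names and the sample text are constructed for illustration. OpenSSL prints IP entries as `IP Address:` and separates entries with a comma and a space, so the comparison normalizes both forms.

```python
import ipaddress
import re

LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")  # one DNS label, no edge hyphens

def check_san_field(value):
    """Return problems found in a SAN string; an empty list means well-formed."""
    problems = []
    for entry in value.split(","):
        kind, sep, data = entry.partition(":")
        if entry != "".join(entry.split()):
            problems.append(f"{entry!r}: contains whitespace")
        elif not sep or not data:
            problems.append(f"{entry!r}: expected TYPE:value")
        elif kind == "DNS":
            labels = data.split(".")
            labels = labels[1:] if labels[0] == "*" else labels  # leftmost wildcard
            if len(data) > 253 or not labels or not all(map(LABEL.fullmatch, labels)):
                problems.append(f"{entry!r}: not a valid DNS name")
        elif kind == "IP":
            try:
                ipaddress.ip_address(data)
            except ValueError:
                problems.append(f"{entry!r}: not a valid IP address")
        else:  # assumption: only the two types shown in the article are accepted
            problems.append(f"{entry!r}: type {kind!r} is not DNS or IP")
    return problems

def normalize(entry):
    """Map an entry, typed or printed by OpenSSL, to one comparable form."""
    kind, _, data = entry.strip().replace("IP Address:", "IP:").partition(":")
    try:
        data = str(ipaddress.ip_address(data)) if kind == "IP" else data
    except ValueError:
        pass
    return f"{kind}:{data.lower()}"

def missing_sans(requested, csr_text):
    """Requested entries absent from `openssl req -text -noout` output."""
    lines, present = csr_text.splitlines(), set()
    for i, line in enumerate(lines[:-1]):
        if "X509v3 Subject Alternative Name" in line:
            present = {normalize(e) for e in lines[i + 1].split(",")}
    return [e for e in requested.split(",") if normalize(e) not in present]

# Constructed sample of the extension lines OpenSSL prints for a CSR.
SAMPLE = ("            X509v3 Subject Alternative Name: \n"
          "                DNS:domain1.com, IP Address:1.2.3.4\n"
          "            X509v3 Key Usage: \n")
```

Run `check_san_field` on the string before entering it in the SAN field, and `missing_sans` on the saved OpenSSL output after the CSR is generated; a non-empty result from either means the CSR should be regenerated before it is sent to the CA.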
Using CLI:
To generate a CSR from the FortiGate CLI, use the following command:
'execute vpn certificate [store] generate [...]'
Command Syntax:
execute vpn certificate [store] generate [encryption_method] [certificate_name] [key_size] [Host IP/Domain Name/E-Mail] [Country Name or Code] [State/Province] [City] [Organization] [Organization Unit] [Email] [SANs - optional] [URL of the CA server for signing via SCEP (optional)]
Example:
execute vpn certificate local generate rsa Domain1 2048 mydomain.com CA ON Ottawa mydomain support support@mydomain.com DNS:domain1.com
In the example above, CN = mydomain.com and SAN = domain1.com.