This article describes how FortiGate validates the enhanced key usage on the certificate and decides whether the certificate can be chosen for different parts of the configuration.
Scope: FortiOS.
By default, a CSR generated by FortiGate does not include any enhanced key usage for the CA to sign. Here is an example of the CSR generated on the FortiGate:
The same CSR after the .csr file is decoded:
Data:
    Version: 0 (0x0)
    Subject: CN=10.128.202.29
    Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
            Public-Key: (2048 bit)
    Attributes:
    Requested Extensions:
        X509v3 Basic Constraints:
            CA:FALSE
        X509v3 Subject Alternative Name:
            IP Address:10.128.202.29
        X509v3 Key Usage:
            Digital Signature, Key Encipherment
Signature Algorithm: sha256WithRSAEncryption
The enhanced key usage field is therefore set by the CA, according to the purpose of the certificate and/or the template chosen on the signing server. In this example, the CA (FortiAuthenticator) sets the enhanced key usage to 'IPsec IKE Intermediate (end entity)':
Once imported to FortiGate, the following fields are displayed in the Extensions field:
Extensions:
    X509v3 Basic Constraints
        CA:FALSE
    X509v3 Subject Key Identifier
        25:82:1B:35:0D:32:E8:D8:E3:85:39:69:CF:86:CB:B0:B8:09:98:55
    X509v3 Authority Key Identifier
        keyid:18:FD:97:3A:78:A3:89:DA:0B:AF:3E:25:10:23:E6:0A:D9:3F:F6:F9
        DirName:/C=CA/CN=FAC.test.lab/emailAddress=admin@test.lab
        serial:14:AC:D4:8F:8F:2D:74:50
    X509v3 Key Usage
        Digital Signature, Key Encipherment
    X509v3 Extended Key Usage
        1.3.6.1.5.5.8.2.2
    X509v3 CRL Distribution Points
        Full Name:
            URI:http://10.21.4.177/app/cert/crl/top_level.crl
    Authority Information Access
        OCSP - URI:http://10.21.4.177:2560/
    X509v3 Subject Alternative Name
        IP Address:10.128.202.29
Since the purpose of this certificate (extended key usage 1.3.6.1.5.5.8.2.2, IPsec IKE Intermediate) is not Server Authentication, the certificate created earlier in the lab is not available for selection under the SSL VPN settings or the system settings:
However, it can be selected under Authentication method > Signature in the IPsec tunnel configuration, since it carries the purpose that feature requires:
In summary, when a CSR is signed by a CA or through SCEP, it is important to confirm which extensions the CA is going to add to the certificate. If the enhanced key usage is configured for Server Authentication, then the certificate can be used for any purpose on FortiOS.
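As an added illustration (not FortiOS code and not part of the original article), the following Python decodes the DER-encoded Extended Key Usage extension of an imported certificate and applies the selection rule described above: Server Authentication makes the certificate usable everywhere, while the lab certificate's IPsec IKE Intermediate OID (1.3.6.1.5.5.8.2.2) only qualifies it for the IPsec signature method. The handling of a certificate with no EKU at all follows the general X.509 convention (no restriction) and is an assumption, not something the article states.

```python
# Added example: decode an X.509 extKeyUsage value (SEQUENCE OF OBJECT IDENTIFIER)
# and map the OIDs to the FortiOS features the article says may select the cert.
# Only short-form DER lengths are handled, which is enough for real EKU extensions.

EKU_NAMES = {
    "1.3.6.1.5.5.7.3.1": "TLS Web Server Authentication",
    "1.3.6.1.5.5.7.3.2": "TLS Web Client Authentication",
    "1.3.6.1.5.5.8.2.2": "IPsec IKE Intermediate",  # OID shown in the article
}

def decode_oid(body: bytes) -> str:
    """Decode the content octets of a DER OBJECT IDENTIFIER into dotted form."""
    arcs = [str(body[0] // 40), str(body[0] % 40)]  # first byte packs two arcs
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)           # base-128, high bit = continue
        if not b & 0x80:
            arcs.append(str(value))
            value = 0
    return ".".join(arcs)

def parse_eku(der: bytes) -> list:
    """Return the list of dotted OIDs inside an extKeyUsage extension value."""
    if der[0] != 0x30 or der[1] >= 0x80:
        raise ValueError("expected a short-form DER SEQUENCE")
    pos, end, oids = 2, 2 + der[1], []
    while pos < end:
        tag, length = der[pos], der[pos + 1]
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER inside EKU")
        oids.append(decode_oid(der[pos + 2:pos + 2 + length]))
        pos += 2 + length
    return oids

def fortios_eligibility(oids: list) -> dict:
    """Which FortiOS features may select a certificate with these EKU OIDs."""
    # Server Authentication -> any purpose (article). No EKU -> unrestricted
    # per the X.509 convention (assumption, not stated by the article).
    if not oids or "1.3.6.1.5.5.7.3.1" in oids:
        return {"ssl_vpn": True, "system_settings": True, "ipsec_signature": True}
    ipsec = "1.3.6.1.5.5.8.2.2" in oids  # IKE Intermediate satisfies IPsec only
    return {"ssl_vpn": False, "system_settings": False, "ipsec_signature": ipsec}

# Constructed sample: the article's EKU extension value (only 1.3.6.1.5.5.8.2.2)
# hand-encoded in DER: SEQUENCE(0x30, len 10) { OID(0x06, len 8) 2B06010505080202 }.
LAB_EKU = bytes.fromhex("300a06082b06010505080202")

if __name__ == "__main__":
    oids = parse_eku(LAB_EKU)
    print([EKU_NAMES.get(o, o) for o in oids], fortios_eligibility(oids))
```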
Related Article:
Troubleshooting Tip: A guide to FortiGate and certificate issues