FortiGate
mdibaee
Staff
Article Id 358287
Description

This article describes how FortiGate validates the Extended Key Usage (EKU, also called enhanced key usage by some CA products) of a certificate and, based on it, decides whether the certificate can be selected in different parts of the configuration.

 

Scope

FortiOS.

 

Solution

By default, a CSR generated by FortiGate does not request any Extended Key Usage, so the EKU is left for the CA to decide when it signs. Here is an example of a CSR generated on the FortiGate:


Picture1.png

The same CSR after the .csr file is decoded:

    Data:
        Version: 0 (0x0)
        Subject: CN=10.128.202.29
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
        Attributes:
        Requested Extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Alternative Name:
                IP Address:10.128.202.29
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
    Signature Algorithm: sha256WithRSAEncryption

The Requested Extensions contain Basic Constraints, a Subject Alternative Name and Key Usage, but no Extended Key Usage.

The Extended Key Usage is therefore set by the CA, according to the purpose it assigns to the certificate or the template selected on the signing server. In this example the CA (FortiAuthenticator) sets the EKU to 'IPsec IKE Intermediate (end entity)', which corresponds to OID 1.3.6.1.5.5.8.2.2:

Screenshot 2024-11-17 122823.png

Once the signed certificate is imported into FortiGate, its Extensions field shows the following. FortiGate displays the IPsec IKE Intermediate EKU by its OID rather than by name:

Extensions:
    X509v3 Basic Constraints
        CA:FALSE
    X509v3 Subject Key Identifier
        25:82:1B:35:0D:32:E8:D8:E3:85:39:69:CF:86:CB:B0:B8:09:98:55
    X509v3 Authority Key Identifier
        keyid:18:FD:97:3A:78:A3:89:DA:0B:AF:3E:25:10:23:E6:0A:D9:3F:F6:F9
        DirName:/C=CA/CN=FAC.test.lab/emailAddress=admin@test.lab
        serial:14:AC:D4:8F:8F:2D:74:50
    X509v3 Key Usage
        Digital Signature, Key Encipherment
    X509v3 Extended Key Usage
        1.3.6.1.5.5.8.2.2
    X509v3 CRL Distribution Points
        Full Name: URI:http://10.21.4.177/app/cert/crl/top_level.crl
    Authority Information Access
        OCSP - URI:http://10.21.4.177:2560/
    X509v3 Subject Alternative Name
        IP Address:10.128.202.29

Because the EKU does not include Server Authentication (OID 1.3.6.1.5.5.7.3.1), the certificate created earlier in the lab is not offered for selection under the SSL VPN settings or under the system settings:

pic3.png

pic4.png

However, it can be selected as the Signature authentication method in the IPsec tunnel configuration, because the IPsec IKE Intermediate EKU matches that purpose:

pic5.png

In summary, when a CSR is signed by a CA, whether manually or through SCEP, confirm which extensions the CA will add to the issued certificate before relying on it. Decode the certificate before importing it (for example with openssl x509 -in cert.pem -noout -text) and check that the X509v3 Extended Key Usage entry covers the intended use, because FortiOS only offers a certificate in the places where its EKU fits. If the EKU includes Server Authentication, the certificate can be used for any purpose on FortiOS, including the SSL VPN, system and IPsec settings shown above.
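To make the decision above concrete, here is an added example written for this article (not Fortinet's code, and not how FortiOS implements the check internally): a minimal standard-library DER walker that extracts the Extended Key Usage OIDs from a certificate and maps them onto the purposes discussed here. The purpose names, the rule that a certificate with no EKU matches nothing, and the constructed unsigned sample certificate are assumptions of the example; 1.3.6.1.5.5.7.3.1 is the standard id-kp-serverAuth OID, and 1.3.6.1.5.5.8.2.2 is the IPsec IKE Intermediate OID shown in the FortiGate output above.

```python
"""Extract Extended Key Usage OIDs from a DER X.509 certificate with a minimal
DER walker (standard library only) and map them onto the FortiOS purposes above."""
import base64
from typing import Dict, List, Optional, Tuple

OID_EXTENDED_KEY_USAGE = "2.5.29.37"              # id-ce-extKeyUsage
OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"              # id-kp-serverAuth
OID_IPSEC_IKE_INTERMEDIATE = "1.3.6.1.5.5.8.2.2"   # the EKU FortiAuthenticator set above

# Purpose names are labels for this example, not FortiOS identifiers. SSL VPN and
# admin HTTPS require serverAuth; IPsec also accepts IPsec IKE Intermediate.
FORTIOS_PURPOSES: Dict[str, set] = {
    "ssl_vpn": {OID_SERVER_AUTH},
    "admin_https": {OID_SERVER_AUTH},
    "ipsec_signature": {OID_SERVER_AUTH, OID_IPSEC_IKE_INTERMEDIATE},
}

def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, contents, position after the element) for the DER TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(contents: bytes) -> List[Tuple[int, bytes]]:
    out, pos = [], 0                               # split a constructed element into (tag, contents)
    while pos < len(contents):
        tag, val, pos = _read_tlv(contents, pos)
        out.append((tag, val))
    return out

def _decode_oid(raw: bytes) -> str:
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                              # base-128 arcs, high bit = continuation
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def extended_key_usage(cert_der: bytes) -> Optional[List[str]]:
    """EKU OIDs of the certificate, or None when the extension is absent."""
    _, cert, _ = _read_tlv(cert_der, 0)            # Certificate ::= SEQUENCE
    tbs = _children(cert)[0][1]                    # tbsCertificate is the first field
    for tag, val in _children(tbs):
        if tag != 0xA3:                            # extensions live in [3] EXPLICIT
            continue
        _, exts, _ = _read_tlv(val, 0)             # Extensions ::= SEQUENCE OF Extension
        for _, ext in _children(exts):
            fields = _children(ext)                # extnID, optional critical, extnValue
            if _decode_oid(fields[0][1]) == OID_EXTENDED_KEY_USAGE:
                _, eku, _ = _read_tlv(fields[-1][1], 0)  # OCTET STRING holds SEQUENCE OF OID
                return [_decode_oid(v) for _, v in _children(eku)]
    return None

def fortios_eligibility(cert_der: bytes) -> Dict[str, bool]:
    """Purposes that would offer this certificate. No EKU at all is treated as
    matching nothing (an assumption: the article does not cover that case)."""
    eku = set(extended_key_usage(cert_der) or [])
    return {name: bool(eku & allowed) for name, allowed in FORTIOS_PURPOSES.items()}

def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour of a certificate exported from the CA or FortiGate."""
    return base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))

# ---- constructed sample input: an unsigned stand-in for the article's certificate ----
def _tlv(tag: int, value: bytes) -> bytes:
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def _oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.insert(0, 0x80 | (arc & 0x7F))
        body += bytes(chunk)
    return _tlv(0x06, bytes(body))

def build_sample_cert(eku_oids: List[str]) -> bytes:
    """Dummy-keyed certificate with basicConstraints CA:FALSE, keyUsage
    digitalSignature+keyEncipherment and the given EKU list (omitted if empty)."""
    seq = lambda *parts: _tlv(0x30, b"".join(parts))
    def ext(oid: str, value: bytes, critical: bool = False) -> bytes:
        flag = _tlv(0x01, b"\xff") if critical else b""
        return seq(_oid(oid), flag, _tlv(0x04, value))
    exts = [ext("2.5.29.19", seq(), True), ext("2.5.29.15", _tlv(0x03, b"\x05\xa0"), True)]
    if eku_oids:
        exts.append(ext(OID_EXTENDED_KEY_USAGE, seq(*[_oid(o) for o in eku_oids])))
    tbs = seq(
        _tlv(0xA0, _tlv(0x02, b"\x02")), _tlv(0x02, b"\x01"),     # version v3, serialNumber 1
        seq(_oid("1.2.840.113549.1.1.11")), seq(),               # sha256WithRSA, empty issuer
        seq(_tlv(0x17, b"240101000000Z"), _tlv(0x17, b"250101000000Z")), seq(),  # validity, empty subject
        seq(seq(_oid("1.2.840.113549.1.1.1")), _tlv(0x03, b"\x00")),  # placeholder SPKI
        _tlv(0xA3, seq(*exts)),                                  # [3] extensions
    )
    return seq(tbs, seq(_oid("1.2.840.113549.1.1.11")), _tlv(0x03, b"\x00"))
```

fortios_eligibility(build_sample_cert([OID_IPSEC_IKE_INTERMEDIATE])) returns True only for the IPsec row, matching the screenshots above, while a sample carrying OID_SERVER_AUTH is eligible everywhere. To check a real certificate exported from the CA, read the PEM file and pass pem_to_der(text) to fortios_eligibility. The walker reads the extension only; it verifies neither the signature nor the chain, so it complements, rather than replaces, the CA-side review of the signing template.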

Related Article:
Troubleshooting Tip: A guide to FortiGate and certificate issues