| Description |
This article describes an alternative approach that uses OpenSSL to check the signed certificate against the original Certificate Signing Request. This helps verify whether the errors FortiGate displays when importing a CA-signed certificate for a Certificate Signing Request generated on FortiGate are accurate. |
| Scope |
FortiGate. Prerequisite: OpenSSL binaries should be installed/available on the local PC/machine. |
| Solution |
Consider a new Certificate Signing Request generated from FortiGate as below:
Once the Certificate Signing Request is generated, it appears under the Certificates tab with a ‘Pending’ status.
This ‘FG-VM1-GUI.csr’ file would then be downloaded and signed by an external Certificate Authority. After the Certificate Authority (whether internal or external) signs the request, it provides the certificate, which then needs to be imported back to FortiGate. In this case, the Certificate Authority was an internal FortiAuthenticator, and the signed certificate exported from the FortiAuthenticator is named ‘FG_VM1_GUI.crt’.
OpenSSL can be used to validate that the presented certificate matches the original Certificate Signing Request. The command below prints the modulus of the public key in the Certificate Signing Request:
openssl req -noout -modulus -in <certificate_signing_request>
For example, the modulus generated for FG-VM1-GUI.csr is shown below:
The command below prints the modulus of the public key in the signed certificate:
Comparing the two outputs shows that the modulus of the signed certificate matches the modulus of the Certificate Signing Request. Going back to FortiGate, the import was successful and the status changes to ‘Valid’.
If the full modulus output turns out to be large, the md5 hash for the modulus can be obtained for easier comparison. The command to get the md5 hash for the certificate signing request is:
openssl req -noout -modulus -in <CSR> | openssl md5
For example:
C:\Users\admin\Downloads\OpenSSL>openssl req -noout -modulus -in FG-VM1-GUI.csr | openssl md5
MD5(stdin)= 2ac05eb519bb9dc1611c53eb8a580601
The command to get the md5 hash for the signed certificate is:
openssl x509 -noout -modulus -in <certificate> | openssl md5
For example:
C:\Users\admin\Downloads\OpenSSL>openssl x509 -noout -modulus -in FG_VM1_GUI.crt | openssl md5
MD5(stdin)= 2ac05eb519bb9dc1611c53eb8a580601
The hashes generated for the modulus of the Certificate Signing Request and the signed certificate are the same.
Below is a situation where FortiGate reports that the Certificate Signing Request and the imported signed certificate do not match, and the import fails:
Further validation using OpenSSL shows that the md5 hashes generated for the two moduli do not match.
C:\Users\admin\Downloads\OpenSSL>openssl req -noout -modulus -in fgvm2-GUI.csr | openssl md5
MD5(stdin)= 7afc15dd6126715f4bd86b16741256e7
C:\Users\admin\Downloads\OpenSSL>openssl x509 -noout -modulus -in fgvm2_GUI.crt | openssl md5
MD5(stdin)= 0f0bc9b1754dce742aafb489aafa49ba |
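The same check can be scripted. The following is an added example, not part of the original article or Fortinet's code: it compares the whole public key rather than only the modulus, which goes beyond the article's RSA case because a modulus exists only for RSA keys while EC keys have none. It assumes a POSIX shell with `openssl` on the PATH; the function names, file names and subjects are constructed for illustration.

```shell
#!/bin/sh
# Added example: check that a signed certificate carries the public key of a CSR.

# Print the SHA-256 fingerprint of the public key in a CSR ("req") or certificate ("x509").
pubkey_fingerprint() {  # usage: pubkey_fingerprint req|x509 <file>
    pem=$(openssl "$1" -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$pem" ] || return 2   # never hash empty input: two empty digests would "match"
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# Return 0 on match, 1 on mismatch, 2 if either file cannot be parsed.
csr_matches_cert() {  # usage: csr_matches_cert <csr> <certificate>
    csr_fp=$(pubkey_fingerprint req "$1") || return 2
    crt_fp=$(pubkey_fingerprint x509 "$2") || return 2
    echo "CSR  public key: $csr_fp"
    echo "Cert public key: $crt_fp"
    [ "$csr_fp" = "$crt_fp" ]
}

# Build constructed sample material in <dir>: two independent RSA requests (a, b)
# and one EC request, each with a certificate issued from it. Self-signing stands
# in for the CA here; the certificate's public key comes from the CSR either way.
make_samples() {  # usage: make_samples <dir>
    for n in a b; do
        openssl req -new -newkey rsa:2048 -nodes -keyout "$1/$n.key" \
            -out "$1/$n.csr" -subj "/CN=constructed-$n.example" 2>/dev/null || return 1
        openssl x509 -req -in "$1/$n.csr" -signkey "$1/$n.key" -days 1 \
            -out "$1/$n.crt" 2>/dev/null || return 1
    done
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/ec.key" || return 1
    openssl req -new -key "$1/ec.key" -out "$1/ec.csr" \
        -subj "/CN=constructed-ec.example" 2>/dev/null || return 1
    openssl x509 -req -in "$1/ec.csr" -signkey "$1/ec.key" -days 1 \
        -out "$1/ec.crt" 2>/dev/null
}

# When called with two arguments, compare real files,
# e.g.: sh check.sh FG-VM1-GUI.csr FG_VM1_GUI.crt
if [ "$#" -eq 2 ]; then
    if csr_matches_cert "$1" "$2"; then echo "MATCH"; else echo "MISMATCH or unreadable file"; fi
fi
```

A return code of 2 separates an unreadable or wrongly formatted file from a genuine key mismatch, which is a distinction the piped md5 comparison does not make.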