| Description | This article describes the correct formats to use for specifying Subject Alternative Names (SAN) when generating a Certificate Signing Request (CSR) on FortiGate, FortiManager, and FortiAnalyzer. |
| Scope | FortiGate, FortiManager, FortiAnalyzer. |
| Solution |
When generating a CSR on FortiGate and a SAN is required, use the following format depending on the SAN type:
For DNS entries:
For IP addresses:
After the certificate is signed by a Certificate Authority (CA), the SAN field will reflect the specified values, as shown in the image below.
Note: FortiGate is flexible in SAN formatting and supports both 'IP:' and 'IP Address:' formats.
However, for FortiManager and FortiAnalyzer, only the IP:x.x.x.x format is supported for IP addresses. If IP Address:x.x.x.x is used, the CSR will be generated successfully, but the signed certificate will not include the SAN field at all, as shown in the certificate below.
To ensure proper inclusion of SAN values on FortiManager and FortiAnalyzer, always use: DNS:example.com for DNS names. IP:x.x.x.x for IP addresses.
Both an IP address and a DNS name can also be used in the Subject Alternative Name, 'IP:192.168.0.1, DNS:server.example.com'. |
