| Description | This article describes the correct formats to use for specifying Subject Alternative Names (SAN) when generating a Certificate Signing Request (CSR) on FortiGate, FortiManager, and FortiAnalyzer. |
| Scope | FortiGate, FortiManager, FortiAnalyzer |
| Solution |
When generating a CSR on FortiGate and a SAN is required, use the following format depending on the SAN type:
For DNS entries:
For IP addresses:
After the certificate is signed by a Certificate Authority (CA), the SAN field will reflect the specified values, as shown in the image below.
Note: FortiGate is flexible in SAN formatting and supports both 'IP:' and 'IP Address:' formats.
However, for FortiManager and FortiAnalyzer, only the IP:x.x.x.x format is supported for IP addresses. If IP Address:x.x.x.x is used, the CSR will be generated successfully, but the signed certificate will not include SAN field at all as shown in the below certificate.
To ensure proper inclusion of SAN values on FortiManager and FortiAnalyzer, always use: DNS:example.com for DNS names IP:x.x.x.x for IP addresses |
