FortiGate
vsahu
Staff
Article Id 248447
Description

 

This article describes why a valid SSL certificate is necessary and how to install a newly generated certificate on FortiGate for HTTPS administrative access and SSL VPN.

 

Scope

 

FortiGate v7.0.x and later.

 

Solution

 

A certificate can be used for client or server authentication, depending on the requirement and the certificate type.

There are four certificate sections on FortiGate:

  • Local CA Certificate.
  • Local Certificate.
  • Remote CA Certificate.
  • Remote Certificate.

 

Open the certificate panel by navigating to System -> Certificates. 

 

(Screenshot: 1.PNG)

 

Enable the feature under System -> Feature Visibility if necessary.

 

(Screenshot: Certificate.jpg)

 

Local CA Certificate:

As the name implies, these are CA certificates held on the FortiGate itself. The default ones are generated the first time the FortiGate boots and are generally used for SSL inspection. Root CA certificates imported into the FortiGate together with their private key are also shown here.

Local Certificate:

This section contains the default certificate and any other certificate installed on FortiGate together with its private key, that is, either PEM + private key or a PKCS12 file. It also contains self-signed certificates and Sub-CA (intermediate CA) certificates imported into the FortiGate.

 

General example:

FortiGate GUI certificate, SSL VPN certificate, site-to-site VPN local certificate, virtual server certificate used for SSL offloading, and so on.

Remote CA Certificate:

FortiGate comes with many CA certificates from well-known certificate authorities pre-installed. CA certificates imported from other, less well-known CAs are viewable in the Remote CA Certificate section.

 

General example:

LDAPS; site-to-site VPN with PKI authentication in place of a peer certificate, where the remote CA is used to trust the certificate sent by the VPN peer for authentication; similarly the CA for PKI users connecting with SSL VPN; FSSO trusted SSL certificate; and so on.

Remote Certificate:

To install a certificate in PEM format without a private key, choose Remote Certificate (similar to Remote CA Certificate but not the same: here the end-entity certificate is uploaded rather than a CA certificate).

 

General example:

Using an IdP or SP certificate in SSO configuration, depending on the FortiGate role (SP or IdP), FSSO trusted SSL certificate, and so on.


SSL VPN and HTTPS Certificate:

When SSL VPN is configured or HTTPS access is enabled on the FortiGate WAN interface, the default FortiGate certificate is used and the browser shows an error, because the client machine does not trust that certificate: the FortiGate CA is not installed on client machines.

Often, when a user receives a security certificate warning, the user simply selects 'Continue' without understanding why the error is occurring.

To avoid encouraging this habit, it is possible to prevent the warning from appearing in the first place:

 

(Screenshot: Error.PNG)
Note:

The SSL VPN certificate is the identity certificate of the FortiGate; it is not used for certificate authentication of users.

To use certificate authentication, install an identity certificate on the client machine and a CA certificate on FortiGate.

 

To overcome this, generate an SSL certificate for a domain name associated with the public (WAN) IP, signed by a well-known third-party certificate authority.

Firstly, a domain name is necessary so that an A record can point to the public IP. Alternatively, with a valid FortiGuard subscription, FortiDDNS can be used to register a domain name:

DDNS

 

Note:

In modern browsers, the certificate needs to contain the address used to access the GUI. This IP or FQDN needs to be included in the Subject Alternative Name (SAN) field of the certificate. (It is applicable for a Certificate Signed by Internal CA also).


For example:

  • FortiGate accessed via https://192.0.2.1/... → the certificate SAN must include 192.0.2.1.
  • FortiGate accessed via https://firewall.mydomain.com/... → the certificate SAN must include firewall.mydomain.com (or *.mydomain.com).
    For the sake of completeness, the other usual certificate requirements still apply (non-exhaustive list): the certificate must be within its validity period, must be signed by a CA trusted by the client device, and should not use a SHA1 signature (no longer trusted).
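The browser-side SAN rule described above, as an added example that is not part of the Fortinet article: two POSIX sh functions, name_matches and san_covers (names chosen here), decide whether the address typed into the browser is covered by a certificate's SAN list. The SAN list below is constructed for the example and uses the article's values plus the wildcard it mentions; on a real certificate the same list can be read with openssl x509 -noout -ext subjectAltName. Only IPv4 literals are handled.

```shell
# Added example, not from the Fortinet article: how a modern browser matches the URL host
# against the certificate's Subject Alternative Name entries (the Subject CN is not consulted).

# One DNS SAN entry against the host from the URL, compared case-insensitively.
# A wildcard is honoured only in the left-most label and covers exactly one label:
# *.mydomain.com covers firewall.mydomain.com, but not mydomain.com or a.b.mydomain.com.
name_matches() {  # $1 = host from the URL, $2 = one DNS SAN entry
  h=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  p=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  case "$p" in
    "*."*) base="${p#\*.}"; rest="${h%.$base}"
           [ "$rest" != "$h" ] && [ -n "$rest" ] && [ "$rest" = "${rest%.*}" ] ;;
    *)     [ "$h" = "$p" ] ;;
  esac
}

# Is the address in the URL covered by the SAN list?
# $1 = host name or IPv4 literal from the URL
# $2 = SAN entries, comma separated, in the form openssl prints them
# An IP literal must appear as an "IP Address:" entry; a DNS entry never covers it.
san_covers() {
  case "$1" in
    *[!0-9.]*)   # anything that is not an IPv4 literal is treated as a DNS name
      printf '%s' "$2" | tr ',' '\n' | sed -n 's/^ *DNS://p' | {
        while IFS= read -r entry; do name_matches "$1" "$entry" && exit 0; done
        exit 1
      } ;;
    *)
      printf '%s' "$2" | tr ',' '\n' | sed 's/^ *//' | grep -qxF "IP Address:$1" ;;
  esac
}

# Constructed SAN list for the article's two access methods plus the wildcard it mentions.
SAN="DNS:firewall.mydomain.com, DNS:*.mydomain.com, IP Address:192.0.2.1"

# Stand-alone demo: one verdict per way of reaching the FortiGate.
for url_host in firewall.mydomain.com vpn.mydomain.com mydomain.com a.b.mydomain.com 192.0.2.1 192.0.2.2; do
  if san_covers "$url_host" "$SAN"; then
    echo "https://$url_host/  OK: covered by the SAN"
  else
    echo "https://$url_host/  browser warning expected: not covered by the SAN"
  fi
done
```

Only the first two hosts and 192.0.2.1 pass; the bare domain, the two-level subdomain and the other IP all produce the warning the article describes, which is why every address used to reach the GUI or SSL VPN has to be listed in the CSR.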

 

  1. Generate a CSR from FortiGate: 
    Go to System -> Certificates -> Create/Import -> Generate CSR.

 

(Screenshot: CSR with SAN.PNG)

 

Select the newly generated CSR and download the file:

 

(Screenshot: CSR with SAN Download.PNG)

 

Note: 

A CSR can also be generated using third-party tools, but then a PFX, PKCS12, or PEM format certificate together with the private key file is needed at installation. 

 

Related documents:
Technical Tip: Adding SAN(Subject Alternative Name) while generating CSR(Certificate Signing Request...
Technical Tip: How to sign a certificate with Subject Alternate Name (SAN)
Using the default certificate for HTTPS administrative access
More info on SAN.

 

  2. Upload the generated CSR to the chosen vendor site, which will then provide the certificate.

     

  3. Download the certificate and follow the steps below to install it. Extract the downloaded file(s) to the Desktop or to a new directory.

     

    Certificates will mostly arrive in one of the below formats:

    PEM, PKCS7: if the CSR was not generated by FortiGate, the private key file is also needed to install the certificate; otherwise the PEM file alone is enough.

    PFX, PKCS12: requires the passphrase or passcode to install.

    The intermediate and root CA certificates will generally also be provided; most third-party root CAs are already present in FortiGate by default.

     

Importing the SSL Certificate:

 

First scenario: the CSR was generated by FortiGate.

 

PEM/PKCS7/CER: if the CSR was generated on FortiGate, only the PEM, PKCS7 or .cer certificate is required, because the matching private key is already on the FortiGate.

Navigate to System -> Certificates -> Create/Import -> Certificate -> Import Certificate, select the type Local Certificate, upload the PEM certificate, and select 'Create'. The certificate is then imported and paired with the CSR's key.

 

(Screenshot: 1.PNG)

 

(Screenshot: 2.PNG)

 

(Screenshot: 3.PNG)


Second scenario: the CSR was generated on a third-party server and the certificate is a PEM file.


PEM/PKCS7/CER and private key: if the CSR was generated on a third-party server and the certificate provided by the CA vendor is in PEM format, the private key file is required along with the PEM file.


Navigate to System -> Certificates -> Create/Import -> Certificate -> Import Certificate, select the type Certificate, import the PEM certificate together with the private key, create a password, enter the certificate name, and select 'Create'. The certificate is then uploaded.

 

Note:

The password here is created by the user; any numeric or alphanumeric string can be used. It is only used to merge the PEM certificate and the private key into one object.

 

(Screenshot: 4.PNG)

 

Third scenario: the CSR was generated on a third-party server and the certificate is in PFX/PKCS12 format.

 

PFX, PKCS12: for a PFX certificate, the passphrase or password provided by the CA vendor is needed to install the certificate.

Navigate to System -> Certificates -> Create/Import -> Certificate -> Import Certificate, select the type PKCS12, upload the certificate, enter the password/passphrase provided by the CA vendor, and select 'Create'. 
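The CSR, certificate and PKCS12 handling from the steps and the three import scenarios above, as an added example done with the openssl command line; this is not the article's or Fortinet's code. firewall.mydomain.com and 192.0.2.1 are the article's values; the file names, the passphrase and the 30-day self-signed certificate that stands in for the CA-issued one are constructed for the example, and function names such as key_matches_cert are chosen here. It shows what each file in the scenarios is, checks the certificate against the client-side requirements the article lists, and produces the PEM + key and PKCS12 inputs the two third-party-CSR scenarios expect.

```shell
# Added example, not from the Fortinet article: CSR -> certificate -> import files with openssl.
set -eu
WORK="${WORK:-$(mktemp -d)}"
HOST="firewall.mydomain.com"
WAN_IP="192.0.2.1"
P12_PASS="example-passphrase"   # constructed; in scenario 3 the CA vendor supplies it

# "CSR generated using third-party tools": a private key plus a request carrying the SAN.
# Keep fgt.key: the issued certificate cannot be imported without it (scenario 2).
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/fgt.key" -out "$WORK/fgt.csr" \
    -subj "/CN=$HOST" -addext "subjectAltName=DNS:$HOST,IP:$WAN_IP" 2>/dev/null
}

# Stand-in for the CA: a real deployment uploads fgt.csr to the vendor and receives a PEM
# certificate (plus intermediate/root) back. Here the request's own key signs a 30-day cert.
issue_stub() {
  openssl req -x509 -new -key "$WORK/fgt.key" -out "$WORK/fgt.crt" -days 30 \
    -subj "/CN=$HOST" -addext "subjectAltName=DNS:$HOST,IP:$WAN_IP" 2>/dev/null
}

# SAN entries as openssl prints them, one per line ("DNS:name", "IP Address:a.b.c.d").
san_entries() {
  openssl x509 -in "$1" -noout -ext subjectAltName | tail -n +2 | tr ',' '\n' | sed 's/^ *//'
}
san_has() { san_entries "$WORK/fgt.crt" | grep -qxF "$1"; }

# The other client-side requirements from the article: still valid, and not signed with SHA-1.
still_valid() { openssl x509 -in "$WORK/fgt.crt" -noout -checkend 0 >/dev/null; }
sig_alg() {
  openssl x509 -in "$WORK/fgt.crt" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}
not_sha1() { case "$(sig_alg)" in *sha1*|*SHA1*) return 1 ;; *) return 0 ;; esac; }

# Scenario 2 sanity check before importing PEM + private key: the key must belong to the cert
# (compare the public key embedded in the certificate with the one derived from the key file).
key_matches_cert() {
  [ "$(openssl x509 -in "$WORK/fgt.crt" -noout -pubkey)" = \
    "$(openssl pkey -in "$WORK/fgt.key" -pubout 2>/dev/null)" ]
}

# Scenario 3 format: PEM + key merged into one PKCS12 file under a passphrase, which is what
# the GUI does with the password typed in scenario 2. Add -certfile chain.pem to bundle the
# intermediate CA when the vendor supplied one.
make_p12() {
  openssl pkcs12 -export -inkey "$WORK/fgt.key" -in "$WORK/fgt.crt" \
    -out "$WORK/fgt.p12" -passout "pass:$P12_PASS"
}
p12_opens_with() { openssl pkcs12 -in "$WORK/fgt.p12" -info -noout -passin "pass:$1" >/dev/null 2>&1; }

run_all() {
  make_csr && issue_stub && make_p12
  san_has "DNS:$HOST" && san_has "IP Address:$WAN_IP" && still_valid && not_sha1 \
    && key_matches_cert && p12_opens_with "$P12_PASS"
}

run_all && echo "files in $WORK pass the checks; fgt.crt+fgt.key (scenario 2) and fgt.p12 (scenario 3) are ready"
```

If key_matches_cert fails, the PEM file came back for a different CSR than the key on hand and the import will be rejected; if p12_opens_with fails with the vendor's passphrase, the PFX file is the wrong one or was re-exported with another password.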

 

(Screenshot: 6.PNG)

 

Once the certificate is uploaded, it can be selected for HTTPS access and SSL VPN.

Navigate to System -> Settings -> HTTPS server certificate, select the certificate and apply.

 

(Screenshot: 7PNG.PNG)

To apply the HTTPS server certificate through the CLI, use the command below:

 

config system global
    set admin-server-cert "Name of the uploaded certificate"
end

 

Navigate to VPN -> SSL VPN settings -> Server certificate, select the certificate, and apply.


(Screenshot: 8PNG.PNG)

 

Note:

If the certificate is generated by a local CA, it will be necessary to install the CA certificate on the machine.


(Screenshot: no error.PNG)

 

It is possible to use an Automated Certificate Management Environment (ACME) and get a free SSL certificate from the public Let's Encrypt certificate authority (https://letsencrypt.org). For more information, see the following guide: Automatically provision a certificate.
Additionally, see https://www.rfc-editor.org/rfc/rfc8555.

 

To use Microsoft Intermediate CA for Deep SSL Inspection Certificate, see Microsoft CA deep packet inspection.

 

To regenerate the default certificate, see Regenerate default certificates.

Guide to FortiGate and certificate issues: Troubleshooting Tip: A guide to FortiGate and certificate issues.