Article Id 196609



This article explains how to generate a CSR in the FortiGate CLI.





To generate a CSR from the FortiGate CLI, the following command can be used. The CSR and its private key are created together in the FortiGate's local certificate store; the private key never leaves the unit, only the CSR is downloaded and submitted to the CA:

'execute vpn certificate [store] generate [...]'


Command Syntax:


execute vpn certificate [store] generate [encryption_method] [certificate_name] [key_size] [Host IP/Domain Name/E-Mail] [Country Name or Code] [State/Province] [City] [Organization] [Organization Unit] [Email] [SANs - optional] [URL of the CA server for signing via SCEP (optional)]



Command Options:



store: ca, crl, local, remote (a CSR is generated in the local store, where its private key is kept)
encryption_method: rsa or elliptic curve (the key algorithm)
cert_name: Name for the certificate, purely an identifier on the FortiGate
key_size: Key size in bits. Options are 1024, 1536, 2048, 4096; use 2048 or larger, as public CAs no longer sign requests for 1024-bit or 1536-bit RSA keys
Host IP/Domain Name/E-Mail: the subject Common Name (CN), the name the certificate is issued for
Country: Country name or country code such as CA (Canada)
State/Province: State or province name such as BC (British Columbia)
City: City name
Organization: Organization name
Organization Unit: Organizational Unit, similar to a directory in a directory service
Email: Email address of the IT contact
SANs: Subject Alternative Names, the other names the certificate is valid for. Repeat the CN value here: browsers and most TLS clients match the server name against the SAN list only and ignore the CN

SAN Syntax

IP Address: IP:<address>
DNS Name: DNS:<host name>

Note - Multiple SANs are separated by a comma (,) with no space after the comma.

SCEP: URL of the CA server for signing via SCEP (optional)
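The SAN field is the one that most often goes wrong, because a stray space ends the field and the CLI silently reads the rest of the line as the next positional argument. The following is an added example, not part of the Fortinet article: a small pre-flight script that validates the SAN list against the rules above (DNS:/IP: prefixes, comma with no space, CN repeated as a SAN, key size) and assembles the 'execute vpn certificate local generate' line from separate variables so the field order cannot be mixed up. The host names, IP address and email address at the bottom are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the Fortinet article: pre-flight check of the
# SAN list and assembly of the 'execute vpn certificate local generate'
# line before it is pasted into the FortiGate CLI.
# Assumption: SAN entries are written with the DNS: and IP: prefixes.

# validate_sans CN SAN_LIST
# Prints "ok" and returns 0 when the SAN list is usable; otherwise prints
# the first problem found and returns 1.
validate_sans() {
    cn=$1
    sans=$2
    case "$sans" in
        '')  echo "error: empty SAN list" ; return 1 ;;
        *[[:space:]]*)
             # a space ends the SAN field: the FortiGate would read whatever
             # follows it as the SCEP URL and reject the command
             echo "error: whitespace in SAN list; separate entries with a comma only" ; return 1 ;;
        ,*|*,|*,,*)
             echo "error: empty entry in SAN list (check the commas)" ; return 1 ;;
    esac
    # every entry must carry a known prefix; IP entries must look like IPv4
    ( IFS=,
      for entry in $sans; do
          case "$entry" in
              DNS:?*) ;;
              IP:?*)
                  printf '%s\n' "${entry#IP:}" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' \
                      || { echo "error: '$entry' is not an IPv4 address (IPv6 is not handled here)" ; exit 1 ; }
                  ;;
              *)  echo "error: '$entry' must start with DNS: or IP:" ; exit 1 ;;
          esac
      done ) || return 1
    # clients match the server name against the SAN list and ignore the CN,
    # so the CN has to appear as a SAN as well
    case ",$sans," in
        *",DNS:$cn,"*|*",IP:$cn,"*) ;;
        *) echo "error: CN '$cn' is not in the SAN list" ; return 1 ;;
    esac
    echo ok
}

# build_csr_command NAME KEY_SIZE CN COUNTRY STATE CITY ORG OU EMAIL SAN_LIST
# Prints the CLI line in the article's field order; the optional SCEP URL
# is left off.
build_csr_command() {
    [ $# -eq 10 ] || { echo "error: expected 10 fields, got $#" ; return 1 ; }
    case "$2" in
        2048|4096) ;;
        1024|1536) echo "error: $2-bit keys are accepted by the CLI but rejected by public CAs" ; return 1 ;;
        *)         echo "error: key size must be 2048 or 4096" ; return 1 ;;
    esac
    # each field is delimited by a space, so no field may contain one
    for field in "$@"; do
        case "$field" in
            *[[:space:]]*) echo "error: field '$field' contains whitespace, which starts the next field" ; return 1 ;;
        esac
    done
    msg=$(validate_sans "$3" "${10}") || { echo "$msg" ; return 1 ; }
    printf 'execute vpn certificate local generate rsa %s %s %s %s %s %s %s %s %s %s\n' "$@"
}

# Constructed example values (CN, email address and SANs are made up):
build_csr_command TestCSR 2048 vpn.example.com CA ON Ottawa Fortinet HR it@example.com \
    'DNS:vpn.example.com,IP:198.51.100.10'
```

Run it once with your own values and paste the printed line into the CLI; if it prints an error instead, fix the input rather than the command, since the FortiGate would accept a line with a misplaced space and quietly put the value in the wrong field.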





# execute vpn certificate local generate rsa TestCSR 2048 CA ON Ottawa Fortinet HR,


Field Values -

Certificate Name: TestCSR
Key Size: 2048
Country: CA (Canada)
State/Province: ON (Ontario)
City: Ottawa
Organization: Fortinet


Important Notes


1) Multiple values for a single field are entered by separating them with a comma (,) and no space. For example, when a comma follows the email address, the FortiGate prompts for another email address instead of moving on to the next field.


2) Every field is separated by a space, and a space marks the start of the next expected field in the syntax. If a space is typed while giving multiple values for a single field, the FortiGate assigns whatever follows the space to the next field. For example, a space after the comma in the SAN field makes the FortiGate treat the following DNS name as the SCEP URL rather than as another SAN.

If multiple SANs are entered with a space after the comma, the command is rejected with an error. This is expected, because the FortiGate is now expecting a SCEP URL in that position instead of a SAN.


3) Once the CSR has been generated successfully, confirm the value of each field by decoding it: download the CSR, open it with a text editor and paste its content into a CSR decoder, or decode it locally with 'openssl req -in <file>.csr -noout -text' and check the Subject, the key size and the Subject Alternative Name extension.
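Decoding the request locally keeps the CSR off third-party websites and lets the check be scripted. The following is an added example, not part of the Fortinet article: it decodes a CSR with openssl and flags the two defects this article is about, a CN that is not repeated in the SAN list and a key below 2048 bits. The two CSRs it checks are constructed here with openssl (made-up host names and addresses) so the script runs offline; for a real request, download the CSR from the FortiGate and pass its file name to check_csr.

```shell
#!/bin/sh
# Added example, not part of the Fortinet article: decode a CSR with openssl
# and check it for a CN missing from the SANs and for a key under 2048 bits.
# The sample CSRs built at the bottom are constructed for the example.
# Requires openssl 1.1.1 or later (for -addext when building the samples).

# csr_cn FILE: the subject CN (handles both "CN = x" and "/CN=x" output styles)
csr_cn() {
    openssl req -in "$1" -noout -subject \
        | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p' | sed 's/[[:space:]]*$//'
}

# csr_bits FILE: public key size in bits
csr_bits() {
    openssl req -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# csr_sans FILE: the SAN line as openssl prints it, e.g. "DNS:a, IP Address:b"
csr_sans() {
    openssl req -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;s/^[[:space:]]*//;p;}'
}

# check_csr FILE: prints "ok", or "FAIL:" followed by the problems found
check_csr() {
    cn=$(csr_cn "$1")
    bits=$(csr_bits "$1")
    sans=$(csr_sans "$1")
    problems=""
    [ "${bits:-0}" -ge 2048 ] || problems="$problems weak-key(${bits:-unknown})"
    # openssl separates SAN entries with ", " and labels addresses "IP Address:"
    case ", $sans," in
        *", DNS:$cn,"*|*", IP Address:$cn,"*) ;;
        *) problems="$problems cn-not-in-san($cn)" ;;
    esac
    if [ -n "$problems" ]; then echo "FAIL:$problems"; else echo ok; fi
}

# make_sample_csr FILE CN SAN_LIST: throw-away key and CSR with the same
# subject fields as the article's example (constructed sample data)
make_sample_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -subj "/C=CA/ST=ON/L=Ottawa/O=Fortinet/OU=HR/CN=$2" \
        -addext "subjectAltName=$3" >/dev/null 2>&1
}

WORK=$(mktemp -d)
GOOD_CSR="$WORK/good.csr"
NOCN_CSR="$WORK/nocn.csr"
make_sample_csr "$GOOD_CSR" vpn.example.com 'DNS:vpn.example.com,IP:198.51.100.10'
make_sample_csr "$NOCN_CSR" vpn.example.com 'DNS:portal.example.com'   # CN left out of the SANs

echo "good: $(check_csr "$GOOD_CSR")"
echo "nocn: $(check_csr "$NOCN_CSR")"
```

A request that prints FAIL should be regenerated on the FortiGate rather than submitted; a CA will happily sign a CSR whose CN is absent from the SANs, and the resulting certificate will then fail hostname validation in every current browser.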