Created on 05-01-2015 10:33 AM Edited on 06-06-2024 09:23 PM By Anthony_E
Description
This article explains how to generate a CSR in the FortiGate CLI.
Scope
FortiGate.
Solution
To generate a CSR from the FortiGate CLI, use the following command (a CSR can only be generated in the local certificate store):
'execute vpn certificate local generate [...]'
Command Syntax:
execute vpn certificate [store] generate [encryption_method] [certificate_name] [key_size] [Host IP/Domain Name/E-Mail] [Country Name or Code] [State/Province] [City] [Organization] [Organization Unit] [Email] [SANs - optional] [URL of the CA server for signing via SCEP (optional)]
Command Options:
store: ca, crl, local, remote. Only the local store supports 'generate'; the ca, crl and remote stores hold CA certificates, CRLs and peer certificates and only support import, export and list.
encryption_method: rsa or ec (elliptic curve). For ec, the key_size argument is replaced by the curve name.
certificate_name: Name for the certificate on the FortiGate, purely meant as an identifier. The signed certificate will later be imported against this same name.
key_size: RSA key length in bits. Options are 1024, 1536, 2048, 4096. Use 2048 or larger: 1024- and 1536-bit RSA keys are below the minimum public CAs will sign and are deprecated.
Host IP/Domain Name/E-Mail: Common Name (CN), the FQDN, IP address or e-mail address the certificate is issued for.
Country: Two-letter ISO 3166-1 country code such as CA (Canada), which is what the certificate's C attribute expects.
State/Province: State or Province Name such as BC (British Columbia). Values containing spaces must be enclosed in double quotes.
City: City Name.
Organization: Organization Name.
Organization Unit: Organizational Unit, for example a department. Publicly trusted TLS certificates no longer carry an OU (the CA/Browser Forum Baseline Requirements dropped it in September 2022), so a public CA will strip this field.
Email: E-mail address of the IT contact, placed in the subject.
SANs: Other names the certificate is valid for. The CN must also be listed as a SAN if clients are to accept it: browsers and most modern TLS clients match hostnames only against the Subject Alternative Name extension and ignore the CN.
SAN Syntax
Email: email:admin@companyname.com
IP Address: IP:1.1.1.1
URL: URI:http://companyname.com
DNS Name: DNS:www.companyname.com
Note - Multiple SANs are separated by a comma (,) with no space after it, for example DNS:www.companyname.com,DNS:www.companyname1.com,DNS:www.companyname2.com. The whole SAN list is a single positional argument.
SCEP: URL of the CA server for signing via SCEP (optional, and only accepted after the SAN list).
Example:
execute vpn certificate local generate rsa TestCSR 2048 companyname.com CA ON Ottawa Fortinet HR admin@companyname.com DNS:companyname.com,DNS:companyname1.com
Field Values -
Certificate Name: TestCSR
Key Size: 2048
CN: companyname.com
Country: CA (Canada)
State/Province: ON (Ontario)
City: Ottawa
Organization: Fortinet
OU: HR
Email: admin@companyname.com
SANs:
DNS Name=companyname.com
DNS Name=companyname1.com
If the CSR is generated successfully, the FortiGate reports "Global certificate Signing State: Pending" and the request is listed in the local store as pending until a signed certificate matching its key is imported.
Downloading/retrieving the CSR from the CLI:
There are two methods available for retrieving the CSR from the FortiGate so that it can be signed by a Certificate Authority:
Method #1: Exporting from the FortiGate via TFTP:
execute vpn certificate [store] export tftp [certificate_name] [certificate_file_type ('cer' | 'p12' | 'csr')] [destination_filename] [TFTP_IP/FQDN]
Example:
exec vpn certificate local export tftp TestCSR csr TestCSR.csr 192.168.1.100
Method #2: Copy/Paste from FortiOS CLI:
Uploading the signed certificate to the FortiGate via the CLI:
There are two methods available for uploading the signed certificate to the FortiGate and completing the certificate setup process:
Method #1: Uploading to the FortiGate via TFTP:
execute vpn certificate [store] import tftp [file_name_on_TFTP_server] [TFTP_IP/FQDN] [certificate_file_type ('cer' | 'p12')] [<Enter> | <password> (for PKCS12 file)]
The FortiGate pairs the imported 'cer' file with the pending CSR whose key it matches, so the import completes the existing pending entry rather than creating a new one. A 'p12' import brings its own private key and therefore requires the PKCS12 password.
Method #2: Copy/Paste to the FortiOS CLI (the name edited must be the name of the pending CSR, and the PEM text from the CA is pasted in place of the placeholder):
config vpn certificate [store]
    edit [certificate_name]
        set certificate "-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----"
    next
end
Important Notes
After a comma in the SAN field, the CLI expects another SAN entry rather than the next positional field, because the whole SAN list is one argument.
A space after a comma (,) ends the SAN argument. The FortiGate then reads the next token as the SCEP URL rather than as another DNS name.
If multiple SANs are entered with a space after the comma, for example DNS:companyname.com, DNS:companyname1.com, the command fails with an error.
This is expected: the FortiGate is now treating DNS:companyname1.com as the SCEP value instead of as a SAN.
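The command-building rules above (positional order, comma-separated SANs with no spaces, CN repeated as a SAN, key size) and the space-after-comma pitfall described in these notes, as an added example: a small Python helper that assembles the generate command from structured fields and shows how a whitespace-tokenizing CLI mis-reads a SAN list containing a stray space. This is not Fortinet code. The class and function names (CsrRequest, build_generate_command, positional_args) are this example's own, the double-quoting of values containing spaces follows the FortiOS CLI convention for string arguments, and the token positions assume the RSA form of the syntax line exactly as given above.

```python
"""Build and sanity-check 'execute vpn certificate local generate' commands.

Added example, not Fortinet code. Positional order follows the article's
syntax line for the rsa form; the helper does not cover the ec form.
"""
import ipaddress
import re
import shlex
from dataclasses import dataclass, field
from typing import List, Tuple

ALLOWED_KEY_SIZES = (1024, 1536, 2048, 4096)   # sizes the CLI accepts (per article)
MIN_SAFE_KEY_SIZE = 2048                       # public CAs will not sign RSA below this
SAN_TYPES = ("DNS", "IP", "email", "URI")      # prefixes from the article's SAN syntax


@dataclass
class CsrRequest:                              # example's own structure, not a FortiOS object
    name: str
    key_size: int
    common_name: str
    country: str
    state: str
    city: str
    organization: str
    org_unit: str
    email: str
    sans: List[str] = field(default_factory=list)
    scep_url: str = ""


def san_for_common_name(cn: str) -> str:
    """Return the SAN entry that repeats the CN, typed the way clients will match it."""
    try:
        ipaddress.ip_address(cn)
        return f"IP:{cn}"
    except ValueError:
        return f"email:{cn}" if "@" in cn else f"DNS:{cn}"


def validate_san(entry: str) -> None:
    """Reject SAN entries the CLI would mis-parse or a CA would refuse."""
    if re.search(r"\s", entry):
        raise ValueError(f"SAN {entry!r} contains whitespace; the CLI would read the "
                         "following token as the SCEP URL")
    if ":" not in entry:
        raise ValueError(f"SAN {entry!r} lacks a type prefix (DNS:/IP:/email:/URI:)")
    san_type, value = entry.split(":", 1)
    if san_type not in SAN_TYPES or not value:
        raise ValueError(f"SAN {entry!r} has an unsupported type or an empty value")
    if san_type == "IP":
        ipaddress.ip_address(value)                     # raises ValueError on junk
    elif san_type == "email" and "@" not in value:
        raise ValueError(f"SAN {entry!r} is not an e-mail address")
    elif san_type == "DNS" and not re.fullmatch(r"(\*\.)?[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*", value):
        raise ValueError(f"SAN {entry!r} is not a valid DNS name")


def lint(req: CsrRequest) -> List[str]:
    """Non-fatal findings a reviewer would raise before the CSR goes to a CA."""
    findings = []
    if req.key_size < MIN_SAFE_KEY_SIZE:
        findings.append(f"RSA-{req.key_size} is below the {MIN_SAFE_KEY_SIZE}-bit minimum CAs require")
    if len(req.country) != 2 or not req.country.isalpha():
        findings.append(f"country {req.country!r} is not a two-letter ISO code")
    return findings


def quote(arg: str) -> str:
    """FortiOS CLI string arguments containing spaces are enclosed in double quotes."""
    return f'"{arg}"' if " " in arg else arg


def build_generate_command(req: CsrRequest) -> str:
    """Assemble the CLI line, adding the CN as a SAN if it is missing."""
    if req.key_size not in ALLOWED_KEY_SIZES:
        raise ValueError(f"key size must be one of {ALLOWED_KEY_SIZES}")
    sans = list(req.sans)
    for entry in sans:
        validate_san(entry)
    cn_san = san_for_common_name(req.common_name)
    if cn_san not in sans:
        sans.append(cn_san)                    # clients ignore CN; it must also be a SAN
    fields = [req.name, str(req.key_size), req.common_name, req.country, req.state,
              req.city, req.organization, req.org_unit, req.email]
    if not all(fields):
        raise ValueError("every positional field must be non-empty")
    parts = ["execute vpn certificate local generate rsa", *map(quote, fields), ",".join(sans)]
    if req.scep_url:
        parts.append(req.scep_url)             # SCEP URL only ever follows the SAN list
    return " ".join(parts)


def positional_args(command: str) -> Tuple[str, str]:
    """Tokenize like a whitespace-splitting CLI (double quotes honoured) and return
    the (SAN, SCEP) tokens so a stray space after a comma becomes visible."""
    tokens = shlex.split(command)
    # tokens 0-4: execute vpn certificate local generate; 5: rsa; 6-14: nine fields
    san = tokens[15] if len(tokens) > 15 else ""
    scep = tokens[16] if len(tokens) > 16 else ""
    return san, scep


if __name__ == "__main__":
    req = CsrRequest("TestCSR", 2048, "companyname.com", "CA", "ON", "Ottawa",
                     "Fortinet", "HR", "admin@companyname.com",
                     ["DNS:companyname.com", "DNS:companyname1.com"])
    good = build_generate_command(req)
    print(good)
    print("correct split :", positional_args(good))
    print("space after , :", positional_args(good.replace(",", ", ")))
```

Running the block prints the article's example command, then shows that with the SAN list written as DNS:companyname.com, DNS:companyname1.com the SAN token becomes "DNS:companyname.com," and "DNS:companyname1.com" lands in the SCEP position, which is exactly the failure the notes describe.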
Copyright 2024 Fortinet, Inc. All Rights Reserved.