FortiGate
Anonymous
Article Id 192705

Description

This article describes how to generate certificates for testing with the open-source utility 'OpenSSL'.
Note that OpenSSL is not endorsed or supported by Fortinet.

The certificates created here should not be used in production and are difficult to manage.
This article only provides an example.
It is recommended to use an internal managed CA or have the certificates issued by a publicly trusted CA.

More information on OpenSSL can be found at this website:
https://www.openssl.org/

Scope

FortiGate.

Solution


The FortiGate cookbook article 'SSL VPN with certificate authentication' requires three certificates:

  • CA certificate.
  • Server certificate (signed by the CA certificate).
  • User certificate (signed by the CA certificate).


These can be generated using OpenSSL as follows:
  1. Generate the CA:

openssl genrsa -aes256 -out ca-key.pem 4096
openssl req -x509 -new -nodes -extensions v3_ca -key ca-key.pem -days 365 -out ca-root.pem -sha512

This creates two files: the CA certificate 'ca-root.pem' and its private key 'ca-key.pem'. A passphrase for the private key is required; OpenSSL asks for it when the key is generated and again each time the key is used to sign a certificate.

  2. Create a serial file:

echo 00 > serial.srl


  3. Generate the server certificate and key:

openssl genrsa -out server.key 4096
openssl req -key server.key -new -out server.req
openssl x509 -req -in server.req -CA ca-root.pem -CAkey ca-key.pem -CAserial serial.srl -out server.pem

When prompted for the subject of the request, set the Common Name to the hostname that clients will use to reach the SSL VPN. Note that 'openssl x509 -req' issues a certificate valid for only 30 days unless '-days' is given.


  4. Generate the client certificate and key:

openssl genrsa -out user.key 4096
openssl req -key user.key -new -out user.req
openssl x509 -req -in user.req -CA ca-root.pem -CAkey ca-key.pem -CAserial serial.srl -out user.pem


  5. Merge the client certificate and key into a PFX file:

openssl pkcs12 -export -out user.pfx -inkey user.key -in user.pem

OpenSSL prompts for an export password; the same password is needed to import 'user.pfx' on the client.


It is now possible to proceed with the Cookbook article.
The three files to use are: ca-root.pem (CA certificate), server.pem (server certificate) and user.pfx (user certificate and key).
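The same five steps, scripted end to end so they run without prompts and can be checked afterwards, are given below as an added example; it is not part of the Fortinet article and not Fortinet code. The scratch directory, the demo passphrases, the hostname 'vpn.example.test', the subject names, the 365-day validity of the leaf certificates and the X.509v3 extensions written to 'ext.cnf' (CA flag, key usage, serverAuth/clientAuth extended key usage and a subjectAltName, none of which the article's commands set) are all assumptions made for this example. After building the files it uses 'openssl verify' to confirm that each leaf certificate chains to 'ca-root.pem' for its intended purpose, that the user certificate is rejected when offered as a server certificate, and that the PFX file opens with its passphrase.

```shell
#!/bin/sh
# Added example, not from the Fortinet article: runs the article's five OpenSSL
# steps non-interactively and then checks the result with 'openssl verify'.
# Assumptions (all constructed for this example): the scratch directory, the
# demo passphrases, the subject names, the 365-day leaf validity and the
# X.509v3 extensions in ext.cnf, which the article's commands do not set.
set -u

WORKDIR="${WORKDIR:-./sslvpn-test-pki}"        # hypothetical scratch directory
SERVER_NAME="${SERVER_NAME:-vpn.example.test}" # constructed SSL VPN hostname
CA_PASS="${CA_PASS:-demo-ca-passphrase}"       # constructed, not a real secret
PFX_PASS="${PFX_PASS:-demo-pfx-passphrase}"    # constructed, not a real secret

# Steps 1-5 of the article. Returns 0 when all output files exist.
build_test_pki() {
    mkdir -p "$WORKDIR" || return 1
    (
        cd "$WORKDIR" || exit 1
        # Minimal config so 'req' needs no prompts, plus the extensions a
        # modern TLS client checks (CA flag, key usage, EKU, SAN).
        cat > ext.cnf <<EOF
[req]
distinguished_name = req_dn
[req_dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[server_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$SERVER_NAME
[user_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
        # Step 1: passphrase-protected CA key and self-signed root certificate
        openssl genrsa -aes256 -passout "pass:$CA_PASS" -out ca-key.pem 4096 || exit 1
        openssl req -x509 -new -config ext.cnf -extensions ca_ext -key ca-key.pem \
            -passin "pass:$CA_PASS" -days 365 -sha512 -subj "/CN=Test SSL VPN CA" \
            -out ca-root.pem || exit 1
        # Step 2: serial file; 'x509 -req' increments it for every certificate signed
        echo 00 > serial.srl
        # Step 3: server key and CA-signed server certificate
        openssl genrsa -out server.key 4096 || exit 1
        openssl req -new -config ext.cnf -key server.key -subj "/CN=$SERVER_NAME" \
            -out server.req || exit 1
        openssl x509 -req -in server.req -CA ca-root.pem -CAkey ca-key.pem \
            -passin "pass:$CA_PASS" -CAserial serial.srl -days 365 -sha256 \
            -extfile ext.cnf -extensions server_ext -out server.pem || exit 1
        # Step 4: user key and CA-signed user certificate
        openssl genrsa -out user.key 4096 || exit 1
        openssl req -new -config ext.cnf -key user.key -subj "/CN=vpnuser" \
            -out user.req || exit 1
        openssl x509 -req -in user.req -CA ca-root.pem -CAkey ca-key.pem \
            -passin "pass:$CA_PASS" -CAserial serial.srl -days 365 -sha256 \
            -extfile ext.cnf -extensions user_ext -out user.pem || exit 1
        # Step 5: PKCS#12 bundle of user certificate and key for the client
        openssl pkcs12 -export -inkey user.key -in user.pem \
            -passout "pass:$PFX_PASS" -out user.pfx || exit 1
    ) || return 1
    for f in ca-root.pem server.pem user.pem user.pfx; do
        [ -s "$WORKDIR/$f" ] || return 1
    done
}

# Prints OK when certificate $1 chains to ca-root.pem and is valid for
# purpose $2 (sslserver or sslclient), otherwise FAIL.
verify_leaf() {
    if openssl verify -CAfile "$WORKDIR/ca-root.pem" -purpose "$2" \
        "$WORKDIR/$1" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# Prints the serial number of certificate $1 (hex, as issued from serial.srl).
cert_serial() {
    openssl x509 -in "$WORKDIR/$1" -noout -serial | cut -d= -f2
}

# Prints how many private keys user.pfx yields with the PFX passphrase (1 expected).
pfx_key_count() {
    openssl pkcs12 -in "$WORKDIR/user.pfx" -passin "pass:$PFX_PASS" -nocerts -nodes \
        2>/dev/null | grep -c 'BEGIN .*PRIVATE KEY'
}

if build_test_pki; then
    echo "server.pem as TLS server: $(verify_leaf server.pem sslserver)"
    echo "user.pem as TLS client:   $(verify_leaf user.pem sslclient)"
    echo "user.pem as TLS server:   $(verify_leaf user.pem sslserver)  (expected FAIL)"
    echo "serials: server=$(cert_serial server.pem) user=$(cert_serial user.pem)"
    echo "keys in user.pfx: $(pfx_key_count)"
else
    echo "certificate generation failed" >&2
fi
```

Save it under any name (for instance 'make-test-pki.sh', a hypothetical file name) and run it with sh; it needs OpenSSL 1.1.1 or later on the path. Override WORKDIR, SERVER_NAME, CA_PASS or PFX_PASS in the environment to change the assumptions. The negative check (the user certificate failing 'openssl verify -purpose sslserver') is the point of adding the extended key usage: without it, any certificate signed by this CA could be presented as a server certificate.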
