Created on
12-07-2016
04:27 AM
Edited on
06-05-2025
03:22 AM
By
Jean-Philippe_P
Description
This article describes how to generate certificates for testing with the open-source utility 'OpenSSL'.
Note that OpenSSL is not endorsed or supported by Fortinet.
The certificates created here should not be used in production and are difficult to manage.
This article only provides an example.
It is recommended to use an internal managed CA or have the certificates issued by a publicly trusted CA.
More information on OpenSSL can be found at this website:
https://www.openssl.org/
Scope
FortiGate.
Solution
The FortiGate cookbook article 'SSL VPN with certificate authentication' requires three certificates: a CA certificate, a server certificate for the FortiGate SSL VPN, and a user (client) certificate issued by the same CA.
These can be generated using OpenSSL as follows:
openssl genrsa -aes256 -out ca-key.pem 4096
openssl req -x509 -new -nodes -extensions v3_ca -key ca-key.pem -days 365 -out ca-root.pem -sha512
This creates two files: the CA certificate 'ca-root.pem' and its private key 'ca-key.pem'. Because '-aes256' encrypts the key, a passphrase is prompted for when the key is generated and again each time it is used to sign. The '-nodes' option has no effect here, since no new key is generated by this 'req' command. The CA subject is entered at the prompts.
echo 00 > serial.srl
openssl genrsa -out server.key 4096
openssl req -key server.key -new -out server.req
openssl x509 -req -in server.req -CA ca-root.pem -CAkey ca-key.pem -CAserial serial.srl -out server.pem
At the 'req' prompt, enter the host name that users will connect to as the Common Name of the server certificate. Note that 'openssl x509 -req' issues a certificate valid for only 30 days when '-days' is not given, and adds no extensions (such as subjectAltName or extendedKeyUsage) unless an '-extfile' is supplied; clients that require a subjectAltName will not accept a certificate issued exactly as above.
openssl genrsa -out user.key 4096
openssl req -key user.key -new -out user.req
openssl x509 -req -in user.req -CA ca-root.pem -CAkey ca-key.pem -CAserial serial.srl -out user.pem
Merge the client certificate and key into a PFX (PKCS#12) file. An export password is prompted for; it is needed again when the file is imported on the client:
openssl pkcs12 -export -out user.pfx -inkey user.key -in user.pem
It is now possible to proceed with the Cookbook article.
The three files to use are: ca-root.pem (CA certificate), server.pem (server certificate, imported together with its private key server.key), and user.pfx (user certificate and key).
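The following script is an added example and is not part of the Fortinet article or an OpenSSL project script. It runs the same procedure non-interactively and fixes the gaps noted above: the subjects are passed with '-subj', the CA passphrase and PFX export password come from the environment variables CA_PASS and PFX_PASS (assumed names chosen for this example), a small inline config supplies the CA extensions so the script does not depend on the system openssl.cnf, the server certificate gets a subjectAltName and serverAuth, the user certificate gets clientAuth, and both leaf certificates get an explicit one-year validity. The host name 'vpn.example.test', the user name and the KEY_BITS override are assumptions for the example. A second function checks the result with 'openssl verify' before anything is loaded on the FortiGate.

```shell
# make_test_pki.sh: non-interactive version of the procedure above (added example, not Fortinet's code).
# Usage: sh make_test_pki.sh <outdir> <vpn-hostname> <user-name>
# Assumed environment: CA_PASS (CA key passphrase), PFX_PASS (user.pfx export password),
# KEY_BITS (defaults to 4096 as in the article; 2048 is faster for a throwaway lab).

make_test_pki() {
  pki_dir="$1"; vpn_host="$2"; vpn_user="$3"
  ca_pass="${CA_PASS:-changeit}"; pfx_pass="${PFX_PASS:-changeit}"; bits="${KEY_BITS:-4096}"
  mkdir -p "$pki_dir" && (
    set -e
    cd "$pki_dir"
    # Minimal config: CA extensions for 'req -x509', and an (empty) DN section since -subj is used.
    printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' '[dn]' '[v3_ca]' \
      'basicConstraints = critical,CA:TRUE' 'keyUsage = critical,keyCertSign,cRLSign' \
      'subjectKeyIdentifier = hash' > ca.cnf
    # 1. CA: AES-256-encrypted RSA key and a self-signed root, one year, SHA-512 (as in the article).
    openssl genrsa -aes256 -passout "pass:$ca_pass" -out ca-key.pem "$bits"
    openssl req -x509 -new -config ca.cnf -key ca-key.pem -passin "pass:$ca_pass" \
      -subj "/CN=Test Lab Root CA" -days 365 -sha512 -out ca-root.pem
    echo 00 > serial.srl
    # 2. Server certificate: CN and SAN both equal the VPN host name, serverAuth EKU, explicit validity.
    openssl genrsa -out server.key "$bits"
    openssl req -new -config ca.cnf -key server.key -subj "/CN=$vpn_host" -out server.req
    printf '%s\n' 'basicConstraints = CA:FALSE' 'keyUsage = digitalSignature,keyEncipherment' \
      'extendedKeyUsage = serverAuth' "subjectAltName = DNS:$vpn_host" > server.ext
    openssl x509 -req -in server.req -CA ca-root.pem -CAkey ca-key.pem -passin "pass:$ca_pass" \
      -CAserial serial.srl -days 365 -sha256 -extfile server.ext -out server.pem
    # 3. User certificate: clientAuth EKU, so it cannot be reused as a server certificate.
    openssl genrsa -out user.key "$bits"
    openssl req -new -config ca.cnf -key user.key -subj "/CN=$vpn_user" -out user.req
    printf '%s\n' 'basicConstraints = CA:FALSE' 'keyUsage = digitalSignature' \
      'extendedKeyUsage = clientAuth' > user.ext
    openssl x509 -req -in user.req -CA ca-root.pem -CAkey ca-key.pem -passin "pass:$ca_pass" \
      -CAserial serial.srl -days 365 -sha256 -extfile user.ext -out user.pem
    # 4. Bundle the user key and certificate into the PFX that the client imports.
    openssl pkcs12 -export -inkey user.key -in user.pem -passout "pass:$pfx_pass" -out user.pfx
  )
}

# Checks worth running before loading anything on the FortiGate: both leaves chain to the CA,
# the server certificate carries the expected SAN and serverAuth, the user certificate carries
# clientAuth, and the PFX opens with the export password. Returns 0 only if every check passes.
verify_test_pki() {
  pki_dir="$1"; vpn_host="$2"; pfx_pass="${PFX_PASS:-changeit}"
  openssl verify -CAfile "$pki_dir/ca-root.pem" "$pki_dir/server.pem" "$pki_dir/user.pem" >/dev/null &&
  openssl x509 -in "$pki_dir/server.pem" -noout -text | grep -q "DNS:$vpn_host" &&
  openssl x509 -in "$pki_dir/server.pem" -noout -text | grep -q 'TLS Web Server Authentication' &&
  openssl x509 -in "$pki_dir/user.pem" -noout -text | grep -q 'TLS Web Client Authentication' &&
  openssl pkcs12 -in "$pki_dir/user.pfx" -passin "pass:$pfx_pass" -noout
}

if [ "$#" -ge 3 ]; then
  make_test_pki "$1" "$2" "$3" && verify_test_pki "$1" "$2" &&
    echo "OK: $1/ca-root.pem, server.pem (+server.key), user.pfx"
fi
```

Run it as 'CA_PASS=... PFX_PASS=... sh make_test_pki.sh ./lab vpn.example.test alice'. Only the CA key is encrypted, matching the article; server.key and user.key are written in clear and must be protected on disk. OpenSSL 3 writes PKCS#12 files with AES-256 and PBKDF2 by default, which some older importers cannot read; add '-legacy' to the 'pkcs12 -export' line if the client rejects user.pfx.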
Copyright 2025 Fortinet, Inc. All Rights Reserved.