Technical Tip: How to generate certificates using OpenSSL

amacchiaverna · ‎12-07-2016

Description
This article describes how to generate certificates for testing with the open source utility 'OpenSSL'.
Note that OpenSSL is not endorsed or supported by Fortinet.

The certificates create here should not be used in production and are difficult to manage.
This article only provides an example.
It is recommended to use an internal managed CA or have the certificates issued by a publicly trusted CA.

More information on OpenSSL can be found at this website:
https://www.openssl.org/

Solution
The FortiGate cookbook article 'SSL VPN with certificate authentication' requires three certificates:
- CA certificate.
- server certificate (signed by the CA certificate).
- user certificate (signed by the CA certificate).

These can be generated using OpenSSL as follows:

1) Generate the CA:

openssl genrsa -aes256 -out ca-key.pem 4096
openssl req -x509 -new -nodes -extensions v3_ca -key ca-key.pem -days 365 -out ca-root.pem -sha512

This creates two files: the CA file 'ca.pem' and its private key 'privkey.pem' - a password for the private key is required.

2) Create a serial file:

echo 00 > serial.srl

3) Generate the server certificate and key:

openssl genrsa -out server.key 4096
openssl req -key server.key -new -out server.req
openssl x509 -req -in server.req -CA ca-root.pem -CAkey ca-key.pem -CAserial serial.srl -out server.pem

4) Generate the client certificate and key:

openssl genrsa -out user.key 4096
openssl req -key user.key -new -out user.req
openssl x509 -req -in user.req -CA ca-root.pem -CAkey ca-key.pem -CAserial serial.srl -out user.pem

5) Merge the client certificate and key into a PFX file:

openssl pkcs12 -export -out user.pfx -inkey user.key -in user.pem

It is possible now to proceed with the Cookbook article.
The three certificates to use are: ca-root.pem, server.pem, and user.pfx.