Description
This article describes how to generate a wildcard CSR.
Scope
FortiGate.
Solution
To generate a Certificate Signing Request (CSR) on FortiGate for a wildcard domain, the wildcard name must be placed in a Subject Alternative Name (SAN) entry, not only in the Common Name.
Previously, browsers fell back to the certificate's Common Name (CN) as the server's claimed identity for HTTPS, including wildcard CNs such as '*.example.com'. That fallback has been deprecated for a long time (RFC 2818 already preferred the SAN in 2000) and modern browsers ignore the CN entirely: Chrome, for example, reports NET::ERR_CERT_COMMON_NAME_INVALID when the certificate has no SAN entry matching the hostname being accessed.
To generate a wildcard CSR:
- System -> Certificates -> Select ‘Create/Import’ -> Select 'Generate CSR'.
- In the Subject Information section, select ID type 'Domain Name' and enter a fully qualified domain name. This becomes the certificate's Common Name; modern clients do not use it for hostname matching, so it does not need to be a name the website is reached by, and it does not substitute for a SAN entry.
- Include other 'Optional Information' as needed.
- In the Subject Alternative Name (SAN) field, enter 'DNS:*.<domain>', for example 'DNS:*.fortinet.local'.
Multiple SAN entries can be configured, separated by commas, for example 'DNS:*.fortinet.local, DNS:fortinet.local' when the bare domain must also be covered.
- Optional: If the certificate will later be exported (for backup, or to import on another FortiGate or another server), set and record a password for the certificate's private key.
- Set Key Type and Key Size to match any compliance requirements. Publicly trusted CAs will not sign CSRs with RSA keys shorter than 2048 bits.
- Select 'OK' to complete the Certificate Signing Request file.
- Download the CSR and submit it to the third-party CA for signing.
- Once the Certification Authority has provided the signed certificate, go to System -> Certificates -> Select 'Create/Import' -> select 'Certificate' -> Select 'Import Certificate'.
Under 'Type', select 'Local Certificate'. Upload the signed certificate file provided by the third-party CA and select 'Create'.
- Verify that the status of the certificate shows 'OK'. At this stage the certificate can be applied to SSL VPN, administrator HTTPS, or an ssl-ssh-inspection profile in 'Protecting an SSL Server' mode, but clients may still show certificate chain warnings until the CA chain is imported in the next step.
- Recommended: Most Certificate Authorities supply the intermediate and root CA certificates alongside the signed server certificate. Import these under System -> Certificates -> Import CA Certificate so the FortiGate can serve the full certificate chain; otherwise clients that do not already hold the intermediate certificate will show chain warnings.
If the CA does not provide the root and intermediate certificates, they can be retrieved manually. See 'How to avoid certificate error message by chaining Root CA and Intermediate CA certificates on Forti...'.
Note: If a CA certificate was uploaded manually earlier, or is already included in the FortiGate's built-in certificate bundle, the FortiGate will not upload it again and will display the error 'Certificate file is duplicated for CA/LOCAL/REMOTE/CRL cert'.
This is expected and simply indicates that the CA certificate is already present.
Once the server certificate and its CA chain are present on the FortiGate, the certificate can be referenced in the firewall configuration.
Certificate name matching examples
Importing the CA-signed file pairs it with the private key that was generated together with the CSR, producing the usable local certificate. The CA only signs names that were requested in the CSR (and that it could validate), so the CSR must be requested with Subject Alternative Name entries covering every name the certificate will be used for.
The example CSR used in this article has the following information.
Common Name: 'FortiGateName.site2.local'
Subject Alternative Name: 'DNS:*.fortinet.local'
The full certificate matches the following example names:
- FortiGateName.fortinet.local
- abc.fortinet.local
- vpn.fortinet.local
- VPN.FORTINET.local << Web server hostnames are not case-sensitive.
The full certificate does not match the following names:
- abc.123-fortinet.local << Wrong domain.
- vpn.abc.fortinet.local << Too many subdomains. Wildcard does not match multiple subdomains.
- abc.fortinet.com << Wrong top-level domain.
- fortinet.local << Wildcard does not match a blank subdomain. If required to match this name, add an additional SAN entry 'DNS:fortinet.local' in CSR.
- FortiGateName.site2.local << The Common Name of the certificate is not used for matching when SAN is in use. Modern browsers do not use Common Name for identity matching.
Note: multiple wildcard SAN entries are possible, as is a mix of wildcard and FQDN SAN entries; entries are separated by commas in the CSR, see 'Adding SAN while generating CSR'. A wildcard is only valid as the entire leftmost label ('*.fortinet.local'); forms such as 'abc.*.local' or 'v*.fortinet.local' are not issued by public CAs. Public Certification Authorities generally charge a fee for signing (a few, such as Let's Encrypt, do not), most do not accept IP address SAN entries at all, and under the CA/Browser Forum Baseline Requirements none can issue certificates for private (RFC 1918) addresses or for internal names. The '.local' names used in this article's examples are internal names and can therefore only be signed by a private or enterprise CA.
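The CSR procedure above and the name-matching table are reproduced here offline with OpenSSL, as an added example that is not part of the original article and not FortiOS code. A throwaway CA stands in for the third-party CA (the '.local' names could not be issued by a public CA anyway), the CSR uses the article's Common Name and SAN, and 'openssl verify -verify_hostname' applies the same RFC 6125 matching rules a browser uses, so the match/no-match results for each example hostname can be checked directly. The CA name, the file names and the 30-day validity are assumptions; bash and OpenSSL 1.1.1 or later are required.

```shell
#!/usr/bin/env bash
# Added example (not FortiGate code): rebuild the article's wildcard CSR with OpenSSL,
# sign it with a throwaway CA standing in for the third-party CA, verify the chain,
# and check which hostnames the resulting certificate actually matches.
# Assumes: bash, OpenSSL >= 1.1.1 on the PATH. Names below are the article's example names.
set -u

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
CN="FortiGateName.site2.local"        # GUI: ID type 'Domain Name' (becomes the CN)
SAN="DNS:*.fortinet.local"            # GUI: Subject Alternative Name field

# 1. Throwaway root CA (assumed name). Extensions are set explicitly via -extfile so the
#    result does not depend on whatever openssl.cnf is installed.
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Lab Root CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.csr" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 30 -sha256 \
  -extfile "$WORK/ca.ext" -out "$WORK/ca.pem" 2>/dev/null

# 2. Server key + CSR, mirroring the GUI fields: the CN and the wildcard SAN entry.
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$CN" \
  -addext "subjectAltName=$SAN" \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null

# The check to run on the downloaded CSR before submitting it to the CA:
# the Subject Alternative Name line must carry the wildcard, not only the CN.
csr_sans() {
  openssl req -in "$WORK/server.csr" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n1 | tr -d ' '
}

# 3. The CA signs the CSR. 'openssl x509 -req' does not copy CSR extensions by itself,
#    so the SAN is restated in an extension file (a real CA does this from its own policy).
printf 'subjectAltName=%s\nextendedKeyUsage=serverAuth\n' "$SAN" > "$WORK/san.ext"
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 30 -sha256 -extfile "$WORK/san.ext" -out "$WORK/server.pem" 2>/dev/null

# 4. Chain check: what a client does once it holds the CA certificate(s) the FortiGate serves.
chain_ok() {
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/server.pem" >/dev/null 2>&1
}

# 5. Hostname matching against the SAN using OpenSSL's RFC 6125 rules: one wildcard label only,
#    case-insensitive, no apex match, and the CN is ignored because DNS SAN entries exist.
#    Prints the outcome and returns 0 for a match, 1 otherwise.
matches() {
  if openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$1" "$WORK/server.pem" >/dev/null 2>&1; then
    echo "match:    $1"; return 0
  else
    echo "no match: $1"; return 1
  fi
}

echo "CSR SAN: $(csr_sans)"
chain_ok && echo "chain verifies against the CA"
for h in FortiGateName.fortinet.local abc.fortinet.local vpn.fortinet.local VPN.FORTINET.local \
         abc.123-fortinet.local vpn.abc.fortinet.local abc.fortinet.com fortinet.local "$CN"; do
  matches "$h" || true
done
```

The same two checks apply to the real artifacts: run the 'openssl req -noout -text' step on the CSR downloaded from the FortiGate before paying for signing, and after the CA chain is imported, run 'openssl s_client -connect <fortigate>:<port> -servername <name>' against the FortiGate and confirm the returned chain verifies and the name you expect to use matches.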
Related article:
SSL/TLS and the use of Digital Certificates