This article describes how to generate a Certificate Signing Request (CSR) in FortiNAC and how to apply the certificate for any of the required services.
FortiNAC (CA or NCM).
Initially, FortiNAC has a self-signed certificate assigned to each service. There are many reasons why using a self-signed certificate is not recommended in a secured production network.
The request (CSR) can be compiled under System -> Certificate Management -> [Generate CSR].
The most important fields are the RSA Key Length, Common Name and Subject Alternative Names. After filling in the information and selecting OK, the result will be text similar to the following:
This text output needs to be copied (all visible characters, including the headers) and saved to a file. The easiest way to do this is with a plain-text editor such as Notepad. The file can be saved with a .csr extension (the extension is not important; only the content is).
Note: Multiple domains can be added in the 'Subject Alternative Names' field. This makes it possible to use the same certificate on more than one service or server. The recommended method, however, is to generate a dedicated certificate for each service.
The request file needs to be uploaded in a private or a public CA in order to be signed. In this example, a FortiAuthenticator is used as a private CA.
After the signing is successful, the CA will provide the certificate file (usually with a .cer extension). The certificate can easily be opened (on a Windows PC or with other tools such as openssl) and its attributes checked before applying it to FortiNAC:
After verifying the attributes, the certificate can be uploaded in FortiNAC in the same menu that was used to generate the CSR. Make sure to select the appropriate target:
Note: Usually, large enterprise private CAs or public CAs will also include one or more intermediate certificates in the trust chain. Make sure to include all of the necessary intermediate certificates when uploading the server certificate:
After applying the certificate, a restart of the service is needed. In the Admin UI, the web page will freeze and needs to be refreshed due to the certificate change. In less than 30 seconds, the Admin UI should be available again and waiting for login.
The uploaded certificate can be checked in the same menu. In HA cluster setups, the same certificate needs to be applied to the secondary node. The Private Key tab can be used to extract the key file in order to upload it on the secondary node.
The tool openssl can also be used to get more information about the certificate that FortiNAC presents for its services.
openssl s_client -showcerts -connect fnacm.eb.eu:8443
CONNECTED(00000003)
depth=0 CN = fnacm.eb.eu, OU = TAC, O = Fortinet, L = Frankfurt, ST = Hessen, C = DE
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = fnacm.eb.eu, OU = TAC, O = Fortinet, L = Frankfurt, ST = Hessen, C = DE
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN = fnacm.eb.eu, OU = TAC, O = Fortinet, L = Frankfurt, ST = Hessen, C = DE
verify return:1
---
Certificate chain
0 s:CN = fnacm.eb.eu, OU = TAC, O = Fortinet, L = Frankfurt, ST = Hessen, C = DE
i:C = DE, ST = Hesse, L = Offenbach, O = Fortinet, OU = FNAC, CN = ca.eb.eu, emailAddress = ebilcari@fortinet.com
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Jun 11 15:04:26 2024 GMT; NotAfter: Mar 7 15:04:26 2027 GMT
-----BEGIN CERTIFICATE-----
MIIErTCCA5WgAwIBAgIDAYbMMA0GCSqGSIb3DQEBCwUAMIGMMQswCQYDVQQGEwJE
RTEOMAwGA1UECAwFSGVzc2UxEjAQBgNVBAcMCU9mZmVuYmFjaDERMA8GA1UECgwI
For other services:
Portal:
openssl s_client -showcerts -connect fnac.eb.eu:443
Agent:
openssl s_client -showcerts -connect fnac.eb.eu:4568
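As an added, self-contained rehearsal of the same workflow (example code, not part of the article), the following script uses openssl to build a CSR with a 2048-bit key and SANs, signs it with a throwaway private root and intermediate that stand in for the FortiAuthenticator CA, and then runs the checks worth doing before uploading: key length, SAN, and whether the chain only verifies once the intermediate is included (the "unable to get local issuer certificate" case from the s_client output above). The hostnames, CA names and file paths are constructed.

```shell
#!/bin/sh
# Added example, not from the article: rehearse the FortiNAC CSR workflow locally
# with openssl. Hostnames and CA names are constructed; the throwaway root and
# intermediate stand in for the FortiAuthenticator (or enterprise) CA.
set -eu
WORK="${WORK:-$(mktemp -d)}"
HOST="fnac.example.test"            # constructed; use the FortiNAC service FQDN
# 1. CSR with a 2048-bit RSA key and a SAN for every name the service answers to
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" \
    -subj "/C=DE/O=Example/CN=$HOST" \
    -addext "subjectAltName=DNS:$HOST,DNS:portal.example.test" 2>/dev/null
}

# 2. Throwaway private root plus an intermediate, as large enterprise CAs use
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" -subj "/CN=Example Root" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/inter.key" -out "$WORK/inter.csr" -subj "/CN=Example Issuing" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/inter.ext"
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/inter.ext" -out "$WORK/inter.crt" 2>/dev/null
}

# 3. The CA signs the CSR; extensions in the issued cert are the CA's decision,
#    so the SANs are restated here rather than copied blindly from the request
sign_csr() {
  printf 'subjectAltName=DNS:%s,DNS:portal.example.test\nextendedKeyUsage=serverAuth\n' "$HOST" \
    > "$WORK/server.ext"
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/inter.crt" -CAkey "$WORK/inter.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/server.ext" -out "$WORK/server.cer" 2>/dev/null
}

# 4. Checks before uploading: key length, SAN, and that the chain is complete.
#    Returns 0 only if the leaf fails without the intermediate (the "unable to get
#    local issuer certificate" case) and verifies once the intermediate is supplied.
check_cert() {
  openssl x509 -in "$WORK/server.cer" -noout -text | grep -q 'Public-Key: (2048 bit)'
  openssl x509 -in "$WORK/server.cer" -noout -ext subjectAltName | grep -q "DNS:$HOST"
  if openssl verify -CAfile "$WORK/root.crt" "$WORK/server.cer" >/dev/null 2>&1; then
    echo "unexpected: leaf verified without the intermediate" >&2; return 1
  fi
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/inter.crt" "$WORK/server.cer" >/dev/null
}

run_all() { make_ca && make_csr && sign_csr && check_cert; }
```

Run `run_all` to execute the four steps in order; the files it leaves in `$WORK` (server.csr, server.cer, inter.crt) mirror what is pasted into or uploaded through System -> Certificate Management.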
In cases when a certificate with multiple SANs or a wildcard certificate is used, FortiNAC makes it possible to quickly apply the same certificate to another service by using the 'Copy Certificate' tool as shown below:
Double-check the Source and Target before confirming.
Helpful documentation: