FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
amacchiaverna
Article Id 189798
Description
This article describes how to correctly concatenate certificate files for use in FortiNAC.

A certificate chain is the set of certificates that links a server certificate to a trusted root: the server certificate, one or more intermediate CA certificates and, optionally, the root CA certificate itself (the root may be included but does not need to be).
CAs usually deliver it as a file set: the server certificate in one file and the CA certificates in a separate bundle file.

Some Certificate Authorities do not provide the complete certificate chain in the form that has to be uploaded to FortiNAC for the portal and other web services and for RADIUS.
In the GUI these services are listed as 'Targets', and each target needs the full chain.

A chain always follows the same layout:
- the server certificate, signed by
- an intermediate CA (also called a subordinate CA), signed by
- the root CA, which is signed by itself.

There may be more links in the chain, as several intermediate CAs can sit between the server certificate and the root.

FortiNAC needs all certificates in this chain.
To identify itself to connecting parties, it additionally needs the private key that belongs to the server certificate it is supposed to use.
The private key is unique and must only be known to that particular server.


Related document:
https://docs.fortinet.com/document/fortinac/8.8.0/administration-guide/299581/ssl-certificates

Solution
FortiNAC Certificate Deployment via CSR.

1) Create the CSR on FortiNAC.
2) Submit the CSR to the CA (the organization's own CA or a public CA).
3) Once the certificate is received, upload it as the FortiNAC Admin Portal Certificate.

Once uploaded, restart the respective service:
For the admin interface: # service tomcat-admin restart
For the end-user facing portal: # service tomcat-portal restart


FortiNAC Certificate Deployment without CSR on FortiNAC.

1) Create the certificate (including its private key) with the preferred certificate service.
2) Import the certificate into FortiNAC as PKCS12 (usually a .p12 file) or as separate key and crt/cer files.
3) Upload it as the FortiNAC Admin Portal Certificate.

Once uploaded, restart the respective service:
For the admin interface: # service tomcat-admin restart
For the end-user facing portal: # service tomcat-portal restart


This method is more common for wildcard certificates, for example *.forti.lab, which are shared by several hosts. A server certificate is unusable without its private key. With a CSR created on FortiNAC the private key exists only on that box; a wildcard certificate's private key must also be exported to every other device that is going to use the certificate.

Common mistakes when uploading a certificate to FortiNAC:

- Uploading only the server certificate without concatenating the CA certificates to it. This leaves a broken verification chain/hierarchy: clients cannot build a path from the server certificate to a trusted root.
- Re-creating the CSR after the certificate was issued. A new CSR comes with a new private key, so the certificate issued for the old CSR no longer matches it and is useless.
- Treating public and private key as interchangeable. They are a pair that belongs together; a certificate cannot be combined with an arbitrary other private key, nor a private key with another certificate.
- The private key identifies a user, service or unit with unique information and must be available on that box. The public certificate is the part handed out by the service to connecting parties, which use it to verify signatures made with the matching private key.
- There is no HTTPS / TLS without certificates.

Question - How to fix incomplete certificate chains or create them?
1) Make a folder on FortiNAC or any Linux box, for example with this command:
# mkdir /tmp/certs/
2) Copy the issued certificates (server certificate, intermediate certificates and root CA certificate) to the box, for example with SCP, into /tmp/certs/.
3) Follow the next section on how to concatenate these certificates.

Example Domain forti.lab.


1) forti_lab.crt is the public FortiNAC server certificate.
2) forti_lab.ca-bundle.crt contains the intermediate and root certificates as a complete set in one file.

Before uploading the certificate to FortiNAC, it is always required to concatenate the files into a single file.
Note that these files MUST be in PEM format (base64 encoded text). Such a file can be opened with any text editor and shows one block per certificate, each framed by exactly these markers:
-----BEGIN CERTIFICATE-----
fjkghwjernlsfuigylerkjlkfjnu23jnlkjbliu5ghl6kh4
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
fjkjlkfjnu23jnlkjbliu5ghl6khkghwjernlsfuigyler4
...
-----END CERTIFICATE-----
The markers carry no numbering and must be spelled exactly as shown; a misspelled or mismatched BEGIN/END marker makes that block unreadable. If a file is not readable as text, it is binary (DER) encoded: contact the Certificate Authority to receive base64 encoded files.

Command (note the order of the files: server certificate first, then the CA bundle):
# cat forti_lab.crt forti_lab.ca-bundle.crt > forti_lab-bundle.crt

If the intermediate and root CA certificates come as separate files, use the format below.

1) forti_lab.crt is the public FortiNAC server certificate.
2) forti_lab.intermediate-ca-bundle.crt contains the intermediate certificate(s) in one file.
3) forti_lab.ca-bundle.crt contains the root CA certificate.

Command (again note the order of the files: server certificate, then intermediates, then root):
# cat forti_lab.crt forti_lab.intermediate-ca-bundle.crt forti_lab.ca-bundle.crt > forti_lab-bundle.crt
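The cat commands above only glue files together; they do not tell you whether the result is in the right order or whether a link is missing. The script below is an added example (not Fortinet code and not part of the original article) that checks a concatenated PEM bundle the way FortiNAC will consume it: it verifies the BEGIN/END markers and base64, then parses the subject and issuer of each certificate with a minimal DER walker and confirms that every certificate is issued by the one following it. It uses only the Python standard library. Because real certificates cannot be embedded here, the input is constructed: toy_cert() builds unsigned X.509 shells whose names (fortinac.forti.lab, Forti Lab Intermediate CA, Forti Lab Root CA) are made-up stand-ins for forti_lab.crt and the CA bundle files; only the Name fields are meaningful, the key and signature fields are placeholders.

```python
"""Lint a concatenated PEM bundle before upload to FortiNAC. Added example, not FortiNAC
code, standard library only; its certificates are constructed, unsigned ASN.1 shells."""
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END ([A-Z0-9 ]+)-----", re.S)
CN_OID = b"\x55\x04\x03"  # id-at-commonName (2.5.4.3)

def split_pem(text):
    """Return the DER bytes of each CERTIFICATE block; raise on broken PEM framing."""
    blocks = PEM_RE.findall(text)
    if not blocks:
        raise ValueError("no PEM blocks: binary DER or not a certificate file")
    ders = []
    for begin, body, end in blocks:
        if begin != end or begin != "CERTIFICATE":  # catches BEGIN/END typos too
            raise ValueError(f"bad PEM labels: BEGIN {begin} / END {end}")
        der_bytes = base64.b64decode("".join(body.split()), validate=True)
        if not der_bytes or der_bytes[0] != 0x30:
            raise ValueError("decoded block is not a DER SEQUENCE")
        ders.append(der_bytes)
    return ders

def der_tlv(buf, pos=0):
    """Parse one DER tag-length-value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split a constructed element's value into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out

def subject_issuer(der_bytes):
    """Return the (subject, issuer) Name values of an X.509 certificate."""
    fields = der_children(der_children(der_tlv(der_bytes)[1])[0][1])  # tbsCertificate
    if fields[0][0] == 0xA0:  # optional [0] EXPLICIT version
        fields = fields[1:]
    return fields[4][1], fields[2][1]  # serial, sigAlg, issuer, validity, subject, ...

def common_name(name_value):
    """CN of a DER Name, for readable reports."""
    for _, rdn in der_children(name_value):
        for _, atv in der_children(rdn):
            oid, val = der_children(atv)
            if oid[1] == CN_OID:
                return val[1].decode("utf-8", "replace")
    return name_value.hex()[:16]

def check_chain(pem_text):
    """Return ordering problems; [] means server -> intermediate(s) [-> root]."""
    names = [subject_issuer(d) for d in split_pem(pem_text)]
    problems = []
    if len(names) == 1:
        problems.append("only one certificate: the CA bundle was not concatenated")
    for i in range(len(names) - 1):  # each cert must be issued by the one after it
        if names[i][1] != names[i + 1][0]:
            problems.append(f"cert {i} ({common_name(names[i][0])}) is issued by "
                            f"{common_name(names[i][1])}, not by cert {i + 1} "
                            f"({common_name(names[i + 1][0])}): wrong order or missing link")
    return problems

def der(tag, body):
    """Encode one DER TLV; used only to build the constructed test data."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    n = (len(body).bit_length() + 7) // 8
    return bytes([tag, 0x80 | n]) + len(body).to_bytes(n, "big") + body

def toy_cert(subject_cn, issuer_cn):
    """Constructed, unsigned X.509 shell: real Names, placeholder key and signature."""
    def name(cn):
        return der(0x30, der(0x31, der(0x30, der(0x06, CN_OID) + der(0x0C, cn.encode()))))
    alg = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + der(0x05, b""))
    validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"250101000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg + name(issuer_cn)
              + validity + name(subject_cn) + der(0x30, alg + der(0x03, b"\x00")))
    return der(0x30, tbs + alg + der(0x03, b"\x00"))

def to_pem(der_bytes):
    b64 = base64.b64encode(der_bytes).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# Constructed stand-ins for forti_lab.crt and the intermediate/root CA files.
SERVER = to_pem(toy_cert("fortinac.forti.lab", "Forti Lab Intermediate CA"))
INTERMEDIATE = to_pem(toy_cert("Forti Lab Intermediate CA", "Forti Lab Root CA"))
ROOT = to_pem(toy_cert("Forti Lab Root CA", "Forti Lab Root CA"))
GOOD_BUNDLE = SERVER + INTERMEDIATE + ROOT  # cat forti_lab.crt intermediate root
BAD_BUNDLE = INTERMEDIATE + ROOT + SERVER   # CA bundle concatenated before the server cert

if __name__ == "__main__":
    print(check_chain(GOOD_BUNDLE) or "order OK", check_chain(BAD_BUNDLE), sep="\n")
```

To check a real forti_lab-bundle.crt, read the file and pass its text to check_chain(); an empty list means the order server, intermediate(s), root is intact, while a single-certificate bundle or a reversed cat order is reported with the common names involved. On any box with OpenSSL the same information can be read by hand with: openssl crl2pkcs7 -nocrl -certfile forti_lab-bundle.crt | openssl pkcs7 -print_certs -noout, which prints subject and issuer of every certificate in file order; each issuer line should match the subject line of the certificate that follows it.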
