Description
This article describes how to create an SSL certificate bundle from the files returned by the Certificate Authority.
Scope
FortiNAC.
Solution
When installing SSL certificates on a FortiNAC server via the CLI, three files are used:
- private key.
- leaf certificate.
- certificate bundle (intermediate and root certificates).
If several intermediate certificate files are received (as opposed to a single CA bundle), the files should be merged into a bundle before importing.
Note:
This procedure assumes all intermediate files have been provided by the Certificate Authority (CA).
Procedure:
Confirm the files are in PEM format. When opened in a text editor, the content should look similar to the following:
-----BEGIN CERTIFICATE-----
MIIFQTC.....
-----END CERTIFICATE-----
If the content does not have these types of headers, convert to PEM format first.
Convert DER/Binary to PEM Format:
openssl x509 -inform der -in certificate.cer -out certificate.pem
Convert P7B/PKCS#7 to PEM Format:
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
Convert PFX/PKCS#12 to PEM Format:
openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes
Verify the private key is in RSA format. Review the private key file using a text editor. Alternatively, on Linux, the file can be viewed by running the command:
cat <filename>
If the key header looks like this:
-----BEGIN PRIVATE KEY-----
the key is not in the expected format and needs to be converted. Convert the file by running the following command (on a Linux server):
openssl rsa -in <old_file_name> -out <new_file>
The header should now look like this: -----BEGIN RSA PRIVATE KEY-----. The converted key is written unencrypted, so restrict access to the new file.
Append all intermediate and root files into a single text file (example: Bundle.crt). There must be no blank lines between the END line of one certificate and the BEGIN line of the next.
Example Bundle content:
-----BEGIN CERTIFICATE-----
MIIFQTC...(1st)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEfTC...(2nd)
-----END CERTIFICATE-----
Order is important: put the intermediate certificate(s) at the top and the root at the bottom. If there is more than one intermediate file, place them in chain order. Look at the Issuer of the leaf certificate to determine which certificate is listed at the top of the bundle.
Leaf certificate:
    Owner:  CN=hostname.domain.edu
    Issuer: CN=CA 1
Bundle (Bundle.crt):
    Intermediate certificate 1 (1st):
        Owner:  CN=CA 1
        Issuer: CN=CA 2
    Intermediate certificate 2 (2nd):
        Owner:  CN=CA 2
        Issuer: CN=Root CA
    Root certificate (3rd):
        Owner:  CN=Root CA
Example Bundle content:
-----BEGIN CERTIFICATE-----
MIIFQTC...(1st)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEfTC...(2nd)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEojC...(3rd)
-----END CERTIFICATE-----
The file is now ready for import.
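As an added example (not part of this article or of any FortiNAC tooling), the following POSIX shell script builds Bundle.crt in the issuer order described above from an unordered set of CA files, then checks that the leaf certificate verifies against the bundle. It assumes openssl is in PATH; the Root CA / CA 2 / CA 1 / hostname.domain.edu chain it generates is constructed for demonstration only.

```shell
#!/bin/sh
# Added example, not FortiNAC's own tooling. Assumes: openssl in PATH.
# Orders CA files by following the issuer chain from the leaf, writes Bundle.crt
# (intermediates first, root last, no blank lines) and verifies the leaf against it.
set -e

# Subject or issuer name of the first certificate in a PEM file, in stable RFC2253 form.
name_of() { openssl x509 -noout "-$1" -nameopt RFC2253 -in "$2" | sed "s/^$1=//"; }

# build_bundle <leaf.pem> <ca-file>... : writes Bundle.crt in issuer order.
build_bundle() {
  leaf=$1; shift
  want=$(name_of issuer "$leaf")
  : > Bundle.crt
  while :; do
    next=
    for f in "$@"; do
      [ "$(name_of subject "$f")" = "$want" ] && { next=$f; break; }
    done
    [ -n "$next" ] || { echo "missing certificate for issuer: $want" >&2; return 1; }
    # Re-emit via openssl so every block is clean PEM with a trailing newline
    # (drops "Bag Attributes" text from PKCS#12 output, avoids glued headers).
    openssl x509 -in "$next" >> Bundle.crt
    iss=$(name_of issuer "$next")
    [ "$iss" = "$want" ] && break   # self-signed root reached
    want=$iss
  done
}

# verify_leaf <leaf.pem> : exit 0 if Bundle.crt chains the leaf up to its root.
verify_leaf() { openssl verify -CAfile Bundle.crt "$1" >/dev/null 2>&1; }

# make_test_chain <dir> : constructed Root CA -> CA 2 -> CA 1 -> leaf (demo only).
make_test_chain() {
  mkdir -p "$1" && cd "$1"
  printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\n' > leaf.ext
  csr() { openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" -keyout "$2.key" -out "$2.csr" 2>/dev/null; }
  sign() { openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial -days 30 -extfile "$3" -out "$1.pem" 2>/dev/null; }
  csr "Root CA" root; openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext -out root.pem 2>/dev/null
  csr "CA 2" ca2; sign ca2 root ca.ext
  csr "CA 1" ca1; sign ca1 ca2 ca.ext
  csr "hostname.domain.edu" leaf; sign leaf ca1 leaf.ext
}

make_test_chain "$(mktemp -d)"
build_bundle leaf.pem root.pem ca1.pem ca2.pem   # deliberately unordered input
verify_leaf leaf.pem && echo "Bundle.crt verifies leaf.pem: OK"
```

With real CA files, replace the make_test_chain call with the actual leaf and CA file names; a missing intermediate makes build_bundle stop and report the issuer it could not find.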
Note:
Later versions of FortiNAC allow uploading individual files without the need to manually bundle the certificates as long as the certificate content is not encrypted:
Related article: