Fortinet Forum
JP20xx
New Contributor

Sign a FortiGate CSR with OpenSSL (Linux)

I'm trying to sign a CSR generated by a FortiGate FW. Unfortunately, the signed certificate does not show as an option in the SSL inspection profile. Does anyone know how to sign the CSR with OpenSSL/Linux?

kcheng
Staff

Hi @JP20xx

In order to use a certificate for an SSL inspection profile (whether it is certificate inspection/deep inspection), the respective certificate has to be a sub-CA certificate. This means that the certificate will need to have the Basic Constraints stating CA:TRUE. Some references that you can find in our community explain this:

https://community.fortinet.com/t5/FortiGate/Technical-Note-SSL-inspection-on-multiple-FortiGates-usi...

https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/518006/using-a-ca-signed-certificate

I've not personally tried creating a sub-CA certificate using OpenSSL, but the following third-party steps look legit to me. You may want to give it a check:

https://mivilisnet.wordpress.com/2020/06/03/how-to-make-subordinate-ca-using-openssl/

Cheers,
Kayzie Cheng
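
The Basic Constraints requirement described in the reply above, as an added example that is not part of the original thread or of Fortinet's documentation: signing the same CSR with and without CA extensions and checking the result. The function names `sign_csr` and `is_ca_cert`, the file names and the subject names are hypothetical, and the root CA and CSR are constructed test inputs standing in for your own CA and the FortiGate-generated CSR.

```shell
#!/usr/bin/env bash
# Added example: sign a CSR so the result is a subordinate CA (CA:TRUE).
set -eu

# Sign CSR $1 with CA cert $2 and CA key $3; write the certificate to $4.
# If $5 is "subca", CA extensions are applied; otherwise none are.
sign_csr() {
    local csr=$1 ca_crt=$2 ca_key=$3 out=$4 mode=${5:-plain} ext
    if [ "$mode" = "subca" ]; then
        ext=$(mktemp)
        # "openssl x509 -req" adds no Basic Constraints on its own,
        # so they are supplied here through -extfile.
        printf '%s\n' \
            'basicConstraints = critical, CA:TRUE' \
            'keyUsage = critical, keyCertSign, cRLSign' > "$ext"
        openssl x509 -req -in "$csr" -CA "$ca_crt" -CAkey "$ca_key" \
            -CAcreateserial -days 365 -sha256 -extfile "$ext" -out "$out" 2>/dev/null
        rm -f "$ext"
    else
        openssl x509 -req -in "$csr" -CA "$ca_crt" -CAkey "$ca_key" \
            -CAcreateserial -days 365 -sha256 -out "$out" 2>/dev/null
    fi
}

# Succeeds only if the certificate carries Basic Constraints CA:TRUE.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Constructed inputs: a throwaway root CA and a CSR standing in for the
# FortiGate-generated one (subject names are made up).
work=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj '/CN=Example Root CA (constructed)' \
    -keyout "$work/root.key" -out "$work/root.crt" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes \
    -subj '/CN=fgt-subca.example (constructed)' \
    -keyout "$work/fgt.key" -out "$work/fgt.csr" 2>/dev/null

sign_csr "$work/fgt.csr" "$work/root.crt" "$work/root.key" "$work/plain.crt" plain
sign_csr "$work/fgt.csr" "$work/root.crt" "$work/root.key" "$work/subca.crt" subca

for c in plain subca; do
    if is_ca_cert "$work/$c.crt"; then echo "$c.crt: CA:TRUE"; else echo "$c.crt: not a CA"; fi
done
```

Running `is_ca_cert` against a certificate before importing it shows whether it was issued as a sub-CA.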
lestopace
Staff

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Generate-and-sign-certificates-using-OpenS...

If I'm not mistaken, you just need to follow step 1, then upload it to your FortiGate as a CA certificate along with the private key.

Lemuel