Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiExtender
- FortiGuest
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiSRA
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiScan
- FortiSandbox
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiWAN
- FortiToken
- FortiVoice
- FortiWeb
- Wireless Controller
- FortiAppSec Cloud
- RMA Information and Announcements
- Lacework
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- RE: Attempt to generate a CSR, errors " The impor...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Attempt to generate a CSR, errors " The imported local certificate is invalid"
I' m trying to generate a Certificate Signing Request for a new Local Certificate (which I would then send to a real CA) so that I can have a proper SSL Certificate for SSLVPN use as well as Admin web GUI use.
Steps:
Go to System -> Certificates -> Local Certificates, click on Generate, fill in this data:
Certificate Name: SPFGSSLVPNcrt3
ID Type: Domain Name
Domain name: fgsslvpn.socialpoint.es
Org Unit: <empty>
Org: Social Point, S.L.
Locality: Barcelona
State: Catalunya
Country: Spain
email: security@socialpoint.es
SAN: rpv.socialpoint.es
Type: RSA
Bits: 2048
Enrollment method: File Based
click OK, get error " The imported local certificate is invalid" .
That' s particularly weird, because I haven' t imported a certificate - I' m trying to generate a new private key inside the FG100D and create a .CSR.
Attempting to generate a CSR from the CLI similarly fails:
FG100D3G13807731 # execute vpn certificate local generate SPFGSSLVPNcrt3 2048 spfgsslvpn.socialpoint.es Spain Catalunya Barcelona " Social Point, S.L." " " security@socialpoint.es rpv.socialpoint.es
Generating a 2048 bit RSA private key
Generating X.509 certificate
failed to create extension: -4
problems making Certificate Request
Certificate generation failed
Done.
(I also tried variations where no " quoted strings" were needed, and where I used an OrgUnit instead of " " to leave the orgunit blank; it always fails with this same error).
Any magic sauce to get my FortiGate FG100D, FortiOS 5.0.3 firmware to allow me to generate a private key and a Certificate Signing Request, please?
Alternatively, any way I can import a full key+certificate generated completely outside of the FortiGate, to avoid the need to generate a CSR on the FortiGate?
thanks,
9 REPLIES 9
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Could be a bug ? What various of code? my FWF60D executed the same exact outcome for either ip or domain type certs.
On your last question;
any way I can import a full key+certificate generated completely outside of the FortiGate, to avoid the need to generate a CSR on the FortiGate?
Yes it' s called openssl and you craft your prig-key and car, get the csr signed and then import it into the FGT.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey I played around on a FWF60D after this strike my curiosity.
What I found, the CT ST identifiers have to be correct. Also my unit was failing on c CSR but for some reasons left defunct CSR that was only displaying in the CLI.
e.g
all of these failed CSR are not displayed or have the ability to be deleted within the GUI.
Also add a link to my blog and a post on how to craft a CSR with openssl
http://socpuppet.blogspot.com/2013/04/openssl-trick3-sserver.html
Also add a link to my blog and a post on how to craft a CSR with openssl
http://socpuppet.blogspot.com/2013/04/openssl-trick3-sserver.html
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi emnoc, and many thanks.
I also found that, trying to generate the CSR at the CLI, would leave an orphaned " certificate" , not visible in the GUI (but deleteable easily enough at the CLI).
About generating a key and cert off-box, yes, OpenSSL, etc I' ve used many times in other contexts; what I haven' t found in the context of the FortiGate is documentation explaining the format in which to put a combined private key + certificate so that the FortiGate will import it.
What format did you use from which the FortiGate would successfully import both the certificate and the private key? Is this documented somewhere? (2400 pages of documentation in the Handbook, but not about this...)
-> updated: Well, it is in the Handbook, although only in the context of an example, not actually documented. Handbook v5.0, date July 11, 2013, page 935, example " Generate and Import CA certificate with private key pair on OpenSSL" .
About the certificate State identifier, you noted that " the CT ST identifiers have to be correct" . I' m pretty sure that the information I input, State: Catalunya (and all the rest), is correct. Certainly DigiCert is happy with it in our other certificates. Could you tell us a bit more please about what you found about the ST field?
Thanks!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ah. To import a certificate *** and a private key *** the import type is " Certificate" . Wow, how obvious... (Documentation, seriously...)
So, my admin SSL web interface now works fine.
[ getting off-topic here ]
But my SSL VPN...
* on Android, still gives a(n undisclosed) certificate error, but will connect if I give the client the okay to do so
* on Linux, now won' t connect at all. Just says " connecting..." . A packet capture shows an SSL handshake, and then .. nothing.
This Linux behaviour is consistent whether I enter a correct userID+password combination or not. So it' s in the SSL handshake where the Linux SSLVPN client is now getting stuck, where before (using the self-sign cert on the FG100D) it would connect correctly. Sigh.
To prove the point, I switched the FortiGate SSLVPN configuration back to using the self-signed certificate, and the Linux client would again connect, so it' s definitely an issue with how the Linux client deals with a real SSL certificate on the FortiGate SSLVPN server.
Ah, got it. I also had to upload the public CA' s root cert to the FortiGate. Why that should be necessary for the CLIENT to validate a PUBLIC CA' s cert is beyond me, but that seems to have fixed the problem.
Could anyone else confirm a similar experience?
cheers,
Jay
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I also had to upload the public CA' s root cert to the FortiGate
On the latter, you can use openssl and verify against the certificate to verify. I think that' s why the CA needs to be install. It all about certificate chaining and intermediates iirc. Glad it all worked out for you.
I' m still investigating the orphans as you call it and why we don' t have these in the portal.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
D****, I missed that. I thought I' d uploaded the (true) root CA cert, but in fact it was a chained root cert that I uploaded.
I do wish that chained root evaluation were a more standard feature in clients...
thanks,
-Jay
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Got the answer about why the generate commands wouldn' t work.
The simple case was " it works if I don' t try to specify a SAN" .
The more complex case was " FortiOS expects the SAN to be specified explicitly with a content type:content" , e.g. not just " otherhostname.mydomain.com" but " DNS:otherhostname.mydomain.com" , or " email:myemail@address.com" .
Fully specifying the type of the content of the SAN, a colon: and then the content, does work at the CLI and also in the GUI.
I have asked FortiNet to update the CLI ? help, the Handbook and the GUI screen.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Good work, and a nice tidbit of information to have ; if generation of a CSR from the CLI or GUI.
What I did earlier when this ticket caught my eye, was to mimic everything in the fortinet factory certs to see what field(s) might have been an issue.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Guys, I want to create a CSR for my fortigate. But when i download it and open it with notepad, i can a blank text. What could be wrong.
Labels
-
FortiGate
9,378 -
FortiClient
1,906 -
5.2
801 -
FortiManager
795 -
5.4
639 -
FortiAnalyzer
608 -
FortiSwitch
513 -
FortiAP
507 -
FortiClient EMS
471 -
6.0
416 -
5.6
362 -
FortiMail
339 -
SSL-VPN
302 -
IPsec
276 -
6.2
251 -
FortiAuthenticator v5.5
234 -
FortiWeb
225 -
FortiNAC
222 -
5.0
196 -
FortiGuard
150 -
SD-WAN
142 -
FortiAuthenticator
132 -
6.4
128 -
Firewall policy
105 -
FortiGateCloud
104 -
FortiSIEM
102 -
FortiCloud Products
102 -
FortiToken
96 -
Wireless Controller
86 -
Customer Service
82 -
FortiProxy
72 -
High Availability
68 -
4.0MR3
64 -
Fortivoice
61 -
FortiEDR
61 -
Routing
58 -
FortiADC
57 -
ZTNA
57 -
VLAN
56 -
DNS
55 -
BGP
52 -
SAML
49 -
RADIUS
48 -
Authentication
48 -
LDAP
48 -
FortiSandbox
47 -
FortiGate-VM
46 -
FortiExtender
46 -
NAT
46 -
Certificate
44 -
SSO
43 -
FortiDNS
42 -
FortiGate v5.4
35 -
VDOM
35 -
FortiSwitch v6.4
34 -
FortiLink
34 -
Application control
34 -
Interface
33 -
FortiConnect
32 -
Logging
31 -
FortiWAN
28 -
Virtual IP
28 -
Web profile
28 -
FortiGate v5.2
26 -
FortiConverter
26 -
FortiPAM
25 -
FortiPortal
23 -
SSL SSH inspection
23 -
FortiGate Cloud
21 -
Traffic shaping
21 -
Static route
21 -
FortiSwitch v6.2
20 -
SSID
20 -
Automation
20 -
SNMP
19 -
FortiMonitor
18 -
WAN optimization
18 -
OSPF
16 -
System settings
16 -
FortiDDoS
15 -
Security profile
15 -
Web application firewall profile
15 -
FortiGate v5.0
14 -
Fortisoar
14 -
FortiCASB
14 -
API
14 -
Admin
14 -
IP address management - IPAM
14 -
IPS signature
13 -
FortiManager v5.0
12 -
Proxy policy
12 -
FortiManager v4.0
11 -
FortiRecorder
11 -
Traffic shaping policy
11 -
FortiAP profile
11 -
Intrusion prevention
11 -
FortiBridge
10 -
Explicit proxy
10 -
Port policy
10 -
Web rating
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiAnalyzer v5.0
9 -
FortiWeb v5.0
9 -
DNS filter
9 -
Traffic shaping profile
9 -
Fabric connector
9 -
FortiDeceptor
8 -
FortiCache
8 -
RMA Information and Announcements
8 -
trunk
8 -
Users
8 -
Antivirus profile
8 -
Fortinet Engage Partner Program
8 -
4.0
7 -
FortiToken Cloud
6 -
Packet capture
6 -
Authentication rule and scheme
6 -
FortiCarrier
5 -
FortiScan
5 -
FortiTester
5 -
Application signature
5 -
DLP profile
5 -
Email filter profile
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
NAC policy
4 -
DLP sensor
4 -
Netflow
4 -
Protocol option
4 -
TACACS
4 -
Replacement messages
4 -
SDN connector
4 -
Service
4 -
VoIP profile
4 -
Multicast routing
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
DLP Dictionary
3 -
DoS policy
3 -
Multicast policy
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
File filter
2 -
Schedule
2 -
Zone
2 -
Vulnerability Management
2 -
FortiEdge Cloud
2 -
FortiGuest
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Virtual wire pair
1 -
FortiEdge
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2056 | |
| 1173 | |
| 770 | |
| 448 | |
| 341 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.