Hi emnoc, and many thanks.
I also found that, trying to generate the CSR at the CLI, would leave an orphaned " certificate" , not visible in the GUI (but deleteable easily enough at the CLI).
About generating a key and cert off-box, yes, OpenSSL, etc I' ve used many times in other contexts; what I haven' t found in the context of the FortiGate is documentation explaining the format in which to put a combined private key + certificate so that the FortiGate will import it.
What format did you use from which the FortiGate would successfully import both the certificate and the private key? Is this documented somewhere? (2400 pages of documentation in the Handbook, but not about this...)
-> updated: Well, it is in the Handbook, although only in the context of an example, not actually documented. Handbook v5.0, date July 11, 2013, page 935, example " Generate and Import CA certificate with private key pair on OpenSSL" .
About the certificate State identifier, you noted that " the CT ST identifiers have to be correct" . I' m pretty sure that the information I input, State: Catalunya (and all the rest), is correct. Certainly DigiCert is happy with it in our other certificates. Could you tell us a bit more please about what you found about the ST field?
Thanks!