Support Forum
Jay_Libove
Contributor

Attempt to generate a CSR, errors "The imported local certificate is invalid"

I'm trying to generate a Certificate Signing Request for a new Local Certificate (which I would then send to a real CA) so that I can have a proper SSL Certificate for SSLVPN use as well as Admin web GUI use.

Steps: Go to System -> Certificates -> Local Certificates, click on Generate, fill in this data:

Certificate Name: SPFGSSLVPNcrt3
ID Type: Domain Name
Domain name: fgsslvpn.socialpoint.es
Org Unit: <empty>
Org: Social Point, S.L.
Locality: Barcelona
State: Catalunya
Country: Spain
email: security@socialpoint.es
SAN: rpv.socialpoint.es
Type: RSA
Bits: 2048
Enrollment method: File Based

Click OK, get error "The imported local certificate is invalid". That's particularly weird, because I haven't imported a certificate - I'm trying to generate a new private key inside the FG100D and create a .CSR.

Attempting to generate a CSR from the CLI similarly fails:

FG100D3G13807731 # execute vpn certificate local generate SPFGSSLVPNcrt3 2048 spfgsslvpn.socialpoint.es Spain Catalunya Barcelona "Social Point, S.L." "" security@socialpoint.es rpv.socialpoint.es
Generating a 2048 bit RSA private key
Generating X.509 certificate
failed to create extension: -4
problems making Certificate Request
Certificate generation failed
Done.

(I also tried variations where no "quoted strings" were needed, and where I used an OrgUnit instead of "" to leave the orgunit blank; it always fails with this same error.)

Any magic sauce to get my FortiGate FG100D, FortiOS 5.0.3 firmware to allow me to generate a private key and a Certificate Signing Request, please? Alternatively, any way I can import a full key+certificate generated completely outside of the FortiGate, to avoid the need to generate a CSR on the FortiGate?

thanks,
9 REPLIES
emnoc
Esteemed Contributor III

Could be a bug? What version of code? My FWF60D executed the same exact outcome for either ip or domain type certs. On your last question: "any way I can import a full key+certificate generated completely outside of the FortiGate, to avoid the need to generate a CSR on the FortiGate?" Yes, it's called openssl, and you craft your private key and CSR, get the CSR signed and then import it into the FGT.

PCNSE NSE StrongSwan
emnoc
Esteemed Contributor III

Hey, I played around on a FWF60D after this struck my curiosity. What I found: the CT ST identifiers have to be correct. Also my unit was failing on a CSR but for some reason left defunct CSRs that were only displayed in the CLI, e.g. all of these failed CSRs are not displayed, or able to be deleted, within the GUI. Also adding a link to my blog and a post on how to craft a CSR with openssl: http://socpuppet.blogspot.com/2013/04/openssl-trick3-sserver.html

PCNSE NSE StrongSwan
Jay_Libove
Contributor

Hi emnoc, and many thanks. I also found that trying to generate the CSR at the CLI would leave an orphaned "certificate", not visible in the GUI (but deletable easily enough at the CLI).

About generating a key and cert off-box: yes, OpenSSL etc. I've used many times in other contexts; what I haven't found in the context of the FortiGate is documentation explaining the format in which to put a combined private key + certificate so that the FortiGate will import it. What format did you use from which the FortiGate would successfully import both the certificate and the private key? Is this documented somewhere? (2400 pages of documentation in the Handbook, but not about this...)

-> updated: Well, it is in the Handbook, although only in the context of an example, not actually documented. Handbook v5.0, date July 11, 2013, page 935, example "Generate and Import CA certificate with private key pair on OpenSSL".

About the certificate State identifier, you noted that "the CT ST identifiers have to be correct". I'm pretty sure that the information I input, State: Catalunya (and all the rest), is correct. Certainly DigiCert is happy with it in our other certificates. Could you tell us a bit more please about what you found about the ST field? Thanks!
Jay_Libove
Contributor

Ah. To import a certificate *** and a private key *** the import type is "Certificate". Wow, how obvious... (Documentation, seriously...) So, my admin SSL web interface now works fine.

[ getting off-topic here ] But my SSL VPN...
* on Android, still gives a(n undisclosed) certificate error, but will connect if I give the client the okay to do so
* on Linux, now won't connect at all. Just says "connecting...". A packet capture shows an SSL handshake, and then .. nothing. This Linux behaviour is consistent whether I enter a correct userID+password combination or not. So it's in the SSL handshake where the Linux SSLVPN client is now getting stuck, where before (using the self-signed cert on the FG100D) it would connect correctly. Sigh.

To prove the point, I switched the FortiGate SSLVPN configuration back to using the self-signed certificate, and the Linux client would again connect, so it's definitely an issue with how the Linux client deals with a real SSL certificate on the FortiGate SSLVPN server.

Ah, got it. I also had to upload the public CA's root cert to the FortiGate. Why that should be necessary for the CLIENT to validate a PUBLIC CA's cert is beyond me, but that seems to have fixed the problem. Could anyone else confirm a similar experience?

cheers, Jay
emnoc
Esteemed Contributor III

"I also had to upload the public CA's root cert to the FortiGate" - on the latter, you can use openssl and verify against the certificate to verify. I think that's why the CA needs to be installed. It's all about certificate chaining and intermediates, iirc. Glad it all worked out for you. I'm still investigating the orphans, as you call it, and why we don't have these in the portal.

PCNSE NSE StrongSwan
Jay_Libove
Contributor

D****, I missed that. I thought I'd uploaded the (true) root CA cert, but in fact it was a chained root cert that I uploaded. I do wish that chained root evaluation were a more standard feature in clients... thanks, -Jay
Jay_Libove
Contributor

Got the answer about why the generate commands wouldn't work. The simple case was "it works if I don't try to specify a SAN". The more complex case was "FortiOS expects the SAN to be specified explicitly with a content type:content", e.g. not just "otherhostname.mydomain.com" but "DNS:otherhostname.mydomain.com", or "email:myemail@address.com". Fully specifying the type of the content of the SAN, a colon: and then the content, does work at the CLI and also in the GUI. I have asked FortiNet to update the CLI ? help, the Handbook and the GUI screen.
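Added example (not posted by anyone in this thread, and not Fortinet's or the blog's code): the off-box OpenSSL workflow emnoc suggested, written so that the SAN is given in the typed "DNS:host" / "email:addr" form Jay found FortiOS expects, and ending with the key + certificate concatenated into one PEM file of the kind Jay imported with type "Certificate". The hostnames, organisation and working directory are constructed placeholders; the Country field uses the ISO two-letter code because OpenSSL requires it there; and the certificate is self-signed from the CSR only so the script runs without a real CA (in practice the CSR goes to the CA and its signed cert replaces vpn.crt).

```shell
#!/bin/sh
# Added example: generate a private key and CSR with OpenSSL off-box, with the
# subjectAltName written as explicit type:value entries, then bundle key + cert
# for import. All names below (example.test, "Example Org, S.L.") are constructed.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Request config: SAN entries are already typed (DNS:, email:), which is the
# same form the thread reports FortiOS wanting in its own generate dialog.
write_req_config() {
    cat > "$WORKDIR/req.cnf" <<'EOF'
[ req ]
default_bits       = 2048
prompt             = no
distinguished_name = dn
req_extensions     = v3_req

[ dn ]
C  = ES
ST = Catalunya
L  = Barcelona
O  = Example Org, S.L.
CN = vpn.example.test
emailAddress = security@example.test

[ v3_req ]
subjectAltName = DNS:vpn.example.test, DNS:rpv.example.test, email:security@example.test
EOF
}

# Generate the 2048-bit RSA key and the CSR. The private key stays on this
# host; only vpn.csr is sent to the CA.
make_csr() {
    write_req_config
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORKDIR/vpn.key" -out "$WORKDIR/vpn.csr" \
        -config "$WORKDIR/req.cnf" 2>/dev/null
}

# Print the SAN line of the CSR so it can be checked before submitting it.
csr_san() {
    openssl req -in "$WORKDIR/vpn.csr" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n1 | sed 's/^ *//'
}

# Once the CA returns the signed certificate as vpn.crt, concatenate key and
# certificate into one PEM file for the FortiGate import. Here the cert is
# self-signed from the CSR (carrying the same v3_req SAN) purely so the
# example is runnable without a CA. Prints the number of PEM blocks (2).
make_bundle() {
    openssl x509 -req -in "$WORKDIR/vpn.csr" -signkey "$WORKDIR/vpn.key" \
        -days 1 -extfile "$WORKDIR/req.cnf" -extensions v3_req \
        -out "$WORKDIR/vpn.crt" 2>/dev/null
    cat "$WORKDIR/vpn.key" "$WORKDIR/vpn.crt" > "$WORKDIR/vpn-bundle.pem"
    grep -c 'BEGIN' "$WORKDIR/vpn-bundle.pem"
}
```

Run `make_csr`, check `csr_san` shows every name you need under its type, send `vpn.csr` to the CA, then `make_bundle` (with the CA's cert in place of the self-signed one) and import `vpn-bundle.pem`. Keeping the SAN in the config file rather than on the command line also means the same entries can be reused unchanged when the certificate is renewed.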
emnoc
Esteemed Contributor III

Good work, and a nice tidbit of information to have when generating a CSR from the CLI or GUI. What I did earlier when this ticket caught my eye was to mimic everything in the Fortinet factory certs to see what field(s) might have been an issue.

PCNSE NSE StrongSwan
rabzy
New Contributor

Hello Guys, I want to create a CSR for my FortiGate. But when I download it and open it with Notepad, I see a blank text. What could be wrong?
