Create Local Services Certificate with IP SAN?
Hi All,
FortiAuthenticator on 5.3.1. Trying to create (not sign) certificates in End Entities > Local Services that need Subject Alternative Name set to an IP. However, the GUI only gives me options to create SAN entries for Email, User Principal Name (UPN), URI, or DNS.
Anybody know of a way to create a cert on the FAC with an IP SAN entry?
Thanks.
No way to create it, AFAIK.
If the cert is for a device with an IP, like a FortiGate, then what about CN=IP?
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
I've specified CN=IP when creating the cert, but that isn't sufficient for browsers.
Chrome will still show it as invalid unless you have SAN=IP:1.2.3.4.
I guess I can create it in OpenSSL and import it, but it seems like the FAC should just let you enter the SAN values raw. Maybe time for a feature request.
You know, since the FortiGate allows you to create a CSR with raw SAN text, the FortiAuthenticator, as a CA, should really be able to match it.
Use openssl to request a CSR and submit it for signing. Then just import the pfx into the FGT and be done. And no, you can't use CN=<ip address>; this is what the SAN altName field exists for.
http://socpuppet.blogspot.com/2017/11/cn-and-subject-alternative-names-in.html
and here's sample of URI DNS email altnames
http://socpuppet.blogspot.com/2018/06/strongswan-dynamic-vpnclient-fortios.html
Bottom line: for web browsers, CNs are not used when an AltName is present. An AltName can be a name, IP address, email, URI, etc., or a combination of all ;)
PCNSE
NSE
StrongSwan
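The OpenSSL route described in the two posts above (CSR with an explicit IP SAN, sign it, import the PFX), as an added worked example that is not from this thread or from Fortinet. It signs with a throw-away lab CA so it runs offline; in practice the CSR would go to the real CA instead. The IP 192.0.2.10, the name fac.example.test, the file names and the export password are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original thread): build a server certificate
# whose SAN carries an IP address, sign it with a throw-away local CA, and
# check that the IP really landed in subjectAltName before importing it.
# Constructed values: 192.0.2.10 (RFC 5737 range), fac.example.test, paths.
set -eu

WORK="${WORK:-$(mktemp -d)}"
SRV_IP="${SRV_IP:-192.0.2.10}"
SRV_DNS="${SRV_DNS:-fac.example.test}"

# One-off lab CA. Stand-in for the real CA (FortiAuthenticator or other)
# that would normally sign the CSR.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Example Lab CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# CSR with the SAN written out explicitly. CN=<ip> alone is ignored by
# Chrome; the IP has to appear as an IP-type SAN entry (-addext, OpenSSL 1.1.1+).
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$SRV_IP" \
    -addext "subjectAltName=IP:$SRV_IP,DNS:$SRV_DNS" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
}

# Sign the CSR. Pre-3.0 "openssl x509 -req" drops the CSR's extensions, so the
# SAN is restated in an extfile; that works on every OpenSSL version.
sign_csr() {
  printf 'subjectAltName=IP:%s,DNS:%s\nextendedKeyUsage=serverAuth\n' \
    "$SRV_IP" "$SRV_DNS" > "$WORK/server.ext"
  openssl x509 -req -sha256 -days 30 \
    -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -extfile "$WORK/server.ext" \
    -out "$WORK/server.crt" 2>/dev/null
}

# Bundle key, cert and issuing CA as PKCS#12 for import. The export
# password is a placeholder for the example; use a real one outside a lab.
make_pfx() {
  openssl pkcs12 -export -passout pass:changeit \
    -inkey "$WORK/server.key" -in "$WORK/server.crt" \
    -certfile "$WORK/ca.crt" -out "$WORK/server.pfx" 2>/dev/null
}

# Print the SAN extension of a certificate (the check to run before import).
san_of() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null
}

# Exit status 0 when the certificate's SAN contains "IP Address:<ip>".
has_ip_san() {
  san_of "$1" | grep -q "IP Address:$2"
}

build_all() {
  make_ca && make_csr && sign_csr && make_pfx
}

# Stand-alone use: sh mkcert.sh run
if [ "${1:-}" = "run" ]; then
  build_all
  san_of "$WORK/server.crt"
  echo "PFX written to $WORK/server.pfx"
fi
```

The `has_ip_san` check is the part worth keeping: a certificate with only CN=IP passes `openssl x509 -text` inspection by eye but fails it, which is exactly the case Chrome rejects.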
Yes, I can create it in OpenSSL and sign and import it (into the FAC, actually, for this).
This just seemed like something the FAC should be able to do on its own.