Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
skolesar
New Contributor II

Hostname for DV certificate

I'm running a Fortigate 100E and have learned that I need to acquire a DV SSL certificate for use with, among other things, SSL VPN.  I'll be using ZeroSSL, at least to test my practice.

The trouble is, I don't know what to use for Domain.  We have a <company>.com website hosted elsewhere, and our network here is <company>.local.  I'm using an AD CA, server.<company>.local and of course have Fortigate at  router.<company>.local.  Not to mention, all of the internal web sites for various administration cry about INVALID_CERTIFICATION_AUTHORITY

 

Any direction to the right beginner guides would be appreciated.

 

[Sorry, I'm new at this, please correct me if i'm wrong somewhere.  I've never had to deal with administering domain certs before.  Every time I go out to seek an answer, the sources all tangle in my head.]


(¯·._.··¸.-~*´¨¯¨*·~-.Dont Panic.-~*´¨¯¨*·~-.¸··._.·´¯)
(¯·._.··¸.-~*´¨¯¨*·~-.Dont Panic.-~*´¨¯¨*·~-.¸··._.·´¯)
3 REPLIES 3
AlexC-FTNT
Staff
Staff

I'm not very familiar with all the types of certificates either, but since you are using multiple subdomains (server.<comp.local>, router.<comp.local>, etc) it looks like you need a wildcard certificate for all of them (*.company.local) - mind that ".local " may not be something a public CA authority can sign.

If you plan to use this certificate on your  <company.com> domain, you should use <company.com> domain (can also be wildcard if subdomains are expected: *.company.com). If you plan to use a certificate in the .local domain, you may want to create your own certificate. Here's a decent read: https://letsencrypt.org/docs/certificates-for-localhost/


- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
skolesar
New Contributor II

I wouldn't describe them as subdomains, but hosts on <comp.local>.

I abandoned this of frustration, need to 'block non-company-owned machines from using VPN', and docs point to using computer certificates.

I believe that (again correct me), if I register a Wilcard or DV certificate from my Domain controller running Cert Authority to an ISP CA, I can then run all of my other servers or web consoles through that.  From that I ask, do my internet-facing equipment (Fortinet VPN, PBX software) use that CA, or need to reach out to an Internet-based CA?

 

(¯·._.··¸.-~*´¨¯¨*·~-.Dont Panic.-~*´¨¯¨*·~-.¸··._.·´¯)
(¯·._.··¸.-~*´¨¯¨*·~-.Dont Panic.-~*´¨¯¨*·~-.¸··._.·´¯)
pminarik
Staff
Staff

A couple notes from practical and theoretical perspective:

 

1, No public CA will issue a certificate for .local. It's a special TLD designated for use in multicast DNS and zeroconf, but Microsoft at some point in the past used to suggest <something>.local as a domain for small networks. (which might be why you ended up using it, I assume?)

 

2, Domain name validation, before a certificate is issued, is usually done by the issuing CA doing something (send an email to @domain, request a special file at x.domain.com, query DNS server for TXT record at .domain.com, etc.) with that domain name to ensure that you have control over that domain. Since your .local exists only locally for you, such verification would be impossible.

 

3, The chosen domain name needs to be resolvable to any client on the internet. Remember that your users do not have access to your local DNS before they connect to the VPN, so your DNS server with your <x>.local domain records will not be reachable to them before they connect to the VPN.

 

in short: use <something-mentioning-vpn>.company.com :)

[ corrections always welcome ]
Labels
Top Kudoed Authors