Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Kingdaddee
New Contributor

SSL Certificate Issue - Web Portal VPN

I cannot be the first to ever deal with this issue.  

Has anybody ever used a domain (sampledomain.net) and pointed it to their public facing IP address that the firewall is listening on to access the Web-VPN portal?  AND.... bought an SSL Cert and applied to the Firewall?  Validating a certificate by IP address is apparently extremely difficult.  Unless there is a better way.

3 REPLIES 3
emnoc
Esteemed Contributor III

yes import the cert and ca-cert and call that cert up for the webportal. What're the issues that you're having? Did you do the CSR from the fortigate or from somewhere else?

 

Ken Felix

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
PierreBester
New Contributor

Hi Kingdaddee

 

We register a subdomain to our existing domain and added a DNS record for the VPN IP to point to the new subdomain (remoteconnection.sampledomain.net). We then generated a new cert for the subdomain and installed that on the fortigate and then selected that cert in the VPN settings. If im not mistaken you can generate a new cert and add the IP as a subject alternative name.

 

Regards

Pierre Bester

tinyadmin

Hello Kingdaddee,

yes, we have a public signed certificate on our Fortigate, too.

In your case we used a linux computer with openssl tools, created a private key, created a CSR (certificate signing request) and ordered with this CSR a public signed certificate at a CA (certificate authority).

Nearly all of the CAs you can order www.example.com and you get the hostname example.com in the certificates for free...

After getting the signed certificate from the CA we imported this with the private key (stilled stored on the linux-system) on the Fortigate. I used the CLI with SSH (because you can define very simple a speeking name for the certificate/key handle), my coworker use the GUI.

The now created handle you can use for all SSL related configrations within your Fortigate or vdom.

 

Of course you need a DNS-record (A and/or AAAA) with the ip-address of the Fortigate. For testing a line with ip-address and hostname in etc/hosts-file works as well for this one source-system.

 

Thats all...

 

have fun with this

Tinyadmin

Labels
Top Kudoed Authors