Fortinet Community

JP20xx · ‎06-30-2022

Im trying to sign a CSR generated by a Fortigate FW. Unfortunately the signed certificate does not show as an option in the SSL inspection profile. Does anyone knows the how to sign the CSR with OpenSSL/Linux?

kcheng · ‎07-01-2022

Hi @JP20xx

In order to use a certificate for SSL inspection profile (whether it is certificate inspection/deep inspection), the respective certificate has to be a sub-CA certificate. This means that the certificate will need to have the Basic Constraints stating CA:TRUE. Some references that you can find in our community explain the respective:

https://community.fortinet.com/t5/FortiGate/Technical-Note-SSL-inspection-on-multiple-FortiGates-usi...

https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/518006/using-a-ca-signed-certificate

I've not personally tried creating a sub-CA certificate using OpenSSL, but the following third-party steps look legit to me. You may want to give it a check:

https://mivilisnet.wordpress.com/2020/06/03/how-to-make-subordinate-ca-using-openssl/

Cheers,
Kayzie Cheng

lestopace · ‎07-02-2022

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Generate-and-sign-certificates-using-OpenS...

If I'm not mistaken, you just need to follow step 1 then upload it to your FortiGate as CA certificate along with the private key.

Lemuel

Fortinet Community

Sing a fortigate CSR with OpenSSL (Linux)