FortiAuthenticator
FortiAuthenticator provides access management and single sign-on.
cramirez
Staff
Article Id 194832

Description

This article describes how to sign a CSR on FortiAuthenticator. FortiAuthenticator can be used to sign a Certificate Signing Request (CSR) generated by another device, such as a FortiGate. The flow is: generate the CSR on the FortiGate, sign it with a local CA on FortiAuthenticator, then import the signed certificate back into the FortiGate so that the pending entry becomes valid.

1. Generating the CSR file on the FortiGate.

  • Go to System -> Certificate, select Create/Import -> Generate CSR.

  • Set Certificate Name.
  • Select ID Type. You can select: 'Host IP', 'Domain Name' or 'E-Mail'.

Optional Information:

 

  • Organization Unit.
  • Organization.
  • Locality (City).
  • State / Province.
  • Country / Region.
  • Email.
  • Subject Alternative Name (only E-Mail and UPN entries survive signing on FortiAuthenticator; see the note in step 2).
  • Password for private key.

Select:

  • Key Type.
  • Key Size.
  • Select Enrollment Method: File Based.
  • Select 'OK'.

  • FortiGate shows this certificate under Local Certificates with status 'Pending' until the signed certificate is imported.
  • Select the CSR file, download it and save it (CSR_FILE.csr in this example).

2. Generating the FortiAuthenticator Certificate Authority (CA).

  • Go to Certificate Management -> Certificate Authorities -> Local CAs -> Create New.

  • Set Certificate ID (FAC_CA in this example).
  • Select Certificate Authority Type: Root CA.
  • Select Subject input method.
  • Complete Subject Information.
  • Select Key and Signing Options.

Optional:

  • Subject Alternative Name.
  • Advanced Options: Key Usage.
  • Certificate Revocation List (CRL).
  • Select 'Save'.

  • To sign the CSR, go to Certificate Management -> End Entities -> Users and select Import.
  • Select Type: CSR to sign.
  • Set Certificate ID.
  • Upload the CSR file created by the FortiGate: CSR_FILE.csr.
  • Select the Certificate Authority created above: FAC_CA.
  • A Subject Alternative Name can be specified. Note that FortiAuthenticator only supports E-Mail and User Principal Name (UPN) here.
  • Select Import.

  • Note: if the imported CSR carries Subject Alternative Name entries of type DNS (or any type other than E-Mail or UPN), FortiAuthenticator drops those entries from the certificate it issues. Check the CSR before uploading it and, if such entries are required (for example a DNS name that clients will validate against), sign the CSR with a different CA.
  • The purpose of the certificate and the key usages needed can also be selected.

  • Go to Certificate Management -> End Entities -> Users, select the certificate and 'Export Certificate'.
  • The exported file type is Security Certificate (.cer), file name Certificate.cer.
  • Download and save it.

3. Importing the signed file (Security Certificate, .cer) into the FortiGate.

  • Go to System -> Certificate -> Create/Import -> select 'Certificate' -> Import Certificate.

  • Select Type: 'Local Certificate'.
  • Certificate file: Certificate.cer
  • Select 'Create'.

  • After Certificate.cer is imported into the FortiGate, the 'CSR_FILE' entry changes from status 'Pending' to 'Valid'. The imported file must be the certificate issued for that exact CSR, because it has to match the private key the FortiGate generated.

  • If needed, the CA certificate created on FortiAuthenticator ('FAC_CA') can also be imported into the FortiGate as a CA certificate, so that the full chain is available to peers that do not already trust FAC_CA.
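The following is an offline rehearsal of the three steps above, added here as an example; it is not part of this article and not Fortinet tooling. It uses openssl: a throwaway key and CSR stand in for the FortiGate CSR from step 1, a throwaway self-signed CA stands in for FAC_CA from step 2, and the signing command deliberately does not carry the CSR's extensions over, which reproduces the DNS SAN loss described in the step 2 note. The file names, subject values, the WORK directory and the check functions are all assumptions made for the example. The checks are the ones worth running on a real CSR before uploading it and on the real Certificate.cer after exporting it.

```shell
#!/bin/sh
# Added example, not from the Fortinet article: rehearse the CSR -> sign -> verify
# flow with openssl and run the checks a practitioner wants before and after
# FortiAuthenticator signs a FortiGate CSR. All names and values are assumed.
set -eu

# Scratch directory; override with WORK=/path to keep the files.
WORK="${WORK:-$(mktemp -d)}"

# Stand-in for the FortiGate CSR: RSA 2048, Domain Name ID type, plus a DNS SAN
# (constructed sample; the real input is the CSR_FILE.csr downloaded in step 1).
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/fgt.key" -out "$WORK/CSR_FILE.csr" \
    -subj "/C=US/ST=California/L=Sunnyvale/O=Example Corp/CN=vpn.example.com" \
    -addext "subjectAltName=DNS:vpn.example.com" 2>/dev/null
}

# Stand-in for the FortiAuthenticator root CA created in step 2 (FAC_CA).
make_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/FAC_CA.key" -out "$WORK/FAC_CA.cer" \
    -subj "/O=Example Corp/CN=FAC_CA" 2>/dev/null
}

# Sign the CSR with the stand-in CA. Extensions requested in the CSR are NOT
# carried over (no -copy_extensions / -extfile), which mirrors the note in
# step 2: a DNS SAN in the CSR does not appear in the issued certificate.
sign_csr() {
  openssl x509 -req -in "$WORK/CSR_FILE.csr" \
    -CA "$WORK/FAC_CA.cer" -CAkey "$WORK/FAC_CA.key" -CAcreateserial \
    -days 365 -sha256 -out "$WORK/Certificate.cer" 2>/dev/null
}

# Pre-check (before uploading the CSR): does it request DNS or IP SAN entries?
# Returns 0 if so; FortiAuthenticator would drop them, so use another CA.
csr_has_dns_or_ip_san() {
  openssl req -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | grep -Eq 'DNS:|IP Address:'
}

# Post-checks on the exported Certificate.cer:
# 1. it must carry the public key from the CSR, otherwise the FortiGate cannot
#    pair it with the pending private key and the entry stays 'Pending';
cert_matches_csr_key() {
  [ "$(openssl x509 -in "$2" -noout -pubkey)" = "$(openssl req -in "$1" -noout -pubkey)" ]
}
# 2. it must chain to the CA certificate that peers will be given to trust;
cert_chains_to_ca() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}
# 3. whatever SAN the service relies on must still be present after signing.
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -q 'Subject Alternative Name'
}

run_demo() {
  make_csr
  make_ca
  sign_csr
  if csr_has_dns_or_ip_san "$WORK/CSR_FILE.csr"; then
    echo "WARNING: CSR requests DNS/IP SAN entries; FortiAuthenticator will drop them"
  fi
  cert_matches_csr_key "$WORK/CSR_FILE.csr" "$WORK/Certificate.cer" \
    && echo "OK: certificate public key matches the CSR"
  cert_chains_to_ca "$WORK/Certificate.cer" "$WORK/FAC_CA.cer" \
    && echo "OK: certificate verifies against FAC_CA.cer"
  cert_has_san "$WORK/Certificate.cer" \
    || echo "WARNING: issued certificate has no Subject Alternative Name"
}

run_demo
```

Against a real deployment, run csr_has_dns_or_ip_san on the downloaded CSR_FILE.csr before step 2, and the three post-checks on the exported Certificate.cer (with the exported FAC_CA certificate as the CA file) before step 3; a key mismatch or a lost SAN is far cheaper to catch here than after the certificate is bound to a VPN or admin interface.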

For more information on certificates, refer to the following documents:

Fortigate Administration Guide / Certificate

FortiAuthenticator Administration Guide / Certificate