Description
This article describes how to sign a CSR on FortiAuthenticator. FortiAuthenticator can be used to sign a Certificate Signing Request (CSR) generated by another device, such as a FortiGate.
1. Generating the CSR file on the FortiGate.
- Go to System -> Certificate, select Create/Import -> Generate CSR.
- Set Certificate Name.
- Select ID Type: 'Host IP', 'Domain Name' or 'E-Mail'.
Optional Information:
- Organization Unit.
- Organization.
- Locality (City).
- State / Province.
- Country / Region.
- Email.
- Subject Alternative Name.
- Password for private key.
Select:
- Key Type.
- Key Size.
- Select Enrollment Method: File Based.
- Select 'OK'.
- The FortiGate lists this certificate as a 'Local Certificate' with Status 'Pending'.
- Select the CSR file, then download and save it.
2. Generating the FortiAuthenticator Certificate Authority (CA).
- Go to Certificate Management -> Certificate Authorities -> Local CAs -> Create New.
- Set Certificate ID.
- Select Certificate Authority Type: Root CA.
- Select Subject input method.
- Complete Subject Information.
- Select Key And Signing Options.
Optional:
- Subject Alternative Name.
- Advanced Options: Key Usage.
- Certificate Revocation List (CRL).
- Select 'Save'.
- To sign the CSR, go to Certificate Management -> End Entities -> Users and select Import.
- Select Type: CSR to sign.
- Set Certificate ID.
- Upload the CSR file created by the FortiGate: CSR_FILE.csr
- Select the Certificate Authority created earlier: FAC_CA
- A Subject Alternative Name can be specified. Note that FortiAuthenticator only supports E-Mail and User Principal Name (UPN).
- Select Import.
- Note: If a CSR containing a Subject Alternative Name of type DNS (or another unsupported type) is signed by the FortiAuthenticator, those Subject Alternative Name fields will be removed from the issued certificate. Sign such CSRs with another CA.
- The purpose of this certificate and the required key usages can also be selected.
- Go to Certificate Management -> End Entities -> Users, select the file and 'Export Certificate'.
- The file type will be: Security Certificate (.cer)
- File name: Certificate.cer
- Download and save.
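Before importing the exported certificate, it is worth confirming that it really belongs to the FortiGate's CSR and checking which DNS Subject Alternative Names survived signing (the caveat above). The following script is an added example, not part of the Fortinet article or product; it assumes openssl 1.1.1 or later and mktemp, and builds a throwaway CA and CSR to stand in for FAC_CA and CSR_FILE.csr, signing once without extensions (mimicking the FortiAuthenticator behaviour) and once with the SAN re-applied (the "other CA" case).

```shell
# Added check, not from the Fortinet article: confirm the exported certificate
# belongs to the CSR's key and list DNS SANs that were dropped during signing.
# Assumes openssl >= 1.1.1 (for -addext) and mktemp.

# Print the DNS: entries of the Subject Alternative Name. $1 = req|x509, $2 = file
dns_sans() {
  openssl "$1" -in "$2" -noout -text | grep -o 'DNS:[^,[:space:]]*' || true
}

# Return 0 when the certificate's public key is the one in the CSR, 1 otherwise
check_signed_cert() {
  csr_key=$(openssl req  -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  crt_key=$(openssl x509 -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  [ -n "$csr_key" ] && [ "$csr_key" = "$crt_key" ]
}

# Print each DNS SAN requested in the CSR ($1) that is missing from the certificate ($2)
missing_dns_sans() {
  have=" $(dns_sans x509 "$2" | tr '\n' ' ') "
  for san in $(dns_sans req "$1"); do
    case "$have" in *" $san "*) ;; *) echo "$san" ;; esac
  done
}

# Throwaway lab standing in for FAC_CA and the FortiGate CSR (constructed, not real devices)
demo_setup() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=FAC_CA demo" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=vpn.example.com" \
    -addext "subjectAltName=DNS:vpn.example.com" -keyout "$d/fgt.key" -out "$d/CSR_FILE.csr" 2>/dev/null
  # Signing without carrying extensions over mimics the FortiAuthenticator caveat (DNS SAN lost)
  openssl x509 -req -in "$d/CSR_FILE.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
    -days 30 -out "$d/stripped.cer" 2>/dev/null
  # A CA that re-applies the requested SAN keeps the DNS entry
  printf 'subjectAltName=DNS:vpn.example.com\n' > "$d/san.ext"
  openssl x509 -req -in "$d/CSR_FILE.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
    -days 30 -extfile "$d/san.ext" -out "$d/kept.cer" 2>/dev/null
  echo "$d"
}

lab=$(demo_setup)
for cer in stripped.cer kept.cer; do
  if check_signed_cert "$lab/CSR_FILE.csr" "$lab/$cer"; then
    echo "$cer: key matches CSR; dropped DNS SANs: $(missing_dns_sans "$lab/CSR_FILE.csr" "$lab/$cer" | tr '\n' ' ')"
  else
    echo "$cer: public key does NOT match the CSR"
  fi
done
```

Against a real export, run check_signed_cert and missing_dns_sans on CSR_FILE.csr and Certificate.cer directly; a non-empty list from missing_dns_sans means clients validating by DNS name will reject the certificate.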
3. Importing the signed file (Security Certificate, .cer) into the FortiGate
- Go to System -> Certificate -> Create/Import -> Select: 'Certificate' -> Import Certificate.
- Select Type: 'Local Certificate'.
- Certificate file: Certificate.cer
- Select 'Create'.
- After importing Certificate.cer into the FortiGate, 'CSR_FILE' changes from status 'Pending' to status 'Valid'.
- The CA certificate created earlier ('FAC_CA') can also be imported into the FortiGate if needed.
For more information about certificates, refer to the following documents:
FortiGate Administration Guide / Certificate
FortiAuthenticator Administration Guide / Certificate