FortiGate
jmacdonaldplante
Description

In the FortiGate GUI, the Subject Alternative Name text field allows multiple items to be entered (comma delimited), but the field itself has a 60 character limit. Since each SAN entered also needs an identifier prefix (for example DNS:), this limit can easily be hit with just a name or two.

This article explains how to generate the CSR from the FortiGate CLI instead, which is not subject to this limit.


Solution

To work around this limitation when needed, use the 'execute vpn certificate [store] generate [...]' CLI command. When VDOMs are in use, this command is run from the Global context.

Command Syntax

execute vpn certificate [store] generate [encryption_method] [cert_name] [key_size] [CN] [Country] [State/Province] [Org] [City] [OU] [email] [SANs - optional]

Command Options

store: ca, crl, local, remote
encryption_method: rsa, ec
cert_name: Name for the certificate, purely meant as an identifier
key_size: Key size in bits; options are 1024, 1536, and 2048
CN: Common Name, the name the certificate is signed for
Country: Country name or country code
State/Province: State or province name
Org: Organization name
City: City name
OU: Organizational Unit, similar to directories in a directory service
email: Email address for the IT contact
SANs: Other accepted names; include the CN here as well if the CN should also be matched, since clients check the SAN list rather than the CN

SAN Syntax

Email: email:admin@companyname.com
IP Address: IP:1.1.1.1
URL: URI:http://companyname.com
DNS Name: DNS:www.companyname.com

Example

execute vpn certificate local generate rsa test_cert 2048 companyname.com CA Ontario Ottawa IT,Certificates admin@companyname.com DNS:companyname.com,DNS:www.companyname.com,DNS:vpn.companyname.com

Certificate Name: test_cert
Key Size: 2048
CN: companyname.com
Country: CA (Canada)
State/Province: Ontario
City: Ottawa
OU: <root> > IT > Certificates
Email: admin@companyname.com
SANs:
    DNS Name=companyname.com
    DNS Name=www.companyname.com
    DNS Name=vpn.companyname.com
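The following is an added example (not Fortinet's code, nor part of the original article) that validates a SAN list in the identifier syntax shown above, checks whether it would fit the GUI's 60 character field, and assembles the CLI command using the argument order of the syntax line above. The sample subject values are constructed, and the script refuses values containing spaces instead of relying on CLI quoting (an assumption, not a documented rule).

```python
# Added example, not FortiGate code. Argument order follows the article's syntax line;
# the "no whitespace in fields" rule is this script's own conservative assumption.
import ipaddress
import re

GUI_SAN_LIMIT = 60                               # GUI SAN text field limit (characters)
STORES = ("ca", "crl", "local", "remote")
METHODS = ("rsa", "ec")
KEY_SIZES = (1024, 1536, 2048)
DNS_NAME = re.compile(r"(\*|[A-Za-z0-9-]+)(\.[A-Za-z0-9-]+)*")   # hostname, optional wildcard

def validate_san(san: str) -> str:
    """Return san unchanged if it uses one of the article's identifiers, else raise."""
    kind, _, value = san.partition(":")
    if kind == "DNS" and DNS_NAME.fullmatch(value):
        return san
    if kind == "IP":
        ipaddress.ip_address(value)              # raises ValueError for a malformed address
        return san
    if kind == "email" and re.fullmatch(r"[^@\s]+@[^@\s]+", value):
        return san
    if kind == "URI" and "://" in value:
        return san
    raise ValueError(f"bad SAN {san!r}: expected DNS:, IP:, URI: or email: with a valid value")

def san_field(sans) -> str:
    """Comma-delimited SAN string, as typed in the GUI field or as the last CLI argument."""
    return ",".join(validate_san(s) for s in sans)

def fits_gui(sans) -> bool:
    """True if the SAN list fits the GUI text field; False means use the CLI instead."""
    return len(san_field(sans)) <= GUI_SAN_LIMIT

def build_command(cert_name, cn, country, state, org, city, ou, email, sans,
                  store="local", method="rsa", key_size=2048) -> str:
    """Assemble the positional command; a space in a value would shift later fields."""
    if store not in STORES or method not in METHODS or key_size not in KEY_SIZES:
        raise ValueError("store, encryption method or key size not among the documented options")
    fields = [cert_name, cn, country, state, org, city, ou, email]
    if any(not f or any(c.isspace() for c in f) for f in fields):
        raise ValueError("every subject field must be non-empty and contain no whitespace")
    return (f"execute vpn certificate {store} generate {method} {cert_name} {key_size} "
            + " ".join(fields[1:]) + " " + san_field(sans))

if __name__ == "__main__":
    names = ["DNS:companyname.com", "DNS:www.companyname.com", "DNS:vpn.companyname.com"]
    print("fits GUI field:", fits_gui(names))   # three names already exceed 60 characters
    print(build_command("test_cert", "companyname.com", "CA", "Ontario", "CompanyName",
                        "Ottawa", "IT,Certificates", "admin@companyname.com", names))
```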

Related Articles

Generate CSR via CLI when Subject Alternative Name field is long (FortiOS 5.0)
