vsahu
Staff
Article Id 248447
Description

 

This article describes why a valid SSL certificate is necessary and how to install the newly generated certificate on FortiGate for HTTPS access and SSL VPN.

 

Scope

 

FortiGate v7.0.x and later.

 

Solution

 

Certificates can be used for client and server authentication, depending on the requirements and the certificate type.

There are four certificate sections on FortiGate: Local CA Certificate, Local Certificate, Remote CA Certificate, and Remote Certificate.


To open Certificate Panel:

Go to System -> Certificate. If the certificate feature is not enabled, go to System -> Feature Visibility and enable Certificate.

 


 

Local CA Certificate:

As the name implies, these are the default certificates that are generated the first time the FortiGate is booted up. These certificates are generally used for SSL inspection.

Local Certificate:

This section contains the default certificate and any other certificate that is installed on FortiGate together with its private key, that is, either a PEM certificate plus private key or a PKCS12 format certificate. It also contains self-signed certificates.


General Example:

FortiGate GUI certificate, SSL VPN certificate, site-to-site VPN local certificate, virtual server certificate used for SSL offloading, and so on.

Remote CA Certificate:

FortiGate already comes with many CA certificates from well-known certificate authorities pre-installed. Any other CA certificate that FortiGate should trust, but that is not from a well-known CA, is installed under the 'Remote CA Certificate' section. General examples: LDAPS; site-to-site VPN with PKI authentication in place of a peer certificate, where the remote CA is used to trust the certificate sent by the VPN peer for authentication; similarly, PKI user CA (Connecting with SSL VPN and ); FSSO Trusted SSL Certificate; and so on.

Remote Certificate:

To install any certificate in PEM format without a private key, choose Remote Certificate (it is similar to the Remote CA Certificate, but not exactly the same, as the end-identity is uploaded).

 

General Example:

Using an IDP or SP certificate in the SSO configuration based on the FortiGate mode (SP or IDP), FSSO Trusted SSL Certificate, and so on.


SSL VPN and HTTPS Certificate:

When the SSL VPN is configured or HTTPS access is enabled on the FortiGate WAN interface, the default FortiGate certificate is used. This produces an error because the machine or end client does not trust the certificate, as the FortiGate CA is not installed on the machines.

Often, when a user receives a security certificate warning, the user simply selects 'Continue' without understanding why the error is occurring.

To avoid encouraging this habit, it is possible to prevent the warning from appearing in the first place:

 

Note:

The SSL VPN certificate is an identity certificate of FortiGate and not for certificate authentication.

To use certificate authentication, install an identity certificate on the client machine and a CA certificate on FortiGate.

 

To overcome this, generate an SSL certificate for a domain name associated with the public (WAN) IP, signed by a well-known third-party certificate authority.

First, it is necessary to purchase a domain name and create an A record for the public IP. Alternatively, with a valid FortiGuard subscription, FortiDDNS can be used to register a domain name:

DDNS

 

Note:

In modern browsers, the certificate needs to contain the address used to access the GUI.

This IP or FQDN needs to be included in the Subject Alternative Name (SAN) field of the certificate. (This also applies to a certificate signed by an internal CA.)


For example:

FortiGate accessed via https://192.0.2.1/... → Certificate SAN must include 192.0.2.1.
FortiGate accessed via https://firewall.mydomain.com/... → Certificate SAN must include firewall.mydomain.com (or *.mydomain.com).
For the sake of completeness, the other usual certificate requirements are still in place (non-exhaustive list): the certificate must be within its validity period, must be signed by a CA trusted by the client device, and should not use a SHA1 signature (no longer trusted).

 

  1. Generate CSR from FortiGate: 
    Go to System -> Certificate -> Create/Import -> Generate CSR.

 


 

Select the newly generated CSR and download the file:

 


 

Note: 

The CSR can also be generated on any third-party server, but in that case the certificate to install will be either in PFX/PKCS12 format or a PEM format certificate with a separate private key file.

 

Related documents:
Technical Tip: Adding SAN(Subject Alternative Name) while generating CSR(Certificate Signing Request...
Technical Tip: How to sign a certificate with Subject Alternate Name (SAN)
Using the default certificate for HTTPS administrative access (more info on SAN)

 

  2. After the CSR is generated, go to the chosen vendor's site, upload the CSR, and obtain the certificate. Check the vendor's guide for details of the process.

  3. Once the certificate is available, follow the steps below to install the procured certificate.

     

    After getting the certificate issuance ZIP file, extract the file(s) contained in the ZIP file to the server. It is recommended to extract these to the Desktop or a new directory altogether.

     

    Certificates will be mostly in the below four formats:


    PEM, PKCS7: the private key file is needed to install the certificate if the CSR was not generated by FortiGate; otherwise the PEM file is enough.

    PFX, PKCS12: requires the passphrase or passcode to install.

    The intermediate and root CA certificates will also be provided; generally, all third-party root CAs are already present in FortiGate by default.
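The requirements from the SAN note above (address in the SAN, validity, no SHA1) and the private key requirement of the second scenario below can be checked with OpenSSL on the workstation before importing. This is an added example, not part of the original article or Fortinet's tooling; the function names are illustrative, the sample certificate is constructed, and OpenSSL 1.1.1 or later is assumed.

```shell
# Added example: checks to run on a workstation before importing into FortiGate.
# Function names are illustrative; needs OpenSSL 1.1.1 or later for -addext.

# Constructed sample: self-signed certificate and key with a DNS and an IP SAN.
make_sample() {  # $1 = output directory
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=firewall.mydomain.com" \
    -addext "subjectAltName=DNS:firewall.mydomain.com,IP:192.0.2.1" \
    -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# The SAN must contain the exact FQDN or IP that users type to reach the unit.
san_covers() {  # $1 = certificate, $2 = FQDN or IP
  case "$2" in
    *:*)        flag=-checkip ;;    # IPv6 literal
    *[!0-9.]*)  flag=-checkhost ;;  # anything else non-numeric: hostname
    *)          flag=-checkip ;;    # dotted decimal: IPv4
  esac
  openssl x509 -in "$1" -noout "$flag" "$2" | grep -q "does match certificate"
}

# -checkend 0 fails if the certificate has already expired.
not_expired() { openssl x509 -in "$1" -noout -checkend 0 >/dev/null; }

# Reject certificates whose signature algorithm is SHA-1 based.
sig_not_sha1() {
  ! openssl x509 -in "$1" -noout -text | grep 'Signature Algorithm' | grep -qi 'sha1'
}

# The key to upload must be the one the certificate was issued for.
key_matches() {  # $1 = certificate, $2 = private key
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

preflight() {  # $1 = certificate, $2 = private key, $3 = FQDN or IP
  rc=0
  san_covers "$1" "$3"  || { echo "FAIL: SAN does not include $3"; rc=1; }
  not_expired "$1"      || { echo "FAIL: certificate has expired"; rc=1; }
  sig_not_sha1 "$1"     || { echo "FAIL: SHA-1 signature"; rc=1; }
  key_matches "$1" "$2" || { echo "FAIL: private key does not match"; rc=1; }
  return $rc
}

# Demo on the constructed sample.
tmp=$(mktemp -d) && make_sample "$tmp" &&
  preflight "$tmp/cert.pem" "$tmp/key.pem" 192.0.2.1 && echo "OK to import"
```

A certificate whose SAN lists only the FQDN fails the check for the IP address, which is the case that triggers the browser warning when the GUI is reached by IP.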

     

Importing the SSL Certificate:

 

First scenario: the CSR was generated by FortiGate.

PEM/PKCS7/CER: If the CSR was generated on FortiGate, only the certificate in PEM, PKCS7 or .cer format is required.

Go to System -> Certificate -> Create/Import -> Certificate -> Import Certificate, select the type Local Certificate, upload the PEM certificate, and select 'Create'. The certificate will be generated.

 



Second scenario: the CSR was generated on a third-party server and there is a PEM file.


PEM/PKCS7/CER and private key: If the CSR was generated on a third-party server and the certificate provided by the CA vendor is in PEM format, the private key file is required together with the PEM file.


Go to System -> Certificate -> Create/Import -> Certificate -> Import Certificate, select the type Certificate, import the PEM certificate with the private key, create the password, add the certificate name, and select 'Create'. The certificate will be uploaded.

 

Note:

The password here is created by the user. Any numeric or alphanumeric string can be used; the password is used to merge the PEM certificate and the private key.

 



Third scenario: the CSR was generated on a third-party server and there is a PFX/PKCS12 format certificate.

PFX, PKCS12: If the certificate is in PFX format, the passphrase or password provided by the CA vendor is needed to install it.

Go to System -> Certificate -> Create/Import -> Certificate -> Import Certificate, select the type PKCS12, upload the certificate, enter the password/passphrase provided by the CA vendor, and select 'Create'. The certificate will be uploaded.

 


 

 

Once the certificate is uploaded, it is possible to select the uploaded certificate for HTTPS access and SSL VPN.

Go to System -> Settings -> HTTPS server certificate, select the certificate and apply.

 


 

Go to VPN -> SSL VPN settings -> Server certificate, select the certificate, and apply.



 

The error no longer appears.

Note:

If the certificate is generated by a local CA, it will be necessary to install the CA certificate on the machine.



It is also possible to use the Automated Certificate Management Environment (ACME) to get a free SSL certificate from the public Let's Encrypt certificate authority (https://letsencrypt.org). For more information, check the guide below:

Automatically provision a certificate
https://www.rfc-editor.org/rfc/rfc8555

 

To use a Microsoft intermediate CA for the deep SSL inspection certificate, check the guide below:

Microsoft CA deep packet inspection

 

To regenerate the default certificate, check the guide below:

Regenerate default certificates

Guide to FortiGate and certificate issues:
Troubleshooting Tip: A guide to FortiGate and cert... - Fortinet Community