FortiAuthenticator as a Certificate Authority

Facebooktwittergoogle_plusredditpinterestlinkedinFacebooktwittergoogle_plusredditpinterestlinkedin

For this recipe, you will configure the FortiAuthenticator as a Certificate Authority (CA). This will allow the FortiAuthenticator to sign certificates that the FortiGate will use to secure administrator GUI access.

This scenario includes creating a certificate request on the FortiGate, downloading the certificate to the network’s computers, and then importing it to the FortiAuthenticator. You will sign the certificate with the FortiAuthenticator’s own certificate, then download and import the signed certificate back to the FortiGate.

The process of downloading the certificate to the network’s computers will depend on which web browser you use. Internet Explorer and Chrome use one certificate store, while Firefox uses another. This configuration includes both methods.

1. Creating a new CA on the FortiAuthenticator

On the FortiAuthenticator, go to Certificate Management > Certificate Authorities > Local CAs and create a new CA.

Enter a Certificate ID, select Root CA certificate, and configure the key options as shown in the example.

Once created, highlight the certificate and select Export.

This will save a .crt file to your local drive.

2. Installing the CA on the network

The certificate must now be installed on the computers in your network as a trusted root CA. The steps below show different methods of installing the certificate, depending on your browser.

Internet Explorer and Chrome

In Windows Explorer, right-click on the certificate and select Install Certificate. Open the certificate and follow the Certificate Import Wizard.

Make sure to place the certificate in the Trusted Root Certification Authorities store.

Finish the Wizard, and select Yes to confirm and install the certificate.

Firefox

In the web browser, go to Options > Advanced > Certificates and select View Certificates.

In the Authorities tab, select Import.

Find and open the root certificate.

You will be asked what purposes the certificate will be trusted to identify. Select all options, and select OK.

3. Creating a CSR on the FortiGate

On the FortiGate, go to System > Certificates and select Generate to create a new certificate signing request (CSR).

Enter a Certificate Name, the Internet facing IP address of the FortiGate, and a valid email address, then configure the key options as shown in the example.

Once created, the certificate will show a Status of Pending. Highlight the certificate and select Download.

This will save a .csr file to your local drive.

4. Importing and signing the CSR on the FortiAuthenticator

Back on the FortiAuthenticator, go to Certificate Management > End Entities > Users and import the .csr certificate created earlier.

Make sure to select the Certificate authority from the dropdown menu and set the Hash algorithm to SHA-256, as configured earlier.

Once imported, you should see that the certificate has been signed by the FortiAuthenticator, with a Status of Active. Highlight the certificate and select Export Certificate.

This will save a .cer file to your local drive.

5. Importing the local certificate to the FortiGate

Back on the FortiGate, go to System > Certificates and select Local Certificate from the Import dropdown menu.

Browse to the .cer certificate you just created. Select Open and then select OK.

You should now see that the certificate’s Status has changed from Pending to OK. You may have to refresh your page to see the status change.

6. Configuring the certificate for the GUI

Go to System > Admin > Settings.

Under Administration Settings, set HTTPS Server Certificate to the certificate created/signed earlier, then select Apply.

7. Results

Close and reopen your browser, and go to the FortiGate admin login page. If you click on the lock icon next to the address bar, you should see that the certificate has been signed and verified by the FortiAuthenticator. As a result, no certificate errors will appear.

Adam Bristow

Adam Bristow

Technical Writer at Fortinet
Adam Bristow is a Technical Writer working for the FortiOS technical documentation team. He has a Honours Bachelor of Arts in English and Minor in Film Studies and a graduate certificate in Technical Writing from Algonquin College. Stay tuned for more FortiOS Cookbook videos!
Adam Bristow

Latest posts by Adam Bristow (see all)

  • Was this helpful?
  • Yes   No
  • Cascadia89

    Tried this with FAC
    v4.00-build0073-20160324-patch00, and FG v5.4.0,build1011. Everything works except for the last step. When I attempt to select the cert for GUI usage, I receive an “Entry Not Found” error. Also I think you neglected to explain to import the CA cert exported from the FAC as a External CA Cert on the FG?

    I tried generating the CSR with the FG LAN IP, email address, and resolvable FQDN. But all post the same error.

    • Adam Bristow

      Hello, thank you for your comment,

      I should have specified that you should enter the Internet facing IP address of the FortiGate, and not the LAN IP address – this is the IP address I used in this configuration.

      Also, at this time, this configuration has not been successfully tested on a FortiGate running FortiOS version 5.4.