Generating a CSR and Getting It Signed by a CA

Most CA vendors provide a means of generating a Certificate Signing Request (CSR) on their websites, and we recommend that you use the CA website to generate the CSR. For several good tutorials on how to get your certificates signed, please see:

A CSR can also be generated using the OpenSSL tools on any system, including Windows. The examples below were executed on a Windows system with the OpenSSL tools installed.

Note that only the most basic openssl command options are shown in these examples. See the openssl(1) and req(1) manual pages for the SSL implementation on your system for more information.

Generating a CSR using OpenSSL

Navigate to an appropriate directory on your system, and create a new directory to hold your CSR, certificate, and private key.
Generate the CSR by entering this command:

openssl req -new -newkey rsa:1024 -out cert.csr

This begins an interactive session to generate a CSR, and also generates a new private key to be output into a file named privkey.pem. If you already have a private key, use -key filename (instead of -newkey rsa:1024) to specify the file containing the private key.

It is recommended that you do not share your private key.

	It is recommended that you do not share your private key.

After generating the private key, the following prompts are displayed (example responses shown):

Enter PEM pass phrase: <password>

Verifying - Enter PEM pass phrase: <password>

Country Name (2 letter code) [AU]:US

State or Province Name (full name) [Some-State]:New York

Locality Name (eg, city) []:Millerton

Organization Name (eg, company) [Internet Widgits Pty Ltd]:CPS Inc.

Organizational Unit Name (eg, section) []:Engineering

Common Name (eg, YOUR name) []:mycluster.example.com

Email Address []:admin@example.com

Make sure you remember the password you specify, as you will need it to install and use the certificate.

For a server certificate, the Common Name provided must be the DNS-resolvable fully qualified domain name (FQDN) used by the cluster. When a client receives the certificate from the server, the client browser will display a warning if the Common Name does not match the hostname of the request URI.

For a client certificate, the Common Name in the client’s copy of the certificate is only compared to the Common Name in the copy of the client certificate on the server, so Common Name can be any value.

Visit the website of an SSL Certificate Authority (CA) to submit the cert.csr file to the CA.
Once the CA returns your signed certificate (usually in email), go to Generating a Self-Signed Certificate for more information.

Generating a CSR and Installing a Certificate on Windows Using IIS

Using Internet Information Services (IIS) is optional when creating and managing certificates for FortiADC Layer 7 HTTPS clusters and clients. In fact, one of the advantages of using FortiADC is that only one server certificate is required for an HTTPS cluster. The cluster certificate is installed on FortiADC, not on the servers in the HTTPS cluster. So, you do not need to use IIS on each server to create and install certificates. This reduces the amount of effort spent administering server certificates.

For Layer 4 TCP and UDP clusters, certificates are not installed on FortiADC, and you will need to install a server certificate on each server in the cluster (since FortiADC is not doing any HTTPS/SSL processing in Layer 4).

Please refer to the IIS documentation from Microsoft.for descriptions for generating a CSR and installing a signed certificate on Windows using IIS.