Managing local certificates
This topic provides the following information on using the System > Certificates > Local page:
“Importing a local certificate”
“Generating a CSR”
“Creating a local certificate group”
Importing a local certificate
You can import (upload) the following types of X.509 server certificates and private keys to the FortiADC system:
Base64-encoded
PKCS #12 RSA-encrypted
Before you begin:
You must have Read-Write permission for System settings.
You must have downloaded the certificate and key files and be able to browse to them so that you can upload them.
To import a local certificate:
1. Go to System > Certificate > Manage Certificates.
2. Click the Local Certificate tab.
3. Click Import to display the configuration editor.
4. Complete the configuration as described in Table 59.
5. Save the configuration.
Table 59: Local certificate import configuration

Type
    Type of certificate file:
    Local Certificate—An unencrypted certificate in PEM format.
    PKCS12 Certificate—A PKCS #12 password-encrypted certificate with key in the same file.
    Certificate—An unencrypted certificate in PEM format. The key is in a separate file.
    Additional fields are displayed depending on your selection.

Local Certificate
  Certificate File
    Browse and locate the certificate file that you want to upload.

PKCS12 Certificate
  Certificate Name
    Name that can be referenced by other parts of the configuration, such as www_example_com. Do not use spaces or special characters. The maximum length is 35 characters.
  Certificate File
    Browse and locate the certificate file that you want to upload.
  Password
    Password that was used to encrypt the file. The FortiADC system uses the password to decrypt and install the certificate.

Certificate
  Certificate Name
    Name that can be referenced by other parts of the configuration, such as www_example_com. Do not use spaces or special characters. The maximum length is 35 characters.
  Certificate File
    Browse and locate the certificate file that you want to upload.
  Key File
    Browse and locate the key file that you want to upload with the certificate.
    This option is available when you choose Certificate and the key is in a separate file.
  Password
    Password that was used to encrypt the file. The FortiADC system uses the password to decrypt and install the certificate.
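Before uploading the files described in Table 59, it is worth confirming that they belong together and that the password you intend to enter actually opens the bundle; a mismatched certificate and key is the usual cause of a handshake failure right after import. The following shell script is an added example, not FortiADC's own tooling: it uses the openssl CLI (the same tool the CSR section mentions for a private CA) to build constructed test material, a throwaway self-signed server certificate with its key, an unrelated key and a password-protected PKCS #12 bundle, all assumptions for illustration, and then runs the three checks a practitioner would want before clicking Import.

```shell
#!/bin/sh
# Added example (not FortiADC tooling): pre-upload checks for the files in Table 59.
# Assumes a POSIX shell and the openssl CLI. All certificate material below is
# constructed on the fly for demonstration; point the functions at your real files.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test material: a self-signed server certificate with its key (standing in
# for a CA-issued one), an unrelated key to show a mismatch, and a PKCS #12 bundle.
make_test_material() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=www.example.com" \
    -keyout "$WORK/server.key" -out "$WORK/server.crt" >/dev/null 2>&1
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/other.key" >/dev/null 2>&1
  # "PKCS12 Certificate" import type: certificate and key in one password-protected file.
  openssl pkcs12 -export -in "$WORK/server.crt" -inkey "$WORK/server.key" \
    -passout pass:changeit -out "$WORK/server.p12"
}

# Succeeds only if the public key inside the certificate equals the public key derived
# from the private key ("Certificate" import type with a separate Key File).
pair_matches() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds if the certificate's notAfter date is still in the future.
cert_not_expired() {
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Succeeds if the PKCS #12 file opens with the given password and yields a private key,
# i.e. the Password field of Table 59 will decrypt it.
pkcs12_opens() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nodes -nocerts 2>/dev/null | grep -q 'PRIVATE KEY'
}

# Subject and expiry, so you can confirm the name matches the virtual server clients use.
cert_summary() {
  openssl x509 -in "$1" -noout -subject -enddate
}

# Demonstration run.
make_test_material
cert_summary "$WORK/server.crt"
pair_matches "$WORK/server.crt" "$WORK/server.key" && echo "server.crt + server.key: match"
pair_matches "$WORK/server.crt" "$WORK/other.key" || echo "server.crt + other.key: MISMATCH, do not upload together"
pkcs12_opens "$WORK/server.p12" changeit && echo "server.p12 opens with the expected password"
```

The public-key comparison works for any key type openssl can read, so the same check applies to an EC key pair even though this appliance page only documents RSA generation.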
Generating a CSR
Many commercial certificate authorities (CAs) will provide a web site where you can generate your own certificate signing request (CSR). A CSR is an unsigned certificate file that the CA will sign. When the CSR is generated, the associated private key that the appliance will use to sign and/or encrypt connections with clients is also generated.
If your CA does not provide this, or if you have your own private CA such as a Linux server with OpenSSL, you can use the appliance to generate a CSR and private key. This CSR can then be submitted for verification and signing by the CA.
Before you begin:
You must have Read-Write permission for System settings.
To generate a certificate request:
1. Go to System > Certificate > Manage Certificates.
2. Click the Local Certificate tab.
3. Click Generator to display the configuration editor.
4. Complete the configuration as described in Table 60.
5. Save the configuration.
The system creates a private and public key pair. The generated request includes the public key of the FortiADC appliance and information such as the IP address, domain name, or email address. The FortiADC appliance private key remains confidential on the FortiADC appliance. The Status column of the new CSR entry is Pending.
6. Select the row that corresponds to the certificate request.
7. Click Download.
Standard dialogs appear with buttons to save the file at a location you select. Your web browser downloads the certificate request (.csr) file.
8. Upload the certificate request to your CA.
After you submit the request to a CA, the CA verifies the information in the certificate, gives it a serial number and an expiration date, and signs it with the private key of the CA.
9. If you are not using a commercial CA whose root certificate is already installed by default on web browsers, download your CA’s root certificate, then install it on all computers that will be connecting to your appliance. (If you do not install these, those computers might not trust your new certificate.)
10. When you receive the signed certificate from the CA, you can import the certificate into the FortiADC system.
 
Table 60: CSR configuration

Generate Certificate Signing Request
  Certification Name
    Unique name for the certificate request file, such as www_example_com, that can be referenced in other parts of the configuration. Do not use spaces or special characters. The maximum length is 35 characters.
    Note: This is the name of the CSR file, not the host name/IP contained in the certificate’s Subject: line.

Subject Information
  ID Type
    Select the type of identifier to use in the certificate to identify the FortiADC appliance:
    Host IP—The static public IP address of the FortiADC appliance in the IP field. If the FortiADC appliance does not have a static public IP address, use the email or domain name options instead.
    Note: If your network has a dynamic public IP address, you should not use this option. An “Unable to verify certificate” or similar error message will be displayed by users’ browsers when your public IP address changes.
    Domain Name—The fully qualified domain name (FQDN) of the FortiADC appliance, such as www.example.com. This does not require that the IP address be static, and may be useful if, for example, your network has a dynamic public IP address and therefore clients connect to it via dynamic DNS. Do not include the protocol specification (http://) or any port number or path names.
    E-Mail—The email address of the owner of the FortiADC appliance. Use this if the appliance does not require either a static IP address or a domain name.
    The type you should select varies by whether or not your FortiADC appliance has a static IP address, an FQDN, and by the primary intended use of the certificate.
    For example, if your FortiADC appliance has both a static IP address and a domain name, but you prefer to make HTTPS connections to the web UI by the domain name, you might prefer to generate a certificate based upon the domain name of the FortiADC appliance, rather than its IP address.
    Depending on your choice for ID Type, related options appear.
  IP Address
    Type the static IP address of the FortiADC appliance, such as 10.0.0.1.
    The IP address should be the one that is visible to clients. Usually, this should be its public IP address on the Internet, or a virtual IP that you use NAT to map to the appliance’s IP address on your private network.
    This option appears only if ID Type is Host IP.
  Domain Name
    Type the FQDN of the FortiADC appliance, such as www.example.com.
    The domain name must resolve to the IP address of the FortiADC appliance or backend server according to the DNS server used by clients. (If it does not, the clients’ browsers will display a Host name mismatch or similar error message.)
    This option appears only if ID Type is Domain Name.
  E-mail
    Type the email address of the owner of the FortiADC appliance, such as admin@example.com.
    This option appears only if ID Type is E-Mail.

Optional Information
  Organization Unit
    Name of organizational unit (OU), such as the name of your department. This is optional.
    To enter more than one OU name, click the + icon, and enter each OU separately in each field.
  Organization
    Legal name of your organization. This is optional.
  Locality (City)
    City or town where the FortiADC appliance is located. This is optional.
  State/Province
    State or province where the FortiADC appliance is located. This is optional.
  Country/Region
    Country where the FortiADC appliance is located. This is optional.
  Email
    Email address that may be used for contact purposes, such as admin@example.com. This is optional.

Key Information
  Key Type
    Displays the type of algorithm used to generate the key.
    This option cannot be changed, but it is displayed to indicate that only RSA is currently supported.
  Key Size
    Select a secure key size of 512 Bit, 1024 Bit, 1536 Bit or 2048 Bit. Larger keys use more computing resources, but provide better security.

Enrollment Information
  Enrollment Method
    File Based—You must manually download and submit the resulting certificate request file to a CA for signing. Once signed, upload the local certificate.
    Online SCEP—The FortiADC appliance automatically uses HTTP to submit the request to the simple certificate enrollment protocol (SCEP) server of a CA, which will validate and sign the certificate. For this selection, two options appear. Enter the CA Server URL and the Challenge Password.
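The procedure above and Table 60 describe the appliance side of file-based enrollment; the signing and trust steps happen elsewhere. The following shell script is an added example, not FortiADC code, that reproduces the whole flow with the openssl CLI on one Linux host acting as both the requester (key pair plus CSR, as the appliance does) and a private CA of the kind mentioned at the start of this section. The hostname www.example.com, the organization, the file names and the ten-year test CA are constructed assumptions. It goes slightly beyond the table in two ways: it places the FQDN from the Domain Name ID Type in a subjectAltName as well as the Subject CN, because current browsers match names against the SAN; and it shows concretely why step 9 matters, since the same issued certificate verifies only when the CA root is available to the verifier. It uses 2048-bit RSA, the largest size Table 60 offers and the smallest that public CAs and browsers still accept.

```shell
#!/bin/sh
# Added example (not FortiADC code): the CSR workflow of Table 60 reproduced with the
# openssl CLI. One Linux host plays both the appliance (key pair + CSR) and a private
# CA (verify, number, date, sign). Hostname, organization, file names and the test CA
# are constructed assumptions.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Appliance side. ID Type "Domain Name": the FQDN goes in the Subject CN and, because
# browsers match names against subjectAltName rather than CN, into a SAN as well.
generate_csr() {
  fqdn=$1
  cat > "$WORK/csr.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = $fqdn
O = Example Org
C = US
[ext]
subjectAltName = DNS:$fqdn
EOF
  # 2048-bit RSA, the largest size Table 60 offers. The private key never leaves this host.
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/appliance.key" 2>/dev/null
  openssl req -new -key "$WORK/appliance.key" -config "$WORK/csr.cnf" \
    -out "$WORK/appliance.csr"
}

# A CSR is self-signed with the requester's private key; -verify checks that signature,
# which is the proof of possession a CA relies on before issuing.
csr_signature_ok() { openssl req -in "$WORK/appliance.csr" -noout -verify >/dev/null 2>&1; }
csr_subject() { openssl req -in "$WORK/appliance.csr" -noout -subject; }

# CA side: a private root CA such as the OpenSSL-based one this section mentions.
make_private_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Example Private Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# The CA assigns a serial number (-CAcreateserial) and an expiry (-days) and signs with
# its own private key. Extensions come from sign.cnf, not blindly from the request.
sign_csr() {
  days=$1; fqdn=$2
  printf '[ext]\nsubjectAltName = DNS:%s\nextendedKeyUsage = serverAuth\n' "$fqdn" > "$WORK/sign.cnf"
  openssl x509 -req -in "$WORK/appliance.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days "$days" -extfile "$WORK/sign.cnf" -extensions ext \
    -out "$WORK/appliance.crt" 2>/dev/null
}

# Client side. With the CA root installed (step 9 of the procedure) the chain verifies;
# without it, the client reports the certificate as untrusted.
chain_verifies_with_root() { openssl verify -CAfile "$WORK/ca.crt" "$WORK/appliance.crt" >/dev/null 2>&1; }
chain_verifies_without_root() { openssl verify "$WORK/appliance.crt" >/dev/null 2>&1; }

# The SAN as issued, and the check that the signed certificate matches the appliance key
# before the two are imported together (Table 59, "Certificate" type with a Key File).
cert_san() { openssl x509 -in "$WORK/appliance.crt" -noout -text | grep -o 'DNS:[^, ]*'; }
cert_matches_key() {
  [ "$(openssl x509 -in "$WORK/appliance.crt" -noout -pubkey)" = \
    "$(openssl pkey -in "$WORK/appliance.key" -pubout)" ]
}

# Demonstration run.
generate_csr www.example.com
csr_subject
make_private_ca
sign_csr 365 www.example.com
chain_verifies_with_root && echo "verifies with CA root installed"
chain_verifies_without_root || echo "untrusted without CA root (what users see if step 9 is skipped)"
```

When the appliance is the requester, only the CSR file leaves it (step 7) and only the signed certificate comes back (step 10); the key generated in step 5 is never transferred, which is what makes the `cert_matches_key` check meaningful before the import in Table 59.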