Many commercial certificate authorities (CAs) provide websites where you can generate your own certificate signing request (CSR). A CSR is an unsigned certificate file that the CA will sign. When a CSR is generated, the associated private key that the appliance will use to sign and/or encrypt connections with clients is also generated.
If your CA does not provide this service, or if you have your own private CA such as a Linux server with OpenSSL, you can use FortiADC to generate a CSR and private key. This CSR can then be submitted for verification and signing by the CA.
Before you begin:
The system creates a private and public key pair. The generated request includes the public key of the FortiADC appliance and information such as the IP address, domain name, or email address. The FortiADC appliance private key remains confidential on the FortiADC appliance. The Status column of the new CSR entry is Pending.
Your web browser downloads the certificate request (.csr) file. Standard dialogs appear with buttons to save the file at a location you select.
After you submit the request to a CA, the CA will verify the information in the certificate, give it a serial number, an expiration date, and sign it with the public key of the CA.
| Settings | Guidelines |
|---|---|
| Generate Certificate Signing Request | |
| Certification Name | Configuration name. Valid characters are Note: This is the name of the CSR file, not the host name/IP contained in the certificate’s |
| Subject Information | |
| ID Type | Select the type of identifier to use in the certificate to identify the virtual server: Depending on your choice for ID Type, related options appear. |
| IP Address | Enter the static IP address of the FortiADC appliance, such as This option appears only if ID Type is Host IP. |
| Domain Name | Enter the FQDN of the FortiADC appliance, such as This option appears only if ID Type is Domain Name. |
| | Enter the email address of the owner of the FortiADC appliance, such as admin@example.com. This option appears only if ID Type is E-Mail. |
| Distinguished Information | |
| Organization Unit | Name of the organizational unit (OU), such as the name of your department. This is optional. To enter more than one OU name, click the + icon and enter each OU in its own field. |
| Organization | Legal name of your organization. |
| Locality (City) | City or town where the FortiADC appliance is located. |
| State/Province | State or province where the FortiADC appliance is located. |
| Country/Region | Country where the FortiADC appliance is located. |
| | E-mail address that may be used for contact purposes, such as admin@example.com. |
| Key Information | |
| Key Type | Select either of the following: |
| Key Size/Curve Name | For an RSA key, select one of the following key sizes: Note: Larger keys use more computing resources, but provide better security. For ECDSA, select one of the following curve names: |
| Enrollment Information | |
| Enrollment Method | Online SCEP—The FortiADC appliance automatically uses HTTP to submit the request to the simple certificate enrollment protocol (SCEP) server of a CA, which will validate and sign the certificate. For this selection, two options appear. Enter the CA Server URL and the Challenge Password. |
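
As an added example (not FortiADC's own tooling and not code from this page), the following Go program does offline what the form above describes: it generates the key pair and CSR for a chosen Key Type and Domain Name, then performs the check a practitioner wants before handing the .csr to a CA, namely that the CSR verifies under its own signature and carries the public half of the key that stays on the appliance. The subject values (Example Corp, IT, US) and the hostname are constructed sample values.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
)

// NewCSR generates a key pair and a PEM CSR for fqdn. keyType is "rsa" (2048-bit) or
// "ecdsa" (P-256), mirroring the Key Type / Key Size choices; the private key is
// returned only to the caller and is never embedded in the CSR.
func NewCSR(keyType, fqdn string) (crypto.Signer, []byte, error) {
	var key crypto.Signer
	var err error
	switch keyType {
	case "rsa":
		key, err = rsa.GenerateKey(rand.Reader, 2048)
	case "ecdsa":
		key, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	default:
		return nil, nil, fmt.Errorf("unsupported key type %q", keyType)
	}
	if err != nil { return nil, nil, err }
	tmpl := &x509.CertificateRequest{ // Subject / Distinguished Information, constructed sample values
		Subject: pkix.Name{CommonName: fqdn, Organization: []string{"Example Corp"},
			OrganizationalUnit: []string{"IT"}, Country: []string{"US"}},
		DNSNames: []string{fqdn}, // the Domain Name identifier also goes in the SAN
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil { return nil, nil, err }
	return key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

// KeyMatchesCSR is the check to run on a .csr/.key pair before the CSR goes to a CA:
// the CSR's self-signature must verify and its public key must be the public half of key.
func KeyMatchesCSR(csrPEM []byte, key crypto.Signer) (bool, error) {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" { return false, fmt.Errorf("no CERTIFICATE REQUEST block in input") }
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil { return false, err }
	if err := csr.CheckSignature(); err != nil { return false, err } // proof of possession of the private key
	pub, ok := csr.PublicKey.(interface{ Equal(crypto.PublicKey) bool })
	return ok && pub.Equal(key.Public()), nil
}
```

A mismatch here is exactly the condition that later surfaces as a rejected upload when the certificate file and key file do not belong together.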
You can import (upload) the following types of X.509 server certificates and private keys into the FortiADC system:
Before you begin:
| Settings | Guidelines |
|---|---|
| Type | Click the down arrow and select one of the following options from the drop-down menu: Note: Additional fields are displayed depending on your selection. |
| Local Certificate | |
| Certificate File | Browse for and upload the certificate file that you want to use. |
| PKCS12 Certificate | |
| Certificate Name | Specify the certificate name that can be referenced by other parts of the configuration, such as www_example_com. The maximum length is 35 characters. Do not use spaces or special characters. |
| Certificate File | Browse for and upload the certificate file that you want to use. |
| Password | Specify the password to encrypt the file in local storage. |
| Certificate | |
| Certificate Name | Specify the name that can be referenced by other parts of the configuration, such as www_example_com. The maximum length is 35 characters. Do not use spaces or special characters. |
| Certificate File | Browse for and upload the certificate file that you want to use. |
| Key File | Browse for and upload the corresponding key file. |
| Password | Specify the password to encrypt the files in local storage. |