
Managing local certificates

This section includes the following information:

  • Overview
  • Generating a Certificate Signing Request (CSR)
  • Importing certificates
  • Using certificates
  • Viewing certificates

Overview

When an administrator requests secure access to a FortiDDoS device over HTTPS, the device uses the SSL protocol so that all communication between the device and the browser is protected, whichever client application is used. For basic authentication by an HTTP client, the device presents its self-signed security certificate whenever the client initiates HTTPS.

Note: The self-signed certificate proposal is the default setting on the device.

The HTTP browser notices the following discrepancies:

To avoid the triggering of these messages in the scenario where you don't require your HTTP browser to 'Permanently store this exception':

Once the security exception is confirmed, the login page is displayed. All data sent to the device is encrypted and an HTTPS connection is created without reading the self-signed certificate proposal. Once the HTTP browser has permanently stored this exception, the exception prompt is not shown again. If the HTTP client declines the certificate, the device does not allow the connection.

If you want to avoid these warnings and have a custom certificate, you must assign a host name to the appliance, generate a key pair and certificate request and import the certificate from a signing authority.

Generating a Certificate Signing Request (CSR)

FortiDDoS allows you to generate CSRs that you can send to a CA to sign and return to you as a signed certificate. FortiDDoS creates a key pair that it keeps in protected storage and later uses for SSL.

Before you begin:

• You must have Read-Write permission for System settings.

To generate a certificate request:

  1. Go to System > Certificate > Local Certificates.
  2. Click Generate to display the configuration editor.
  3. Complete the configuration as described in the Table 94.
  4. Save the configuration.

    The system creates a private and public key pair. The generated request includes the public key of the FortiDDoS appliance and information such as the IP address, domain name, or email address. The FortiDDoS appliance private key remains confidential in the FortiDDoS appliance. The Status column of the new CSR entry is Pending.

  5. Select the row that corresponds to the certificate request.
  6. Click Download.

    Standard dialogs appear with buttons to save the file to the location you select. Your web browser downloads the certificate request (.csr) file.

  7. Upload the certificate request to your CA.

    After you submit the request to a CA, the CA will verify the information in the certificate, give it a serial number, an expiration date, and sign it with the public key of the CA.

  8. If you are not using a commercial CA whose root certificate is already installed by default on web browsers, download your CA’s root certificate, then install it on all computers that will be connecting to your appliance. (If you do not install these, those computers might not trust your new certificate.)
  9. When you receive the signed certificate from the CA, you can import the certificate into the FortiDDoS system.

Table 85: CSR configuration

Settings Guidelines
Generate Certificate Signing Request
Certification Name

Configuration name. Valid characters are A-Z,a-z,0-9,_, and -. No spaces. The maximum length is 35 characters.

Note: This is the name of the CSR file, not the host name/IP contained in the certificate’s Subject: line.

Subject Information
ID Type

Select the type of identifier to use in the certificate to identify the virtual server:

  • Host IP—The static public IP address of the FortiDDoS virtual server in the IP Address field. If the FortiDDoS appliance does not have a static public IP address, use the email or domain name options instead.

    Note: If your network has a dynamic public IP address, you should not use this option. An “Unable to verify certificate” or similar error message will be displayed by users’ browsers when your public IP address changes.

  • Domain Name—The fully qualified domain name (FQDN) of the FortiDDoS virtual server, such as www.example.com. This does not require that the IP address be static, and may be useful if, for example, your network has a dynamic public IP address and therefore clients connect to it via dynamic DNS. Do not include the protocol specification (http://) or any port number or path names.
  • E-Mail—The email address of the owner of the FortiDDoS virtual server. Use this if the virtual server does not require either a static IP address or a domain name.

Depending on your choice for ID Type, related options appear.

IP Address

Type the static IP address of the FortiDDoS appliance, such as 10.0.0.1. The IP address should be the one that is visible to clients. Usually, this is its public IP address on the Internet, or a virtual IP that you use NAT to map to the appliance’s IP address on your private network.

This option appears only if ID Type is Host IP.

Domain Name

Type the FQDN of the FortiDDoS appliance, such as www.example.com. The domain name must resolve to the IP address of the FortiDDoS appliance or backend server according to the DNS server used by clients. (If it does not, the clients’ browsers will display a Host name mismatch or similar error message.)

This option appears only if ID Type is Domain Name.

E-mail

Type the email address of the owner of the FortiDDoS appliance, such as admin@example.com.

This option appears only if ID Type is E-Mail.

Distinguished Information
Organization Unit

Name of organizational unit (OU), such as the name of your department. This is optional. To enter more than one OU name, click the + icon, and enter each OU separately in each field.

Organization

Legal name of your organization.

Locality (City)

City or town where the FortiDDoS appliance is located.

State/Province

State or province where the FortiDDoS appliance is located.

Country/Region

Country where the FortiDDoS appliance is located.

Email

Email address that may be used for contact purposes, such as admin@example.com.

Key Information
Key Type

RSA

Key Size

Select a secure key size. Larger keys use more computing resources, but provide better security.

For RSA, select one of the following:

  • 1024 Bit
  • 1536 Bit
  • 2048 Bit
Enrollment Information
Enrollment Method

File Based—You must manually download and submit the resulting certificate request file to a CA for signing. Once signed, upload the local certificate.

Online SCEP—The FortiDDoS appliance automatically uses HTTP to submit the request to the simple certificate enrollment protocol (SCEP) server of a CA, which will validate and sign the certificate. For this selection, two options appear. Enter the CA Server URL and the Challenge Password.
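The procedure above ends with a .csr file downloaded from the appliance. The following is an added example (not FortiDDoS code) that builds a stand-in request with OpenSSL using the Table 85 subject fields, then vets a CSR the way you would before uploading it to the CA: signature intact, CN equal to the Domain Name you typed, and an RSA key size the CA will still accept. All subject values are constructed.

```shell
#!/bin/sh
# Added example, not FortiDDoS code. Requires the openssl CLI.
set -e
WORK=$(mktemp -d)

# Stand-in for the key pair and request the appliance generates when
# ID Type = Domain Name. $1 = RSA key size (default 2048). Prints the CSR path.
make_csr() {
  bits=${1:-2048}
  openssl req -new -newkey "rsa:$bits" -nodes -sha256 \
    -keyout "$WORK/fortiddos.key" -out "$WORK/fortiddos.csr" \
    -subj "/C=US/ST=California/L=Sunnyvale/O=Example Corp/OU=Security/CN=www.example.com/emailAddress=admin@example.com" \
    2>/dev/null
  echo "$WORK/fortiddos.csr"
}

# Vet a downloaded CSR. $1 = CSR path, $2 = expected FQDN, $3 = minimum RSA bits.
# Returns 0 when every check passes, 1 otherwise.
check_csr() {
  csr=$1; fqdn=$2; minbits=${3:-2048}
  # 1. The request's self-signature must verify (catches a corrupted download).
  openssl req -in "$csr" -noout -verify >/dev/null 2>&1 \
    || { echo "CSR signature does not verify"; return 1; }
  # 2. The CN must be the FQDN clients will use; otherwise browsers report
  #    a host name mismatch once the signed certificate is installed.
  cn=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 \
       | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  [ "$cn" = "$fqdn" ] || { echo "CN is '$cn', expected '$fqdn'"; return 1; }
  # 3. Key size: 1024 Bit is selectable on the appliance, but public CAs
  #    no longer sign 1024-bit RSA requests.
  bits=$(openssl req -in "$csr" -noout -text \
         | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
  [ "$bits" -ge "$minbits" ] \
    || { echo "RSA key is $bits bits, need at least $minbits"; return 1; }
  echo "ok: CN=$cn RSA-$bits"
}
```

Run `check_csr "$(make_csr)" www.example.com 2048` against your own downloaded .csr path to apply the same checks to the appliance's request.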

Importing certificates

You can import or upload the following types of server certificates and private keys to the FortiDDoS system:

  • Local Certificate: an unencrypted certificate in PEM format.
  • PKCS12 Certificate: a PKCS #12 password-encrypted certificate with the key in the same file.
  • Certificate: an unencrypted certificate in PEM format, with the key in a separate file.

Before you begin:

To import a local certificate:

  1. Go to System > Certificate > Local Certificate.
  2. Click Import to display the configuration editor.
    Figure 143: Importing a Local Certificate

  3. Complete the configuration based on the Type selected, as described in Table 95.
  4. Save the configuration.

Table 86: Local certificate import configuration

Settings Guidelines
Type

  • Local Certificate: An unencrypted certificate in PEM format.
  • PKCS12 Certificate: A PKCS #12 password-encrypted certificate with key in the same file.
  • Certificate: An unencrypted certificate in PEM format. The key is in a separate file.

Additional fields are displayed depending on your selection.

Local Certificate
Certificate File

Browse and locate the certificate file that you want to upload.

PKCS12 Certificate
Certificate Name

Name that can be referenced by other parts of the configuration, such as www_example_com.

  • Do not use spaces or special characters.
  • Maximum length is 35 characters.

Certificate File

Browse and locate the certificate file that you want to upload.

Password

Password to encrypt the file in local storage.

Certificate
Certificate Name

Name that can be referenced by other parts of the configuration, such as www_example_com.

  • Do not use spaces or special characters.
  • Maximum length is 35 characters.

Certificate File

Browse and locate the certificate file that you want to upload.

Password

Password to encrypt the files in local storage.

After the certificate is imported, status shows OK.
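Before importing, it is worth confirming that what the CA returned chains to the CA's root and actually belongs to the appliance's key, and, for the PKCS12 Certificate import type, bundling certificate and key into one password-protected file. The following added example (not FortiDDoS code) does both with OpenSSL; the CA is a constructed private CA so the example runs offline, which is also the case from step 8 where the CA's root must be installed on administrator PCs. With a real CA you would skip make_ca and use the certificate it returned.

```shell
#!/bin/sh
# Added example, not FortiDDoS code. Requires the openssl CLI.
set -e
WORK=$(mktemp -d)

# Constructed stand-in for the CA whose root certificate admin PCs must trust.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/O=Example Root CA/CN=Example Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# What the CA does with the request: assigns a serial number and expiry and
# signs it with the CA's own private key. The appliance key stays on the appliance.
sign_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/O=Example Corp/CN=www.example.com" \
    -keyout "$WORK/appliance.key" -out "$WORK/appliance.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/appliance.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 -out "$WORK/appliance.crt" 2>/dev/null
}

# Returns 0 only if the certificate chains to the CA and matches the appliance key.
# $1 = certificate, $2 = private key, $3 = CA root certificate
check_cert() {
  openssl verify -CAfile "$3" "$1" >/dev/null 2>&1 \
    || { echo "certificate does not chain to the CA"; return 1; }
  # Compare public keys: a certificate issued from someone else's CSR fails here.
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
  [ "$c" = "$k" ] || { echo "certificate does not match the private key"; return 1; }
  echo "ok"
}

# Build the file for the PKCS12 Certificate import type. $4 is the password you
# will enter in the Password field. Prints the bundle path.
make_p12() {
  openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" -name www_example_com \
    -passout "pass:$4" -out "$WORK/appliance.p12"
  echo "$WORK/appliance.p12"
}
```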

Using certificates

  1. Go to System > Admin > Settings.
  2. Select the certificate from the dropdown under Web Administration > HTTPS Server Certificate.
  3. Save the configuration.

Viewing certificates

The system has its own default “Factory” certificate that it presents to establish secure connections with the administrator client computer.

To view the local certificate:
  1. Go to System > Certificates.
  2. Click the Local Certificate tab.
  3. Double-click the row corresponding to the Factory Certificate.

Figure 144: Factory Local Certificate