Managing local certificates
This section includes the following information:
- Overview
- Generating a Certificate Signing Request (CSR)
- Importing certificates
- Using certificates
- Viewing certificates
Overview
When an administrator requests secure access to a FortiDDoS device over HTTPS, the device uses the SSL protocol so that all communication between the device and the HTTP browser is protected, regardless of which client application is used. For basic authentication by an HTTP client, the device presents its self-signed security certificate whenever the client initiates HTTPS.
Note: The self-signed certificate proposal is the default setting on the device.
The HTTP browser notices the following discrepancies:
- The 'issuer' of the certificate offered by the device is unknown.
- The 'subject' of the certificate doesn't match the FQDN or address (a.b.c.d) used in the HTTP request.
To avoid triggering these messages without requiring your HTTP browser to 'Permanently store this exception':
- Always ensure that the certificate of the CA that signed the device certificate is stored in the browser's certificate repository.
- Always ensure that the device is accessed with the correct FQDN.
Once the security exception is confirmed, the login page is displayed. All data sent to the device is encrypted, and the HTTPS connection is created without the browser validating the self-signed certificate it was offered. Once the HTTP browser has permanently stored this exception, the exception prompt is not shown again. If the HTTP client declines the certificate, the device does not allow the connection.
If you want to avoid these warnings and use a custom certificate, you must assign a host name to the appliance, generate a key pair and certificate request, and import the certificate from a signing authority.
Generating a Certificate Signing Request (CSR)
FortiDDoS allows you to generate CSRs that you send to a CA, which signs them and returns a signed certificate. FortiDDoS creates a key pair that it keeps in protected storage and later uses for SSL.
Before you begin:
- You must have Read-Write permission for System settings.
To generate a certificate request:
- Go to System > Certificate > Local Certificates.
- Click Generate to display the configuration editor.
- Complete the configuration as described in Table 94.
- Save the configuration.
The system creates a private and public key pair. The generated request includes the public key of the FortiDDoS appliance and information such as the IP address, domain name, or email address. The FortiDDoS appliance private key remains confidential in the FortiDDoS appliance. The Status column of the new CSR entry is Pending.
- Select the row that corresponds to the certificate request.
- Click Download.
Standard dialogs appear with buttons to save the file to the location you select. Your web browser downloads the certificate request (.csr) file.
- Upload the certificate request to your CA.
After you submit the request to a CA, the CA will verify the information in the certificate, give it a serial number, an expiration date, and sign it with the public key of the CA.
- If you are not using a commercial CA whose root certificate is already installed by default on web browsers, download your CA’s root certificate, then install it on all computers that will be connecting to your appliance. (If you do not install these, those computers might not trust your new certificate.)
- When you receive the signed certificate from the CA, you can import the certificate into the FortiDDoS system.
Table 85: CSR configuration
Setting | Description
Generate Certificate Signing Request |
Certification Name | Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces. The maximum length is 35 characters. Note: This is the name of the CSR file, not the host name/IP contained in the certificate's Subject: line.
Subject Information |
ID Type | Select the type of identifier to use in the certificate to identify the virtual server: Host IP, Domain Name, or E-Mail. Depending on your choice for ID Type, related options appear.
IP Address | Type the static IP address of the FortiDDoS appliance, such as 10.0.0.1. The IP address should be the one that is visible to clients. Usually, this is its public IP address on the Internet, or a virtual IP that you use NAT to map to the appliance's IP address on your private network. This option appears only if ID Type is Host IP.
Domain Name | Type the FQDN of the FortiDDoS appliance, such as www.example.com. The domain name must resolve to the IP address of the FortiDDoS appliance or backend server according to the DNS server used by clients. (If it does not, the clients' browsers will display a Host name mismatch or similar error message.) This option appears only if ID Type is Domain Name.
E-mail | Type the email address of the owner of the FortiDDoS appliance, such as admin@example.com. This option appears only if ID Type is E-Mail.
Distinguished Information |
Organization Unit | Name of the organizational unit (OU), such as the name of your department. This is optional. To enter more than one OU name, click the + icon and enter each OU in a separate field.
Organization | Legal name of your organization.
Locality (City) | City or town where the FortiDDoS appliance is located.
State/Province | State or province where the FortiDDoS appliance is located.
Country/Region | Country where the FortiDDoS appliance is located.
Email | Email address that may be used for contact purposes, such as admin@example.com.
Key Information |
Key Type | RSA
Key Size | Select a secure key size. Larger keys use more computing resources, but provide better security. For RSA, select one of the following: 1024 Bit, 1536 Bit, or 2048 Bit.
Enrollment Information |
Enrollment Method | File Based: You must manually download and submit the resulting certificate request file to a CA for signing. Once signed, upload the local certificate. Online SCEP: The FortiDDoS appliance automatically uses HTTP to submit the request to the simple certificate enrollment protocol (SCEP) server of a CA, which validates and signs the certificate. For this selection, two additional fields appear: CA Server URL and Challenge Password.
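The CSR procedure and the Table 85 fields above, exercised end to end with openssl as an added example. This is not FortiDDoS code or output: the subject values, the appliance FQDN ddos.example.com, the address 10.0.0.1 and the private CA are constructed for the demonstration, and openssl 1.1.1 or later is assumed. It also shows the checks worth running on the downloaded .csr before submitting it, and how a client's verification of the issued certificate depends on the CA root being installed and on the requested name matching the certificate, which is where the two warnings in the Overview come from.

```shell
#!/bin/sh
# Added example (not FortiDDoS code): walk the CSR lifecycle described above with
# openssl in a scratch directory, using constructed subject values that mirror
# the Table 85 fields. Assumes openssl 1.1.1+ is on PATH.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
FQDN="ddos.example.com"   # assumed appliance FQDN; must resolve to the appliance for clients
APPLIANCE_IP="10.0.0.1"   # constructed "Host IP" value

# Step 1: what the appliance does when you click Generate: a 2048-bit RSA key pair
# (the private key never leaves the box) and a CSR carrying the public key and subject data.
gen_csr() {
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/appliance.key" -out "$WORK/appliance.csr" \
    -subj "/C=US/ST=California/L=Sunnyvale/O=Example Corp/OU=NetOps/CN=$FQDN/emailAddress=admin@example.com" \
    -addext "subjectAltName=DNS:$FQDN,IP:$APPLIANCE_IP" >/dev/null 2>&1
}

# Step 2: checks worth running on the downloaded .csr before sending it to the CA.
csr_self_signature_ok() {    # proves the request was produced with the matching private key
  openssl req -in "$WORK/appliance.csr" -noout -verify >/dev/null 2>&1
}
csr_cn() {                   # Subject CN: the name clients will be checked against
  openssl req -in "$WORK/appliance.csr" -noout -subject -nameopt RFC2253 |
    sed -n 's/.*CN=\([^,]*\).*/\1/p'
}
csr_key_bits() {
  openssl req -in "$WORK/appliance.csr" -noout -text |
    sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}
csr_key_strong_enough() {    # 1024-bit RSA is refused by current browsers and CAs; 2048 is the floor
  [ "$(csr_key_bits)" -ge 2048 ]
}

# Step 3: stand-in for the CA. A private root signs the CSR with its own private key,
# assigning a serial number and validity period, and the SAN is carried into the certificate.
ca_sign() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -subj "/CN=Example Private CA" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s,IP:%s\n' "$FQDN" "$APPLIANCE_IP" > "$WORK/san.ext"
  openssl x509 -req -in "$WORK/appliance.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -extfile "$WORK/san.ext" -out "$WORK/appliance.crt" >/dev/null 2>&1
}

# Step 4: what a client does with the issued certificate. Without the private root
# installed, the issuer is unknown (the first browser warning in the Overview); with it
# installed, the chain verifies and the name typed in the URL bar is matched against the
# certificate, which is where "Host name mismatch" comes from.
client_trusts() {            # $1 = host name the client typed
  openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" "$WORK/appliance.crt" >/dev/null 2>&1
}
client_trusts_ip() {         # $1 = IP address the client typed
  openssl verify -CAfile "$WORK/ca.crt" -verify_ip "$1" "$WORK/appliance.crt" >/dev/null 2>&1
}
client_without_root_trusts() {
  openssl verify -no-CAfile -no-CApath "$WORK/appliance.crt" >/dev/null 2>&1
}

gen_csr
csr_self_signature_ok
csr_key_strong_enough
echo "CSR CN: $(csr_cn), key: $(csr_key_bits) bits"
ca_sign
if client_without_root_trusts; then echo "unexpected: trusted without the CA root"; else echo "issuer unknown without the CA root (expected)"; fi
if client_trusts "$FQDN"; then echo "trusted when accessed as $FQDN"; fi
if client_trusts_ip "$APPLIANCE_IP"; then echo "trusted when accessed as $APPLIANCE_IP"; fi
if ! client_trusts "wrong.example.com"; then echo "host name mismatch for wrong.example.com (expected)"; fi
```

Run it with sh. The functions return only an exit status, so they drop into other scripts unchanged. The Key Size list above still offers 1024 Bit, but current browsers and public CAs reject RSA keys shorter than 2048 bits, which is why csr_key_strong_enough treats 2048 as the minimum.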
Importing certificates
You can import or upload the following types of server certificates and private keys (described under Type in the import configuration table below) to the FortiDDoS system.
Before you begin:
- You must have Read-Write permission for System settings.
- You must have downloaded the certificate and key files to browse and upload.
To import a local certificate:
- Go to System > Certificate > Local Certificate.
- Click Import to display the configuration editor.
Figure 143: Importing a Local Certificate
- Complete the configuration based on the Type selected, as described in Table 95.
- Save the configuration.
Table 86: Local certificate import configuration
Setting | Description
Type | Local Certificate: An unencrypted certificate in PEM format. PKCS12 Certificate: A PKCS #12 password-encrypted certificate with the key in the same file. Certificate: An unencrypted certificate in PEM format; the key is in a separate file. Additional fields are displayed depending on your selection.
Local Certificate |
Certificate File | Browse and locate the certificate file that you want to upload.
PKCS12 Certificate |
Certificate Name | Name that can be referenced by other parts of the configuration, such as www_example_com. Do not use spaces or special characters. Maximum length is 35 characters.
Certificate File | Browse and locate the certificate file that you want to upload.
Password | Password to encrypt the file in local storage.
Certificate |
Certificate Name | Name that can be referenced by other parts of the configuration, such as www_example_com. Do not use spaces or special characters. Maximum length is 35 characters.
Certificate File | Browse and locate the certificate file that you want to upload.
Password | Password to encrypt the files in local storage.
After the certificate is imported, status shows OK.
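Two checks a practitioner runs on the files before the import above, as an added example that is not FortiDDoS code: that a separately supplied private key actually belongs to the certificate (the Certificate import type), and that a PKCS #12 bundle opens with the password you are about to enter (the PKCS12 Certificate type). The certificate, keys, the name www_example_com and the password are constructed with openssl (1.1.1 or later assumed) for the demonstration.

```shell
#!/bin/sh
# Added example (not FortiDDoS code): pre-import checks for the files Table 86 asks for.
# Builds a throwaway certificate and keys with openssl, then shows the PEM cert/key
# match test and the PKCS#12 bundle/password checks.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
P12_PASS="ExamplePass-123"   # constructed; in practice the password comes from whoever built the bundle

# Constructed stand-in for a CA-issued certificate and its private key, plus an
# unrelated key so the mismatch case can be shown.
make_cert_and_keys() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/www_example_com.key" -out "$WORK/www_example_com.crt" \
    -subj "/CN=www.example.com" >/dev/null 2>&1
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/other.key" >/dev/null 2>&1
}

# "Certificate" import type: cert and key arrive in separate PEM files. The appliance can
# only serve them together if the key matches the certificate's public key, so derive the
# public key from each file and compare.
key_matches_cert() {         # $1 = private key file, $2 = certificate file
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null || true)
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null || true)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# "PKCS12 Certificate" import type: key and cert in one password-protected file.
make_p12() {
  openssl pkcs12 -export -in "$WORK/www_example_com.crt" -inkey "$WORK/www_example_com.key" \
    -name www_example_com -out "$WORK/www_example_com.p12" -passout "pass:$P12_PASS"
}
p12_opens_with() {           # $1 = password to try; the MAC check fails for any other password
  openssl pkcs12 -in "$WORK/www_example_com.p12" -noout -passin "pass:$1" >/dev/null 2>&1
}
p12_friendly_name() {        # the name stored in the bundle, in the doc's www_example_com style
  openssl pkcs12 -in "$WORK/www_example_com.p12" -nokeys -passin "pass:$P12_PASS" 2>/dev/null |
    sed -n 's/^ *friendlyName: //p' | head -n 1
}

make_cert_and_keys
if key_matches_cert "$WORK/www_example_com.key" "$WORK/www_example_com.crt"; then
  echo "key and certificate match"
fi
if ! key_matches_cert "$WORK/other.key" "$WORK/www_example_com.crt"; then
  echo "other.key does not belong to this certificate (expected)"
fi
make_p12
if p12_opens_with "$P12_PASS"; then echo "PKCS#12 opens with the expected password; name: $(p12_friendly_name)"; fi
if ! p12_opens_with "wrong-password"; then echo "PKCS#12 rejects a wrong password (expected)"; fi
```

A key/certificate mismatch or a wrong PKCS #12 password are the two most common reasons an import does not end in the OK status described above, and both are cheaper to find on a workstation than after the upload.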
Using certificates
- Go to System > Admin > Settings.
- Select the certificate from the dropdown under Web Administration > HTTPS Server Certificate.
- Save the configuration.
Viewing certificates
The system has its own default “Factory” certificate that it presents to establish secure connections with the administrator client computer.
To view the local certificate:
- Go to System > Certificates.
- Click the Local Certificate tab.
- Double-click the row corresponding to the Factory Certificate.
Figure 144: Factory Local Certificate