Certificate Templates
The certificate templates menu allows you to create CA certificate templates, add devices to them, and then generate certificates for selected devices. Once the CA certificates have been generated and signed, they can be installed using the install wizard.
Figure 116: Certificate templates
To create a new certificate template:
1. In the Provisioning Templates tree menu, right-click on Certificate Templates and select Create New from the pop-up menu.
The New Certificate dialog box opens.
Figure 117: New certificate template
2. Enter the following information:
Certificate Name: Enter a name for the certificate.
Optional Information: Optionally, enter the organization unit, organization, locality (city), province or state, country or region, and email address.
Key Type: RSA is the default key type. This field cannot be edited.
Key Size: Select the key size from the drop-down list.
Online SCEP Enrollment:
    CA Server URL: Enter the CA server URL.
    Challenge Password: Enter the challenge password for the CA server.
3. Select OK to create the certificate.
To edit a certificate:
1. Right-click on the certificate name in the tree menu and select Edit from the pop-up menu.
2. Edit the settings as required in the Edit Certificate window, then select OK to apply the changes.
To delete a certificate:
1. Right-click on the certificate name in the tree menu and select Delete from the pop-up menu.
2. Select OK in the confirmation dialog box to delete the certificate.
To add devices to a certificate template:
1. In the tree menu, select the certificate template to which you are adding devices.
2. In the content pane, select Add Device from the toolbar.
The Add Device dialog box opens.
3. Add devices from the drop-down list, then select OK to add the devices.
To generate certificates:
1. Do one of the following:
   - Select one or more devices from the list of devices added to the certificate template, and then select Generate from the toolbar.
   - Right-click on a device from the list and select Generate from the pop-up menu.
2. Confirm the certificate generation in the confirmation dialog box to generate the certificate.
If certificate generation fails, you can attempt to generate the certificate again.
If the certificate name already exists on the FortiGate unit, the existing certificate is overwritten each time Generate is selected. This allows certificates to be updated more easily (for instance, if a certificate has expired or is about to expire) without affecting any existing VPN configurations that are using the certificate.