Generating a CA signed SSL certificate

Chapter 3 Authentication for FortiOS 5.0 : Certificate-based authentication : Example — Generate an SSL certificate in OpenSSL : Generating a CA signed SSL certificate

This procedure assumes:

• you have already completed “Example — Generate and Import CA certificate with private key pair on OpenSSL” successfully.

To generate the CA signed SSL certificate

1. At the Windows command prompt, go to the OpenSSL bin directory. If you installed to the default location this will be the following command:

cd c:\OpenSSL-Win32\bin

2. Enter the following command to generate the private key. You will be prompted to enter your PEM pass phrase. Choose something easy to remember such as fortinet.

openssl genrsa -des3 -out fgtssl.key 2048

This command generates an RSA DES3 2038-bit encryption key.

3. Create a certificate signing request for the SSL certificate. This step requires you to enter the information listed in step 3 of the previous example — “To generate the private key and certificate”. You can leave the Challenge Password blank.

openssl req -new -key fgtssl.key -out fgtssl.csr

4. Using the CSR from the previous step, you can now create the SSL certificate using the CA certificate that was created in “Example — Generate and Import CA certificate with private key pair on OpenSSL”.

openssl x509 -req -days 365 -in fgtssl.csr -CA fgtca.crt -CAkey fgtcapriv.key -set_serial 01 -out fgtssl.crt

This will generate an X.509 certificate good for 365 days signed by the CA certificate fgtca.crt.