Chapter 4 Authentication : Certificate-based authentication : Example — Generate and Import CA certificate with private key pair on OpenSSL : Generating and importing the CA certificate and private key
  
Generating and importing the CA certificate and private key
The following two procedures generate a CA certificate file and its private key file with OpenSSL, and then import them into the FortiGate unit as a local certificate.
To generate the private key and certificate
1. At the Windows command prompt, go to the OpenSSL bin directory. If you installed to the default location this will be the following command:
cd c:\OpenSSL-Win32\bin
2. Enter the following command to generate the private key. You will be prompted to enter a PEM pass phrase, which encrypts the private key file. This example uses fortinet123; for a CA you will actually rely on, choose a strong pass phrase, because anyone holding the key file and the pass phrase can issue certificates the FortiGate will accept.
openssl genrsa -des3 -out fgtcapriv.key 2048
This command generates a 2048-bit RSA private key and writes it to fgtcapriv.key, encrypted with Triple DES (-des3) under the pass phrase.
3. The following command will generate the certificate using the key from the previous step.
openssl req -new -x509 -days 3650 -extensions v3_ca -key fgtcapriv.key -out fgtca.crt
This step generates a self-signed X.509 CA certificate, valid for 10 years (3650 days), from the key generated in the previous step. The -extensions v3_ca option applies the CA extensions from the v3_ca section of the OpenSSL configuration file (in the default configuration this sets basicConstraints CA:TRUE); if OpenSSL reports that it cannot find its configuration file, pass the file's location with -config. The certificate filename is fgtca.crt.
You will be prompted to enter the PEM pass phrase from the previous step, and then the certificate subject: Country Name, State, Organization Name, Organizational Unit (such as a department name), Common Name (the FQDN), and Email Address.
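The same two OpenSSL steps, run non-interactively and followed by the checks worth doing before the files are uploaded to the FortiGate: that the certificate really carries CA:TRUE (a missing or ignored v3_ca section silently yields an end-entity certificate), that the key file decrypts with the pass phrase and belongs to the certificate, and that the validity is the expected 10 years. This is an added example, not part of the Fortinet handbook. It assumes a POSIX shell with openssl on the PATH (the openssl commands themselves are the same on Windows), supplies the pass phrase with -passin/-passout and the subject from a small config file instead of prompts, and writes to a temporary directory rather than c:\OpenSSL-Win32\bin; the subject values and the CA_DIR and PASS variables are placeholders.

```shell
#!/bin/sh
# Added example (not from the Fortinet handbook): the page's two OpenSSL steps run
# non-interactively, plus pre-import checks. CA_DIR, PASS and the subject fields are
# assumptions for the demo; the pass phrase is the page's example value.
set -eu

CA_DIR="${CA_DIR:-$(mktemp -d)}"
PASS="${PASS:-fortinet123}"   # example pass phrase from the page; use a strong one for a real CA

# Minimal OpenSSL config: the subject fields the interactive run prompts for, and the
# v3_ca section that -extensions v3_ca refers to. Passing it explicitly with -config also
# avoids the "can't open config file" failure seen on some Windows installs.
write_config() {
    cat > "$CA_DIR/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no

[ req_dn ]
C  = US
ST = California
O  = Example Organization
OU = IT Department
CN = fgt.example.com
emailAddress = admin@example.com

[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
EOF
}

# Steps 1 and 2 from the page: a 2048-bit RSA key encrypted under the pass phrase (-des3),
# then a self-signed X.509 CA certificate valid for 3650 days using that key.
make_ca() {
    write_config
    openssl genrsa -des3 -passout "pass:$PASS" -out "$CA_DIR/fgtcapriv.key" 2048
    openssl req -new -x509 -days 3650 -extensions v3_ca \
        -config "$CA_DIR/openssl.cnf" \
        -key "$CA_DIR/fgtcapriv.key" -passin "pass:$PASS" \
        -out "$CA_DIR/fgtca.crt"
}

# Prints CA:TRUE or CA:FALSE (empty if no Basic Constraints at all). Without CA:TRUE the
# certificate cannot sign the user certificates the VPN sections rely on.
cert_basic_constraints() {
    openssl x509 -in "$1" -noout -text | grep -o 'CA:[A-Z]*' | head -n 1
}

# Prints "match" when the key file decrypts with the given pass phrase and its public half
# equals the public key inside the certificate; the FortiGate import needs both to agree.
key_cert_relation() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -passin "pass:$3" -pubout 2>/dev/null || true)
    if [ "$cert_pub" = "$key_pub" ]; then echo match; else echo mismatch; fi
}

# Returns 0 if the certificate is still valid DAYS from now (-checkend takes seconds).
cert_outlives_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Returns 0 if the certificate verifies against itself, i.e. it is a usable self-signed root.
cert_is_self_signed_root() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

make_ca
echo "certificate : $CA_DIR/fgtca.crt"
echo "CA flag     : $(cert_basic_constraints "$CA_DIR/fgtca.crt")"
echo "key vs cert : $(key_cert_relation "$CA_DIR/fgtca.crt" "$CA_DIR/fgtcapriv.key" "$PASS")"
```

If the CA flag check prints anything other than CA:TRUE, the v3_ca section was not applied; fix the configuration (or the -config path) and regenerate before importing, since FortiOS will accept the file as a local certificate either way and the problem only surfaces later when user certificates signed by it fail to validate.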
To import the certificate to the FortiGate unit - web-based manager
1. Go to System > Certificates > Local Certificates.
2. Select Import.
3. Select Certificate for Type.
Fields for Certificate file, Key file, and Password are displayed.
4. For Certificate file, enter c:\OpenSSL-Win32\bin\fgtca.crt.
5. For Key file, enter c:\OpenSSL-Win32\bin\fgtcapriv.key.
6. For Password, enter the PEM Pass Phrase you entered earlier, such as fortinet123.
7. Select OK.
The certificate will be added to the list of Local Certificates and be ready for use. It will appear in the list under the filename you uploaded, fgtca. You can add comments to this certificate to make it clear where it is from and how it is intended to be used. If you download the certificate from FortiOS, it is a .CER file.
It can now be used in “Authenticating IPsec VPN users with security certificates”, and “Authenticating SSL VPN users with security certificates”.
Optionally, you can also install the certificate as a CA certificate. This import takes the certificate only, without the private key, and makes it a trusted CA on the unit; CA certificates are used in HTTPS proxy/inspection. To do this, under CA Certificates select Import, select Local PC, and enter the certificate file c:\OpenSSL-Win32\bin\fgtca.crt. Then select OK. The certificate will be displayed in the CA Certificate list under the name CA_Cert_1.