Generating a certificate signing request
Many commercial certificate authorities (CAs) will provide a web site where you can generate your own certificate signing request (CSR). A CSR is an unsigned certificate file that the CA will sign. When the CSR is generated, the associated private key that the appliance will use to sign and/or encrypt connections with clients is also generated.
If your CA does not provide this, or if you have your own private CA such as a Linux server with OpenSSL, you can use the appliance to generate a CSR and private key. This CSR can then be submitted for verification and signing by the CA.
To generate a certificate request
1. Go to System > Certificate > Local Certificate.
2. Click Generate.
A dialog appears.
3. Configure the certificate signing request:
Setting name
Description
Certification name
Enter a unique name for the certificate request, such as fortirecorder.example.com. This can be the name of your appliance.

Subject Information

ID Type
Select the type of identifier to use in the certificate to identify the FortiRecorder appliance:
Host IP — Select if the FortiRecorder appliance has a static IP address and enter the public IP address of the FortiRecorder appliance in the IP field. If the FortiRecorder appliance does not have a public IP address, use E-Mail or Domain Name instead.
Domain Name — Select if the FortiRecorder appliance has a static IP address and subscribes to a dynamic DNS service. Enter the FQDN of the FortiRecorder appliance, such as fortirecorder.example.com, in the Domain Name field. Do not include the protocol specification (http://) or any port number or path names.
E-Mail — Select and enter the email address of the owner of the FortiRecorder appliance in the E-mail field. Use this if the appliance does not require either a static IP address or a domain name.
The type you should select varies by whether or not your FortiRecorder appliance has a static IP address, a fully-qualified domain name (FQDN), and by the primary intended use of the certificate.
For example, if your FortiRecorder appliance has both a static IP address and a domain name, but you will primarily use the local certificate for HTTPS connections to the web UI by the domain name of the FortiRecorder appliance, you might prefer to generate a certificate based upon the domain name of the FortiRecorder appliance, rather than its IP address.
 
IP
Type the static IP address of the FortiRecorder appliance, such as 10.0.0.1.
The IP address should be the one that is visible to clients. Usually, this should be its public IP address on the Internet, or a virtual IP that you use NAT to map to the appliance’s IP address on your private network.
This option appears only if ID Type is Host IP.
 
Domain Name
Type the fully qualified domain name (FQDN) of the FortiRecorder appliance, such as www.example.com.
The domain name must resolve to the static IP address of the FortiRecorder appliance or protected server. For more information, see “NVR configuration”.
This option appears only if ID Type is Domain Name.
 
E-mail
Type the email address of the owner of the FortiRecorder appliance, such as admin@example.com.
This option appears only if ID Type is E-Mail.

Key type
Displays the type of algorithm used to generate the key.
This option cannot be changed, but appears in order to indicate that only RSA is currently supported.

Key size
Select a secure key size of 512 Bit, 1024 Bit, 1536 Bit or 2048 Bit. Larger keys are slower to generate, but provide better security.
4. If you want to, or if your CA requires you to provide identifying information, configure these settings:
Setting name
Description
Optional Information

Organization unit
Optional. Type the name of your organizational unit (OU), such as the name of your department.
To enter more than one OU name, click the + icon, and enter each OU separately in each field.
 
Organization
Optional. Type the legal name of your organization.
 
Locality(City)
Optional. Type the name of the city or town where the FortiRecorder appliance is located.
 
State/Province
Optional. Type the name of the state or province where the FortiRecorder appliance is located.
 
Country/Region
Optional. Select the name of the country where the FortiRecorder appliance is located.
 
E-mail
Optional. Type an email address that may be used for contact purposes, such as admin@example.com.
5. Click OK.
The FortiRecorder appliance creates a private and public key pair. The generated request includes the public key of the FortiRecorder appliance and information such as the FortiRecorder appliance’s IP address, domain name, or email address. The FortiRecorder appliance’s private key remains confidential on the FortiRecorder appliance. The Status column of the entry is Pending.
6. Click to select the row that corresponds to the certificate request.
7. Click Download.
Standard dialogs appear with buttons to save the file at a location you select. Your web browser downloads the certificate request (.csr) file. Time required varies by the size of the file and the speed of your network connection.
8. Upload the certificate request to your CA.
After you submit the request to a CA, the CA will verify the information in the request, assign it a serial number and an expiration date, and sign it with the CA's private key.
9. If you are not using a commercial CA whose root certificate is already installed by default on web browsers, download your CA’s root certificate, then install it on all computers that will be connecting to your appliance. (If you do not install these, those computers may not trust your new certificate.)
10. When you receive the signed certificate from the CA, upload the certificate to the FortiRecorder appliance (see “Uploading & selecting to use a certificate”).
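The .csr file downloaded in step 7 can be checked before it is submitted in step 8, so that a wrong name or an undersized key is caught before the CA issues a certificate. The following script is an added example and is not part of the FortiRecorder documentation or product; it assumes the openssl command-line tool is installed and that the identifier chosen under ID Type (FQDN or IP address) appears as the subject CN of the request.

```shell
#!/bin/sh
# Added example (not FortiRecorder code): checks on the downloaded .csr file from
# step 7 before it goes to the CA in step 8. Assumes the openssl CLI is installed
# and that the identifier chosen under ID Type (FQDN or IP) is the subject CN.

# check_csr CSR_FILE EXPECTED_ID -> prints findings; returns 0 if acceptable.
check_csr() {
  csr="$1"; want="$2"; rc=0
  # 1. Must parse as a CSR, and its proof-of-possession signature (made with the
  #    private key that never leaves the appliance) must verify.
  if ! openssl req -in "$csr" -noout -verify >/dev/null 2>&1; then
    echo "FAIL: $csr is not a valid CSR or its self-signature does not verify"
    return 1
  fi
  # 2. Subject CN must be exactly the name or IP that clients will connect to.
  cn=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 \
       | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  if [ "$cn" != "$want" ]; then
    echo "FAIL: subject CN is '$cn', expected '$want'"; rc=1
  fi
  # 3. Key type and size. The appliance generates RSA only and offers 512 to
  #    2048 bits; public CAs reject keys below 2048, so fail on those. Size is
  #    derived from the modulus length, which works on OpenSSL 1.1 and 3.x.
  mod=$(openssl req -in "$csr" -noout -pubkey \
        | openssl rsa -pubin -noout -modulus 2>/dev/null | sed 's/^Modulus=//')
  if [ -z "$mod" ]; then
    echo "FAIL: public key in the request is not RSA"; rc=1
  elif [ $(( ${#mod} * 4 )) -lt 2048 ]; then
    echo "FAIL: RSA key is only $(( ${#mod} * 4 )) bits; regenerate with 2048 Bit"; rc=1
  fi
  # 4. Browsers match the host against Subject Alternative Name, not CN. Most
  #    CAs copy the CN into a SAN; confirm that on the signed certificate.
  openssl req -in "$csr" -noout -text | grep -q 'Subject Alternative Name' \
    || echo "warn: request has no SAN; check that the CA adds one"
  return $rc
}

# make_demo_csr BITS CN OUTFILE: throwaway key + CSR standing in for the
# appliance-generated request (constructed test input, not a real one).
make_demo_csr() {
  openssl req -new -newkey "rsa:$1" -nodes -keyout "$3.key" -subj "/CN=$2" \
    -out "$3" 2>/dev/null
}

# Usage: sh check_csr.sh downloaded.csr fortirecorder.example.com
if [ $# -ge 2 ]; then check_csr "$1" "$2"; fi
```

A request that fails the key-size check should be regenerated on the appliance with Key size set to 2048 Bit rather than submitted; a CN mismatch usually means the wrong ID Type was chosen in step 3.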