1. Creating a new CA on the FortiAuthenticator
On the FortiAuthenticator, go to Certificate Management > Certificate Authorities > Local CAs and create a new CA.
Enter a Certificate ID, select Root CA certificate, and configure the key options as shown in the example.
Once created, highlight the certificate and select Export.
This will save a .crt file to your local drive.
2. Installing the CA on the network
The certificate must now be installed on the computers in your network as a trusted root CA. The steps below show different methods of installing the certificate, depending on your browser.
Internet Explorer and Chrome
In Windows Explorer, right-click on the certificate and select Install Certificate. Open the certificate and follow the Certificate Import Wizard.
Make sure to place the certificate in the Trusted Root Certification Authorities store.
Finish the Wizard, and select Yes to confirm and install the certificate.
Firefox
In the web browser, go to Options > Advanced > Certificates and select View Certificates.
In the Authorities tab, select Import.
Find and open the root certificate.
You will be asked what purposes the certificate will be trusted to identify. Select all options, and select OK.
3. Creating a CSR on the FortiGate
On the FortiGate, go to System > Certificates and select Generate to create a new certificate signing request (CSR).
Enter a Certificate Name, the Internet-facing IP address of the FortiGate, and a valid email address, then configure the key options as shown in the example.
Once created, the certificate will show a Status of Pending. Highlight the certificate and select Download.
This will save a .csr file to your local drive.
4. Importing and signing the CSR on the FortiAuthenticator
Back on the FortiAuthenticator, go to Certificate Management > End Entities > Users and import the .csr certificate created earlier.
Make sure to select the Certificate authority from the dropdown menu and set the Hash algorithm to SHA-256, as configured earlier.
Once imported, you should see that the certificate has been signed by the FortiAuthenticator, with a Status of Active. Highlight the certificate and select Export Certificate.
This will save a .cer file to your local drive.
5. Importing the local certificate to the FortiGate
Back on the FortiGate, go to System > Certificates and select Local Certificate from the Import dropdown menu.
Browse to the .cer certificate you just created. Select Open and then select OK.
You should now see that the certificate’s Status has changed from Pending to OK. You may have to refresh your page to see the status change.
6. Configuring the certificate for the GUI
Go to System > Admin > Settings.
Under Administration Settings, set HTTPS Server Certificate to the certificate created/signed earlier, then select Apply.
7. Results
Close and reopen your browser, and go to the FortiGate admin login page. If you click on the lock icon next to the address bar, you should see that the certificate has been signed and verified by the FortiAuthenticator. As a result, no certificate errors will appear.
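The files exported in steps 1, 3 and 4 can also be checked from a shell. The script below is an added example, not part of the original guide: it uses OpenSSL to build constructed stand-ins for the three files and then confirms that the signed certificate chains to the CA, is signed with SHA-256, and carries the same public key as the CSR. The file names, the RSA 2048 key size and the address 192.0.2.10 are assumptions, as is PEM encoding of the exports.

```shell
# Added example; file names, key size and the 192.0.2.10 address are constructed.
# Assumes PEM-encoded files and the openssl command-line tool.

# Build a throwaway root CA, a CSR and a SHA-256 signed certificate in
# directory $1 (the OpenSSL equivalent of steps 1, 3 and 4).
make_lab_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Lab Root CA" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null &&
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=192.0.2.10" \
    -keyout "$1/fgt.key" -out "$1/fgt.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/fgt.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -sha256 -days 30 -out "$1/fgt.cer" 2>/dev/null
}

# Succeeds only if certificate $2 chains to the CA file $1.
chains_to_ca() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Succeeds only if certificate $1 was signed with a SHA-256 based algorithm.
signed_with_sha256() {
  openssl x509 -in "$1" -noout -text | grep -qi 'Signature Algorithm: sha256'
}

# Succeeds only if CSR $1 and certificate $2 carry the same public key,
# i.e. the certificate answers the request still pending on the FortiGate.
csr_matches_cert() {
  [ "$(openssl req -in "$1" -noout -pubkey)" = \
    "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# usage: check_signed_cert <ca.crt> <request.csr> <signed.cer>
check_signed_cert() {
  chains_to_ca "$1" "$3" && signed_with_sha256 "$3" && csr_matches_cert "$2" "$3"
}

# Run on constructed lab files; for real use, pass the exported files instead.
lab=$(mktemp -d) && make_lab_pki "$lab" &&
  check_signed_cert "$lab/ca.crt" "$lab/fgt.csr" "$lab/fgt.cer" &&
  echo "chain, SHA-256 signature and CSR key all check out"
rm -rf "$lab"
```

Running `check_signed_cert` on the real .crt, .csr and .cer files before step 5 catches a certificate signed by the wrong CA or issued for a different request.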