Certificate-based authentication

Leave a reply

Obtaining and installing a signed server certificate from an external CA

To obtain a signed server certificate for a FortiGate unit, you must send a request to a CA that provides digital certificates that adhere to the X.509 standard. The FortiGate unit provides a way for you to generate the request.

To submit the certificate signing request (file-based enrollment):

  1. Using the web browser on the management computer, browse to the CA web site.
  2. Follow the CA instructions for a base-64 encoded PKCS#10 certificate request and upload your certificate request.
  3. Follow the CA instructions to download their root certificate and CRL.

When you receive the signed server certificate from the CA, install the certificate on the FortiGate unit.

To install or import the signed server certificate – web-based manager

  1. On the FortiGate unit, go to System > Certificates and select Import > Local Certificates.
  2. From Type, select Local Certificate.
  3. Select Browse, browse to the location on the management computer where the certificate was saved, select the certificate, and then select Open.
  4. Select OK, and then select Return.

Installing a CA root certificate and CRL to authenticate remote clients

When you apply for a signed personal or group certificate to install on remote clients, you can obtain the corresponding root certificate and CRL from the issuing CA. When you receive the signed personal or group certificate, install the signed certificate on the remote client(s) according to the browser documentation. Install the corresponding root certificate (and CRL) from the issuing CA on the FortiGate unit according to the procedures given below.

To install a CA root certificate

  1. After you download the root certificate of the CA, save the certificate on the management computer. Or, you can use online SCEP to retrieve the certificate.
  2. On the FortiGate unit, go to System > Certificates and select Import > CA Certificates.
  3. Do one of the following:
    • To import using SCEP, select SCEP. Enter the URL of the SCEP server from which to retrieve the CA certificate. Optionally, enter identifying information of the CA, such as the filename.
    • To import from a file, select Local PC, then select Browse and find the location on the management computer where the certificate has been saved. Select the certificate, and then select Open.
  1. Select OK, and then select Return.

The system assigns a unique name to each CA certificate. The names are numbered consecutively (CA_Cert_1, CA_Cert_2, CA_Cert_3, and so on).

To import a certificate revocation list

A Certificate Revocation List (CRL) is a list of the CA certificate subscribers paired with certificate status information. The list contains the revoked certificates and the reason(s) for revocation. It also records the certificate issue dates and the CAs that issued them.

Troubleshooting

When configured to support SSL VPNs, the FortiGate unit uses the CRL to ensure that the certificates belonging to the CA and remote peers or clients are valid. The CRL has an “effective date” and a “next update” date. The interval is typically 7 days (for Microsoft CA). FortiOS will update the CRL automatically. Also, there is a CLI command to specify an “update-interval” in seconds. Recommendation should be 24 hours (86400 seconds) but depends on company security policy.

  1. After you download the CRL from the CA web site, save the CRL on the management computer.
  2. Go to System > Certificates and select Import > CRL.
  3. Do one of the following:
    • To import using an HTTP server, select HTTP and enter the URL of the HTTP server. l To import using an LDAP server see this KB article.
    • To import using an SCEP server, select SCEP and select the Local Certificate from the list. Enter the URL of the SCEP server from which the CRL can be retrieved.
    • To import from a file, select Local PC, then select Browse and find the location on the management computer where the CRL has been saved. Select the CRL and then select Open.
  1. Select OK, and then select Return.

To import a PKCS12 certificate from the CLI

The following CLI syntax can be entered to import a local certificate file:

execute vpn certificate local import tftp <file name> <tftp ip address> <file type> <Enter for ‘cer’>|<password for ‘p12’>

For example:

execute vpn certificate local import tftp FGTF-extern.p12 10.1.100.253 p12 123456

ExtendedKeyUsage for x.509 certificates

As per Network Device Collaborative Protection Profile (NDcPP) v1.0 requirements, server certificates used for TLS connections between FortiGate and FortiAnalyzer have the “Server Authentication” and “Client Authentication” extendedKeyUsage fields in FIPS/CC mode.

The following CLI command is available under log fortianalyzer setting to allow you to specify the certificate used to communicate with FortiAnalyzer.

CLI syntax

config log fortianalyzer setting set certificate <name>

end


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Pages: 1 2 3 4 5 6 7 8 9 10 11
This entry was posted in FortiGate, FortiOS 5.6 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.