Certificates – FortiAnalyzer – FortiOS 6.2.3

Certificates

The FortiAnalyzer generates a certificate request based on the information you entered to identify the FortiAnalyzer unit. After you generate a certificate request, you can download the request to a management computer and then forward the request to a CA.

Local certificates are issued for a specific server, or website. Generally they are very specific, and often for an internal enterprise network.

CA root certificates are similar to local certificates, however they apply to a broader range of addresses or to an entire company.

The CRL is a list of certificates that have been revoked and are no longer usable. This list includes expired, stolen, or otherwise compromised certificates. If your certificate is on this list, it will not be accepted. CRLs are maintained by the CA that issues the certificates and include the date and time when the next CRL will be issued, as well as a sequence number to help ensure you have the most current versions.

Local certificates

The FortiAnalyzer unit generates a certificate request based on the information you enter to identify the FortiAnalyzer unit. After you generate a certificate request, you can download the request to a computer that has management access to the FortiAnalyzer unit and then forward the request to a CA.

The certificate window also enables you to export certificates for authentication, importing, and viewing.

The FortiAnalyzer has one default local certificate: Fortinet_Local.

You can manage local certificates from the System Settings > Certificates > Local Certificates page. Some options are available in the toolbar and some are also available in the right-click menu.

Creating a local certificate

To create a certificate request:

  1. Go to System Settings > Certificates > Local Certificates.
  2. Click Create New in the toolbar. The Generate Certificate Signing Request pane opens.
  3. Enter the following information as required, then click OK to save the certificate request:
     Certificate Name: The name of the certificate.
     Subject Information: Select the ID type from the dropdown list:
       - Host IP: Select if the unit has a static IP address. Enter the public IP address of the unit in the Host IP field.
       - Domain Name: Select if the unit has a dynamic IP address and subscribes to a dynamic DNS service. Enter the domain name of the unit in the Domain Name field.
       - Email: Select to use an email address. Enter the email address in the Email Address field.
     Optional Information:
       - Organization Unit (OU): The name of the department. You can enter a series of OUs up to a maximum of 5. To add or remove an OU, use the plus (+) or minus (-) icons.
       - Organization (O): Legal name of the company or organization.
       - Locality (L): Name of the city or town where the device is installed.
       - State/Province (ST): Name of the state or province where the FortiGate unit is installed.
       - Country (C): Select the country where the unit is installed from the dropdown list.
       - E-mail Address (EA): Contact email address.
     Subject Alternative Name: Optionally, enter one or more alternative names for which the certificate is also valid. Separate names with a comma. A name can be:
       - e-mail address
       - IP address
       - URI
       - DNS name (alternatives to the Common Name)
       - directory name (alternatives to the Distinguished Name)
       You must precede the name with the name type. Examples:
       - IP:1.1.1.1
       - email:test@fortinet.com
       - email:my@other.address
       - URI:http://my.url.here/
     Key Type: The key type can be RSA or Elliptic Curve.
     Key Size: Select the key size from the dropdown list: 512 Bit, 1024 Bit, 1536 Bit, or 2048 Bit. This option is only available when the key type is RSA.
     Curve Name: Select the curve name from the dropdown list: secp256r1 (default), secp384r1, or secp521r1. This option is only available when the key type is Elliptic Curve.
     Enrollment Method: The enrollment method is set to File Based.
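The request the form above produces can be reproduced and inspected with OpenSSL before it is forwarded to the CA. This is an added example, not from the FortiAnalyzer guide; it assumes openssl 1.1.1 or later on PATH, and every subject value, file name and host name in it is made up.

```shell
#!/bin/sh
# Build a CSR with the same fields as the Create New form (subject DN, typed SAN
# entries, EC key on secp384r1) and expose review helpers for the result.
set -eu
WORK=${WORK:-$(mktemp -d)}

# Subject fields mirror the form (C, ST, L, O, OU, CN, EA). SAN entries follow the
# guide's "type:value" convention; "Host IP" maps to IP:, "Domain Name" to DNS:.
write_csr_config() {
  cat > "$WORK/csr.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
req_extensions = ext
[ dn ]
C  = US
ST = Example State
L  = Example City
O  = Example Org
OU = Security Operations
CN = faz.example.internal
emailAddress = pki-admin@example.internal
[ ext ]
subjectAltName = IP:1.1.1.1, email:test@fortinet.com, URI:http://my.url.here/, DNS:faz.example.internal
EOF
}

# Key Type = Elliptic Curve, Curve Name = secp384r1 (OpenSSL calls the form's
# default, secp256r1, "prime256v1"). Of the RSA sizes the form offers, public CAs
# accept only 2048 bits and up, so prefer EC or rsa:2048 when the CA is external.
gen_key() {
  openssl ecparam -name secp384r1 -genkey -noout -out "$WORK/faz.key"
}

# Produce the CSR: this is the file the guide says to download and forward to the CA.
gen_csr() {
  write_csr_config
  gen_key
  openssl req -new -key "$WORK/faz.key" -config "$WORK/csr.cnf" -out "$WORK/faz.csr"
}

# Review helpers: the SAN line and the key's curve, exactly as the CA will see them.
csr_san() {
  openssl req -in "$WORK/faz.csr" -noout -text |
    awk '/Subject Alternative Name/ { getline; sub(/^ */, ""); print; exit }'
}
csr_curve() {
  openssl req -in "$WORK/faz.csr" -noout -text | awk '/ASN1 OID/ { print $NF; exit }'
}
```

Run gen_csr, then csr_san and csr_curve, to confirm every alternative name and the curve before submitting the request.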

Importing local certificates

To import a local certificate:

  1. Go to System Settings > Certificates > Local Certificates.
  2. Click Import in the toolbar or right-click and select Import. The Import dialog box opens.
  3. Enter the following information as required, then click OK to import the local certificate:
     Type: Select the certificate type from the dropdown list: Local Certificate, PKCS #12 Certificate, or Certificate.
     Certificate File: Click Browse… and locate the certificate file on the management computer, or drag and drop the file onto the dialog box.
     Key File: Click Browse… and locate the key file on the management computer, or drag and drop the file onto the dialog box. This option is only available when Type is Certificate.
     Password: Enter the certificate password. This option is only available when Type is PKCS #12 Certificate or Certificate.
     Certificate Name: Enter the certificate name. This option is only available when Type is PKCS #12 Certificate or Certificate.

Deleting local certificates

To delete a local certificate or certificates:

  1. Go to System Settings > Certificates > Local Certificates.
  2. Select the certificate or certificates you need to delete.
  3. Click Delete in the toolbar, or right-click and select Delete.
  4. Click OK in the confirmation dialog box to delete the selected certificate or certificates.

Viewing details of local certificates

To view details of a local certificate:

  1. Go to System Settings > Certificates > Local Certificates.
  2. Select the certificates that you would like to see details about, then click View Certificate Detail in the toolbar or right-click menu. The View Local Certificate page opens.
  3. Click OK to return to the local certificates list.

Downloading local certificates

To download a local certificate:

  1. Go to System Settings > Certificates > Local Certificates.
  2. Select the certificate that you need to download.
  3. Click Download in the toolbar, or right-click and select Download, and save the certificate to the management computer.

When an object is added to a policy package and assigned to an ADOM, the object is available in all devices that are part of the ADOM. If the object is renamed on a device locally, FortiManager automatically syncs the renamed object to the ADOM.

CA certificates

The FortiAnalyzer has one default CA certificate, Fortinet_CA. In this sub-menu you can delete, import, view, and download certificates.

Importing CA certificates

To import a CA certificate:

  1. Go to System Settings > Certificates > CA Certificates.
  2. Click Import in the toolbar, or right-click and select Import. The Import dialog box opens.
  3. Click Browse… and locate the certificate file on the management computer, or drag and drop the file onto the dialog box.
  4. Click OK to import the certificate.

Viewing CA certificate details

To view a CA certificate’s details:

  1. Go to System Settings > Certificates > CA Certificates.
  2. Select the certificates you need to see details about.
  3. Click View Certificate Detail in the toolbar, or right-click and select View Certificate Detail. The View CA Certificate page opens.
  4. Click OK to return to the CA certificates list.

Downloading CA certificates

To download a CA certificate:

  1. Go to System Settings > Certificates > CA Certificates.
  2. Select the certificate you need to download.
  3. Click Download in the toolbar, or right-click and select Download, and save the certificate to the management computer.

Deleting CA certificates

To delete a CA certificate or certificates:

  1. Go to System Settings > Certificates > CA Certificates.
  2. Select the certificate or certificates you need to delete.
  3. Click Delete in the toolbar, or right-click and select Delete.
  4. Click OK in the confirmation dialog box to delete the selected certificate or certificates.

Certificate revocation lists

When you apply for a signed personal or group certificate to install on remote clients, you can obtain the corresponding root certificate and Certificate Revocation List (CRL) from the issuing CA.

The CRL is a list of certificates that have been revoked and are no longer usable. This list includes expired, stolen, or otherwise compromised certificates. If your certificate is on this list, it will not be accepted. CRLs are maintained by the CA that issues the certificates and include the date and time when the next CRL will be issued, as well as a sequence number to help ensure you have the most current version of the CRL.

When you receive the signed personal or group certificate, install the signed certificate on the remote client(s) according to the browser documentation. Install the corresponding root certificate (and CRL) from the issuing CA on the FortiAnalyzer unit according to the procedures given below.
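The two CRL properties described above, the next-issue time and the sequence number, can be checked with OpenSSL before a CRL is imported, and the CRL can be exercised against a certificate. This is an added example, not from the FortiAnalyzer guide: it stands up a throwaway test CA, issues and revokes a client certificate, publishes a CRL, and verifies against it. It assumes openssl 1.1.1 or later; the CA name, client name and file names are made up.

```shell
#!/bin/sh
# Throwaway CA -> issue client cert -> revoke -> publish CRL -> read nextUpdate and
# CRL number -> verify the client cert with CRL checking enabled.
set -eu
CA=${CA:-$(mktemp -d)}

# Minimal CA: key, self-signed root, and the database files `openssl ca` needs.
setup_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Test CA" \
    -keyout "$CA/ca.key" -out "$CA/ca.pem" 2>/dev/null
  : > "$CA/index.txt"
  echo 01 > "$CA/serial"
  echo 01 > "$CA/crlnumber"          # seed for the CRL's sequence number
  cat > "$CA/ca.cnf" <<EOF
[ ca ]
default_ca = test
[ test ]
dir = $CA
database = \$dir/index.txt
new_certs_dir = \$dir
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/ca.pem
private_key = \$dir/ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = any
[ any ]
commonName = supplied
EOF
}
issue_client() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=remote-client" \
    -keyout "$CA/client.key" -out "$CA/client.csr" 2>/dev/null
  openssl ca -batch -config "$CA/ca.cnf" -in "$CA/client.csr" -out "$CA/client.pem" 2>/dev/null
}
revoke_client() { openssl ca -config "$CA/ca.cnf" -revoke "$CA/client.pem" 2>/dev/null; }
gen_crl()       { openssl ca -config "$CA/ca.cnf" -gencrl -out "$CA/ca.crl" 2>/dev/null; }

# The freshness metadata the guide describes: when the next CRL is due, and its sequence number.
crl_next_update() { openssl crl -in "$CA/ca.crl" -noout -nextupdate | sed 's/^nextUpdate=//'; }
crl_number()      { openssl crl -in "$CA/ca.crl" -noout -crlnumber  | sed 's/^crlNumber=//'; }

# Exit 0 if the CA chain and CRL accept the client certificate, non-zero once it is revoked.
verify_with_crl() {
  openssl verify -crl_check -CAfile "$CA/ca.pem" -CRLfile "$CA/ca.crl" "$CA/client.pem" >/dev/null 2>&1
}
```

Each gen_crl call consumes the current crlnumber value, so a CRL with a lower number than the one already imported is stale and should not replace it.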

Importing a CRL

To import a CRL:

  1. Go to System Settings > Certificates > CRL.
  2. Click Import in the toolbar, or right-click and select Import. The Import dialog box opens.
  3. Click Browse… and locate the CRL file on the management computer, or drag and drop the file onto the dialog box.
  4. Click OK to import the CRL.

Viewing a CRL

To view a CRL:

  1. Go to System Settings > Certificates > CRL.
  2. Select the CRL you need to see details about.
  3. Click View Certificate Detail in the toolbar, or right-click and select View Certificate Detail. The Result page opens.
  4. Click OK to return to the CRL list.

Deleting a CRL

To delete a CRL or CRLs:

  1. Go to System Settings > Certificates > CRL.
  2. Select the CRL or CRLs you need to delete.
  3. Click Delete in the toolbar, or right-click and select Delete.
  4. Click OK in the confirmation dialog box to delete the selected CRL or CRLs.

This entry was posted in Administration Guides, FortiAnalyzer, FortiOS 6.2.
