How to generate Certificate Signing Request (CSR) and install a Certificate in the FortiGate Web Portal?
Overview
By the end of this article, you will know how to generate a CSR and install the resulting certificate on FortiGate interfaces.
What is a Certificate Signing Request (CSR)?
A Certificate Signing Request (CSR) is a digitally signed file that contains your device’s public key and identifying details such as domain name and organization information. The CSR is submitted to a Certificate Authority (CA) to obtain a trusted SSL/TLS certificate.
For FortiGate portals, this signed certificate enables secure HTTPS communication on your FortiGate interfaces, such as the admin GUI or VPN portal.
Steps to Generate a CSR in the FortiGate Web Portal
To generate a Certificate Signing Request (CSR) within the FortiGate Web Portal, follow these step-by-step instructions. This process is essential for enabling SSL/TLS encryption on FortiGate interfaces such as the admin GUI and SSL VPN portal, ensuring secure communication and certificate-based authentication.
Step 1: Access your FortiGate Console to generate a CSR
- Log in to your FortiGate Management Console using your admin credentials.
- Navigate to: System > Certificates.
- Select Create/Import and choose Generate CSR to begin the certificate request process.
Step 2: Provide the necessary information for CSR creation
- Certificate Name: Assign a descriptive, user-friendly Certificate Name.
- ID Type: Domain Name.
- Domain Name: The Fully Qualified Domain Name (FQDN) you want to secure, for example, vpn.yourdomain.com.
- Subject Information: The details of your organization, such as the organization name, department, city, state/province, country and email address.
- Subject Alternative Name (SAN): This is optional and needs to be filled if you are adding additional domains or IPs.
- Key Type: Select RSA.
- Key Size: Choose 2048 bits.
- Enrollment Method: Select File Based.
Step 3: Click OK to create the CSR.
Step 4: The new certificate will show a Status of Pending in the Local Certificate section of the portal.
Step 5: Highlight the pending certificate and select Download to save the CSR file (.csr) to your local computer.
The CSR file can be opened in any text editor. It is PEM-encoded text that begins with -----BEGIN CERTIFICATE REQUEST----- and ends with -----END CERTIFICATE REQUEST-----.
Steps to Submit the Generated CSR and Receive the Certificate from Sectigo
Once you've generated the Certificate Signing Request (CSR) from your FortiGate Web Portal, follow these steps to submit it to Sectigo and obtain your signed certificate:
- Open the generated .csr file in a text editor like Notepad.
- Submit the CSR to Sectigo by logging into our portal.
- Once validation is completed, Sectigo will provide you with the following:
a) The primary certificate, typically sent as Individual CRT Files in .crt format. It can also be downloaded in the PEM File and CA Bundle, Individual PEM Files, and CER (PKCS7/P7B) formats.
b) The Intermediate and Root Certificates. We recommend installing both to ensure complete certificate validation and to establish a secure trust chain between your systems and the certificate authority. This is essential for maintaining secure communications and preventing trust-related errors.
Steps to install the signed certificate in FortiGate Web Portal
After receiving your signed certificate, follow the steps below to install it in your FortiGate Management Console:
- Log in to your FortiGate Management Console.
- Go to: System > Certificates.
- From the Import dropdown, select Certificate.
- Navigate to System -> Certificates -> Create/Import -> Certificate -> Import Certificate, select type as Local Certificate, upload the PEM Certificate, and select 'Create'. The certificate will be generated.
- If you generated the CSR using OpenSSL or another third-party tool and have the private key separately, navigate to System -> Certificates -> Create/Import -> Certificate -> Import Certificate.
- If you have a PFX file, navigate to System -> Certificates -> Create/Import -> Certificate -> Import Certificate, select the type as PKCS12, upload the certificate, use the Password/Passphrase provided by the CA vendor, and select 'Create'.
- The status will update from PENDING to OK.
- Next, import the Intermediate/Root CA certificate:
- Select Import > CA Certificate.
- Browse and upload the intermediate certificate file, then click OK.
Steps for Assigning the Certificate to a Service
Depending on your use case (Admin Web UI, SSL VPN, etc.), bind the installed certificate by following the steps below:
1. For SSL VPN:
- Navigate to VPN > SSL > Settings.
- In the Server Certificate dropdown, select your newly installed certificate and click Apply.
2. For Admin Web Interface:
- Navigate to System > Settings.
- Under HTTPS Server Certificate, select your installed certificate and click Apply.
Tips
- Always keep the private key securely on the FortiGate device.
- Use the built-in generator so that the private key never leaves your firewall.
- Make sure to use PEM-encoded certificates.
Some troubleshooting methods:
- If the certificate status continues to show PENDING, ensure you are importing the certificate that matches the CSR you generated.
- If there are browser issues, confirm that both the device certificate and any Intermediate/Root CA certificates are correctly imported.
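The script below is an added example, not part of the original article or of any FortiGate or Sectigo tooling. It uses the OpenSSL command line on a workstation to check two points from the steps above: that the downloaded CSR verifies and carries a key of at least 2048 bits before you submit it, and that a certificate returned by the CA holds the same public key as the pending CSR (a mismatch is the case behind a status that stays at PENDING). The function names, file names and the sample files it generates are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-submission and pre-import checks with the openssl CLI.
# All file names are placeholders; the sample files are constructed locally.

# csr_ok FILE [MIN_BITS]: CSR self-signature verifies and key is >= MIN_BITS.
csr_ok() {
    min=${2:-2048}
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' || {
        echo "CSR signature does not verify: $1" >&2; return 1; }
    bits=$(openssl req -in "$1" -noout -text 2>/dev/null |
           sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p')
    [ "${bits:-0}" -ge "$min" ] || {
        echo "key is ${bits:-unknown} bits, expected >= $min" >&2; return 1; }
}

# cert_matches_csr CERT CSR: true only if both carry the same public key,
# i.e. the certificate was issued for this pending request.
cert_matches_csr() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    r=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$c" ] && [ "$c" = "$r" ]
}

# make_samples DIR: constructed stand-ins for the FortiGate CSR and CA reply.
# a.csr/a.crt share a key; b.crt belongs to an unrelated request.
make_samples() {
    for n in a b; do
        openssl req -new -newkey rsa:2048 -nodes -keyout "$1/$n.key" \
            -subj "/CN=vpn.yourdomain.com" -out "$1/$n.csr" 2>/dev/null &&
        openssl x509 -req -in "$1/$n.csr" -signkey "$1/$n.key" -days 1 \
            -out "$1/$n.crt" 2>/dev/null || return 1
    done
}

d=$(mktemp -d) && make_samples "$d" || exit 1
csr_ok "$d/a.csr" && echo "a.csr: signature and key size OK"
cert_matches_csr "$d/a.crt" "$d/a.csr" && echo "a.crt matches a.csr"
cert_matches_csr "$d/b.crt" "$d/a.csr" || echo "b.crt does NOT match a.csr"
rm -rf "$d"
```

With real files, run `csr_ok` on the .csr downloaded in Step 5 and `cert_matches_csr` on the .crt from the CA before importing it.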
Follow the above steps correctly to generate a CSR, obtain a trusted certificate from Sectigo and install it in your FortiGate appliance.