Certificates
The FortiAnalyzer generates a certificate request based on the information you entered to identify the FortiAnalyzer unit. After you generate a certificate request, you can download the request to a management computer and then forward the request to a CA.
Local certificates are issued for a specific server, or website. Generally they are very specific, and often for an internal enterprise network.
CA root certificates are similar to local certificates, however they apply to a broader range of addresses or to an entire company.
The CRL is a list of certificates that have been revoked and are no longer usable. This list includes expired, stolen, or otherwise compromised certificates. If your certificate is on this list, it will not be accepted. CRLs are maintained by the CA that issues the certificates and include the date and time when the next CRL will be issued, as well as a sequence number to help ensure you have the most current version.
Local certificates
The FortiAnalyzer unit generates a certificate request based on the information you enter to identify the FortiAnalyzer unit. After you generate a certificate request, you can download the request to a computer that has management access to the FortiAnalyzer unit and then forward the request to a CA.
The certificate window also enables you to export certificates for authentication, importing, and viewing.
The FortiAnalyzer has one default local certificate: Fortinet_Local.
You can manage local certificates from the System Settings > Certificates > Local Certificates page. Some options are available in the toolbar and some are also available in the right-click menu.
Creating a local certificate
To create a certificate request:
- Go to System Settings > Certificates > Local Certificates.
- Click Create New in the toolbar. The Generate Certificate Signing Request pane opens.
- Enter the following information as required, then click OK to save the certificate request:
| Field | Description |
| --- | --- |
| Certificate Name | The name of the certificate. |
| Subject Information | Select the ID type from the dropdown list. Host IP: select if the unit has a static IP address, and enter the public IP address of the unit in the Host IP field. Domain Name: select if the unit has a dynamic IP address and subscribes to a dynamic DNS service, and enter the domain name of the unit in the Domain Name field. Email: select to use an email address, and enter the email address in the Email Address field. |
| Optional Information | |
| Organization Unit (OU) | The name of the department. You can enter a series of OUs up to a maximum of 5. To add or remove an OU, use the plus (+) or minus (-) icons. |
| Organization (O) | Legal name of the company or organization. |
| Locality (L) | Name of the city or town where the device is installed. |
| State/Province (ST) | Name of the state or province where the FortiGate unit is installed. |
| Country (C) | Select the country where the unit is installed from the dropdown list. |
| E-mail Address (EA) | Contact email address. |
| Subject Alternative Name | Optionally, enter one or more alternative names for which the certificate is also valid. Separate names with a comma. A name can be an e-mail address, an IP address, a URI, a DNS name (alternative to the Common Name), or a directory name (alternative to the Distinguished Name). You must precede the name with the name type. Examples: IP:1.1.1.1, email:test@fortinet.com, email:my@other.address, URI:http://my.url.here/ |
| Key Type | The key type can be RSA or Elliptic Curve. |
| Key Size | Select the key size from the dropdown list: 512 Bit, 1024 Bit, 1536 Bit, or 2048 Bit. This option is only available when the key type is RSA. |
| Curve Name | Select the curve name from the dropdown list: secp256r1 (default), secp384r1, or secp521r1. This option is only available when the key type is Elliptic Curve. |
| Enrollment Method | The enrollment method is set to File Based. |
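As an added example (not Fortinet's code), the following Python builds an equivalent OpenSSL `req` configuration from the same fields the form collects and enforces the form's own constraints (a valid ID type, at most 5 OUs, typed SAN entries, only the offered key sizes and curves), warning about the sub-2048-bit RSA sizes the form still offers. The function, parameter and constant names are assumptions made for this example.

```python
"""Build an OpenSSL 'req' config from the FortiAnalyzer CSR form's fields."""
import ipaddress
RSA_SIZES = (512, 1024, 1536, 2048)            # sizes the form offers
EC_CURVES = ("secp256r1", "secp384r1", "secp521r1")
SAN_TYPES = ("IP", "email", "URI", "DNS")      # prefixes the form requires
ID_FIELDS = {"Host IP": "CN", "Domain Name": "CN", "Email": "emailAddress"}

def build_req_config(id_type, id_value, ou=(), org="", locality="", state="",
                     country="", contact="", san="", key_type="RSA",
                     key_size=2048, curve="secp256r1"):
    """Return (config_text, warnings); raise ValueError on a form violation."""
    warnings = []
    if id_type not in ID_FIELDS:
        raise ValueError(f"unknown ID type {id_type!r}")
    if id_type == "Host IP":
        ipaddress.ip_address(id_value)           # must parse as an address
    if len(ou) > 5:
        raise ValueError("at most 5 Organization Units are allowed")
    if key_type == "RSA":
        if key_size not in RSA_SIZES:
            raise ValueError(f"RSA key size must be one of {RSA_SIZES}")
        if key_size < 2048:                      # offered, but no longer safe
            warnings.append(f"RSA-{key_size} is weak; use 2048 bits")
    elif key_type != "Elliptic Curve" or curve not in EC_CURVES:
        raise ValueError("key type must be RSA or an offered Elliptic Curve")
    alt_names = []
    for entry in filter(None, (s.strip() for s in san.split(","))):
        kind, _, value = entry.partition(":")
        if kind not in SAN_TYPES or not value:   # the type prefix is mandatory
            raise ValueError(f"SAN {entry!r} needs a prefix from {SAN_TYPES}")
        if kind == "IP":
            ipaddress.ip_address(value)
        alt_names.append(f"{kind}:{value}")
    # Repeated DN attributes (several OUs, EA beside an Email subject) must be
    # numbered in an OpenSSL section or later values silently replace earlier.
    ea_key = "1.emailAddress" if id_type == "Email" else "emailAddress"
    dn = [f"{ID_FIELDS[id_type]} = {id_value}"]
    dn += [f"{i}.OU = {unit}" for i, unit in enumerate(ou)]
    dn += [f"{k} = {v}" for k, v in (("O", org), ("L", locality), ("ST", state),
                                      ("C", country), (ea_key, contact)) if v]
    lines = ["[ req ]", "prompt = no", "distinguished_name = dn"]
    if key_type == "RSA":
        lines.append(f"default_bits = {key_size}")
    if alt_names:
        lines.append("req_extensions = ext")
    lines += ["", "[ dn ]", *dn]
    if alt_names:
        lines += ["", "[ ext ]", "subjectAltName = " + ", ".join(alt_names)]
    return "\n".join(lines) + "\n", warnings
```

Write the returned text to a file and run `openssl req -new -config req.cnf -keyout key.pem -out req.csr` for an RSA request; for an Elliptic Curve request, generate the key first (OpenSSL names secp256r1 `prime256v1`) with `openssl ecparam -name prime256v1 -genkey -noout -out key.pem` and add `-key key.pem`.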
Importing local certificates
To import a local certificate:
- Go to System Settings > Certificates > Local Certificates.
- Click Import in the toolbar or right-click and select Import. The Import dialog box opens.
- Enter the following information as required, then click OK to import the local certificate:
| Field | Description |
| --- | --- |
| Type | Select the certificate type from the dropdown list: Local Certificate, PKCS #12 Certificate, or Certificate. |
| Certificate File | Click Browse… and locate the certificate file on the management computer, or drag and drop the file onto the dialog box. |
| Key File | Click Browse… and locate the key file on the management computer, or drag and drop the file onto the dialog box. This option is only available when Type is Certificate. |
| Password | Enter the certificate password. This option is only available when Type is PKCS #12 Certificate or Certificate. |
| Certificate Name | Enter the certificate name. This option is only available when Type is PKCS #12 Certificate or Certificate. |
Deleting local certificates
To delete a local certificate or certificates:
- Go to System Settings > Certificates > Local Certificates.
- Select the certificate or certificates you need to delete.
- Click Delete in the toolbar, or right-click and select Delete.
- Click OK in the confirmation dialog box to delete the selected certificate or certificates.
Viewing details of local certificates
To view details of a local certificate:
- Go to System Settings > Certificates > Local Certificates.
- Select the certificates that you would like to see details about, then click View Certificate Detail in the toolbar or right-click menu. The View Local Certificate page opens.
- Click OK to return to the local certificates list.
Downloading local certificates
To download a local certificate:
- Go to System Settings > Certificates > Local Certificates.
- Select the certificate that you need to download.
- Click Download in the toolbar, or right-click and select Download, and save the certificate to the management computer.
CA certificates
The FortiAnalyzer has one default CA certificate, Fortinet_CA. In this sub-menu you can delete, import, view, and download certificates.
Importing CA certificates
To import a CA certificate:
- Go to System Settings > Certificates > CA Certificates.
- Click Import in the toolbar, or right-click and select Import. The Import dialog box opens.
- Click Browse… and locate the certificate file on the management computer, or drag and drop the file onto the dialog box.
- Click OK to import the certificate.
Viewing CA certificate details
To view a CA certificate’s details:
- Go to System Settings > Certificates > CA Certificates.
- Select the certificates you need to see details about.
- Click View Certificate Detail in the toolbar, or right-click and select View Certificate Detail. The View CA Certificate page opens.
- Click OK to return to the CA certificates list.
Downloading CA certificates
To download a CA certificate:
- Go to System Settings > Certificates > CA Certificates.
- Select the certificate you need to download.
- Click Download in the toolbar, or right-click and select Download, and save the certificate to the management computer.
Deleting CA certificates
To delete a CA certificate or certificates:
- Go to System Settings > Certificates > CA Certificates.
- Select the certificate or certificates you need to delete.
- Click Delete in the toolbar, or right-click and select Delete.
- Click OK in the confirmation dialog box to delete the selected certificate or certificates.
Certificate revocation lists
When you apply for a signed personal or group certificate to install on remote clients, you can obtain the corresponding root certificate and Certificate Revocation List (CRL) from the issuing CA.
The CRL is a list of certificates that have been revoked and are no longer usable. This list includes expired, stolen, or otherwise compromised certificates. If your certificate is on this list, it will not be accepted. CRLs are maintained by the CA that issues the certificates and include the date and time when the next CRL will be issued, as well as a sequence number to help ensure you have the most current version of the CRL.
When you receive the signed personal or group certificate, install the signed certificate on the remote client(s) according to the browser documentation. Install the corresponding root certificate (and CRL) from the issuing CA on the FortiAnalyzer unit according to the procedures given below.
Importing a CRL
To import a CRL:
- Go to System Settings > Certificates > CRL.
- Click Import in the toolbar, or right-click and select Import. The Import dialog box opens.
- Click Browse… and locate the CRL file on the management computer, or drag and drop the file onto the dialog box.
- Click OK to import the CRL.
Viewing a CRL
To view a CRL:
- Go to System Settings > Certificates > CRL.
- Select the CRL you need to see details about.
- Click View Certificate Detail in the toolbar, or right-click and select View Certificate Detail. The Result page opens.
- Click OK to return to the CRL list.
Deleting a CRL
To delete a CRL or CRLs:
- Go to System Settings > Certificates > CRL.
- Select the CRL or CRLs you need to delete.
- Click Delete in the toolbar, or right-click and select Delete.
- Click OK in the confirmation dialog box to delete the selected CRL or CRLs.