FortiGate
pciurea
Staff
Article Id 190436

Description
This article describes how to generate and use the necessary certificates with OpenSSL to enable secure LDAP (LDAPS) communication between the FortiGate and an LDAP server (Active Directory domain controller).


Scope
Software tools needed:

- OpenSSL (Windows or Linux); this article uses the Windows build.

- Certreq (included with Windows).

- Basic knowledge of Windows cmd and Linux bash.

All the files generated will be kept in the OpenSSL installation directory for simplicity.


Solution
1) Create a Certificate Authority (CA).

- Generate the keystore.

- Open Windows 'cmd'.

- Go to the openssl.exe installation path.

- In this case 'C:\Program Files\OpenSSL-Win64\bin>'. Generate the private key and enter a pass phrase for the key when prompted:

openssl genrsa -des3 -out ca.key 4096

- Generate the CA certificate, valid for X days, using the private key:
openssl req -new -x509 -days X -key ca.key -out ca.crt
When generating the CA certificate, OpenSSL will prompt for the pass phrase entered earlier and for several subject fields.
'Common Name' is the domain name (domain.com):

Country Name (2 letter code) [AU]: DE
State or Province Name (full name) [Some-State]: Some-State
Locality Name (eg, city) []: Some city
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Test
Organizational Unit Name (eg, section) []: IT
Common Name (e.g. server FQDN or a name) []: domain.com
Email Address []: email@domain.com

2) Install the Certificate Authority (CA) certificate ca.crt on the Windows domain controller.

- Go to Start -> Run... and type 'mmc'. This will open the 'Add/Remove Snap-in' dialog.
 
- Select 'Add...' to open the 'Add Standalone Snap-in' dialog.
 
- In the 'Add Standalone Snap-in' dialog, select 'Certificates' and select 'Next'.
 
- Select 'Computer account' and select 'Next'.
 
- Select 'Local computer' and select 'Finish'.
 
- Select 'Close' to close the 'Add Standalone Snap-in' dialog.
 
- Select 'OK' to close the 'Add/Remove Snap-in' dialog.
 
Once the 'Certificates' snap-in is open, expand the 'Certificates' node under 'Trusted Root Certification Authorities'.
Select the 'Certificates' node, select 'All Tasks' -> 'Import...', and import the Certificate Authority certificate ('ca.crt') created in step 1).

3) Create a Certificate Signing Request (CSR) using certreq.

On the Windows domain controller, create a file request.inf in the same directory as OpenSSL with the following content. Pay attention to the 'Subject' line, which must carry the domain controller's FQDN as CN:
;----------------- request.inf -----------------

[Version]

Signature="$Windows NT$"

[NewRequest]

Subject = "CN=dc1.domain.com,OU=IT,DC=dc1,DC=domain,DC=com,O=Domain"
;
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]

OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication

;----------------- request.inf -----------------
Open a cmd in the location of the request.inf file and enter:
certreq -new request.inf dc1.domain.com.csr

4) Sign the certificate with the CA. OpenSSL will prompt for the pass phrase entered for ca.key in step 1).

Using OpenSSL:
openssl x509 -req -days 3650 -in dc1.domain.com.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out dc1.domain.com.crt

5) Accept the certificate on the domain controller.
certreq -accept dc1.domain.com.crt
The certificate is installed in the 'Certificates' snap-in under 'Personal'.
If it is not there, import the certificate manually.

6) On the FortiGate, import the ca.crt file as a CA certificate.

Check whether Certificates are enabled under System -> Feature Visibility and select the 'Certificates' check box if it is not.

Go to System -> Certificates, select 'Import', select 'CA Certificate', then select type 'File', select 'Upload', browse to 'C:\Program Files\OpenSSL-Win64\bin' and select the ca.crt file.
The certificate will be available as CA_Cert_1 under External CA Certificates.

Go to User & Device -> LDAP Servers and select 'Create New'.
Enter the following:

Name: name of the LDAP server (a FortiGate-relevant name).
Server IP/Name: FQDN of the LDAP server, in this case dc1.domain.com.
Distinguished Name: in this case dc=domain,dc=com.
Bind Type: Regular.
Username: username used for the bind request.
Password: password for that username.
Enable Secure Connection.
Choose LDAPS as Protocol.
Select CA_Cert_1 as Certificate.

Also, the certificate in this example is issued to dc1.domain.com, so in the LDAP configuration use dc1.domain.com in the Server IP/Name setting; an IP address or a different name would not match the certificate.
Check that the FortiGate can resolve the FQDN; if not, configure a DNS server under Network -> DNS that can resolve it.
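The OpenSSL part of the procedure above, as an added example that is not from the article: it runs steps 1, 3 and 4 in a scratch directory and then performs the two checks that decide whether the FortiGate will accept the LDAPS connection (the server certificate chains to the imported CA, and its name matches Server IP/Name). It assumes openssl is on the PATH, creates the domain controller's key and CSR with openssl in place of certreq, adds a subjectAltName beyond what the article does, and uses a placeholder pass phrase.

```shell
#!/bin/sh
# Added example (not from the article): steps 1, 3 and 4 done with OpenSSL
# alone, followed by the checks a FortiGate applies when connecting over LDAPS.
# The DC key/CSR are made with openssl here, standing in for certreq (Windows
# only). Pass phrase, names and paths are constructed placeholders.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CA_PASS="replace-this-ca-pass-phrase"   # placeholder for the step 1 pass phrase
DC_FQDN="dc1.domain.com"                # FQDN later used in Server IP/Name

# Step 1: encrypted CA key and self-signed CA certificate (article's subject).
openssl genrsa -des3 -passout "pass:$CA_PASS" -out "$WORK/ca.key" 4096 2>/dev/null
openssl req -new -x509 -days 3650 -key "$WORK/ca.key" -passin "pass:$CA_PASS" \
  -subj "/C=DE/ST=Some-State/L=Some city/O=Test/OU=IT/CN=domain.com" \
  -out "$WORK/ca.crt"

# Step 3 equivalent: server key plus PKCS#10 CSR using the request.inf Subject.
openssl genrsa -out "$WORK/dc.key" 2048 2>/dev/null
openssl req -new -key "$WORK/dc.key" \
  -subj "/CN=$DC_FQDN/OU=IT/DC=dc1/DC=domain/DC=com/O=Domain" \
  -out "$WORK/dc.csr"

# Step 4: sign with the CA. The extension file carries the Server Authentication
# EKU (OID 1.3.6.1.5.5.7.3.1, as in request.inf) and a SAN, because many TLS
# clients match the hostname against the SAN rather than the CN.
printf 'extendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$DC_FQDN" > "$WORK/ext.cnf"
openssl x509 -req -days 3650 -in "$WORK/dc.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -passin "pass:$CA_PASS" -set_serial 01 -extfile "$WORK/ext.cnf" -out "$WORK/dc.crt" 2>/dev/null

# Check 1: the server certificate chains to the CA imported on the FortiGate as CA_Cert_1.
verify_chain() {        # usage: verify_chain ca.crt server.crt ; exit 0 when the chain is valid
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
# Check 2: the certificate name matches the FQDN configured under Server IP/Name.
cert_matches_fqdn() {   # usage: cert_matches_fqdn server.crt fqdn ; exit 0 on a match
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q " does match "
}

verify_chain "$WORK/ca.crt" "$WORK/dc.crt" && echo "chain to ca.crt OK"
cert_matches_fqdn "$WORK/dc.crt" "$DC_FQDN" && echo "name matches $DC_FQDN"
```

Running the same two checks against the real dc1.domain.com.crt and ca.crt from the article tells you, before touching the FortiGate, whether the LDAPS configuration can succeed.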