Created on 04-23-2020 12:52 AM Edited on 06-08-2022 02:30 PM By Anonymous
Description
This article describes how to generate and use the necessary certificates with OpenSSL to enable secure LDAP (LDAPS) communication between the FortiGate and the LDAP server (Active Directory).
Scope
Software tools needed:
- OpenSSL (Windows or Linux); the Windows build is used in this article.
- Certreq (Windows).
- Basic knowledge of Windows cmd and Linux bash.
All the files generated will be kept in the OpenSSL installation directory for simplicity.
Solution
1) Create a Certificate Authority (CA).
- Generate keystore.
- Open windows 'cmd'.
- Go to the openssl.exe installation path, for this case 'C:\Program Files\OpenSSL-Win64\bin>', and generate the private key. Enter a pass phrase for the key:
openssl genrsa -des3 -out ca.key 4096
- Generate the self-signed CA certificate, replacing X with the validity period in days:
openssl req -new -x509 -days X -key ca.key -out ca.crt
When generating the CA certificate, OpenSSL will prompt for the pass phrase entered earlier and for several identifying fields of the CA.
2) Create the certificate request file.
- On the LDAP server, create a file named request.inf with the following content (adjust the Subject to the server's FQDN and domain):
;----------------- request.inf -----------------
[Version]
Signature="$Windows NT$"
[NewRequest]
Subject = "CN=dc1.domain.com,OU=IT,DC=dc1,DC=domain,DC=com,O=Domain"
;
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
;----------------- request.inf -----------------
3) Generate the certificate signing request (CSR).
- Open a cmd in the location of the request.inf file and enter:
certreq -new request.inf dc1.domain.com.csr
4) Sign the CSR with the CA.
- In the OpenSSL installation directory, where ca.key and ca.crt are kept, enter:
openssl x509 -req -days 3650 -in dc1.domain.com.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out dc1.domain.com.crt
5) Install the signed certificate on the LDAP server.
- On the LDAP server, enter:
certreq -accept dc1.domain.com.crt
The certificate is installed in the 'Certificates snap-in' under 'Personal'.
6) Import the ca.crt file into the FortiGate as a CA certificate.
Check that Certificates is enabled under System -> Feature Visibility; if it is not, select the 'Certificates' check box.
Go to System -> Certificates, select 'Import', select 'CA Certificate', then select 'File' as the type, select 'Upload', browse to 'C:\Program Files\OpenSSL-Win64\bin' and select the ca.crt file.
The certificate will be available as CA_Cert_1 under External CA Certificates.
7) Configure the LDAP server on the FortiGate.
Go to User & Device -> LDAP Servers and select 'Create New'.
Enter the following:
Name – name of the LDAP server object (a name meaningful on the FortiGate).
Server IP/Name – FQDN of the LDAP server, in our case dc1.domain.com.
Distinguished Name – in our case dc=domain,dc=com.
Bind Type: regular.
Username: username used for the bind request.
Password: password of that username.
Enable Secure Connection.
Choose LDAPS as Protocol.
Select CA_Cert_1 as Certificate.
Also, the certificate is issued in this example to dc1.domain.com, so in the LDAP configuration use dc1.domain.com in the Server IP/Name setting; the name must match the certificate.
Check that the FortiGate can resolve the FQDN; if not, configure a DNS server under Network -> DNS that can resolve it.
Copyright 2024 Fortinet, Inc. All Rights Reserved.