FortiAuthenticator
rarora
Staff
Article Id 195720

Description
This article describes how to use an externally signed certificate for FortiAuthenticator Web UI login.

Related link:
https://docs.fortinet.com/document/fortiauthenticator/6.0.0/administration-guide/680847/how-this-gui...

Solution
This solution describes how to replace the certificate that the FortiAuthenticator Web UI presents over HTTPS with one signed by an external CA. The root CA, the intermediate CA and the signed server certificate are imported in turn, and the server certificate is then bound to the Web UI together with the CA that issued it.

1) Import the root CA.

Go to Certificate Management -> Certificate Authorities -> Trusted CAs and select 'Import'.

2) On the import page, enter any name for 'Certificate ID' and select 'Choose File' to upload the root CA's .cer file.

3) Repeat the same steps to import the intermediate CA.

4) Import the signed server certificate. Go to Certificate Management -> End Entities -> Local Services and select 'Import'.
 
Note:
FortiAuthenticator accepts the server certificate either as a PKCS12 bundle (.p12 or .pfx, containing the certificate and its private key) or as a .cer certificate file together with a separate key file.
 
5) Go to System -> Administration -> System Access -> HTTPS certificate.

Select the domain certificate imported in step 4, the one signed by the external CA. This is the certificate the FortiAuthenticator Web UI presents to the browser.

Under 'Certificate Authority type', select the 'Trusted CA' option.

In 'CA certificate that issued the server certificate', select the imported intermediate CA certificate (not the root CA) from the drop-down list. The browser needs the intermediate certificate to build the chain from the server certificate up to the root CA it already trusts; the root itself is expected to be in the browser's trust store, which is why the intermediate rather than the root is selected here.
 
Log out of the Web UI and log back in to test the change. The browser should now show the externally signed certificate without a trust warning.
 
6) Troubleshooting:

Importing a certificate in PFX or P12 format may fail with the following error message:

Unsupported cipher algorithm. This can happen if the PKCS12 file uses unsupported weak ciphers, e.g. RC2. Use the OpenSSL command 'openssl pkcs12 -info -in <file>' to view the file's ciphers on a computer.

Run exactly that command to see which algorithms the file uses. The -legacy option is needed on OpenSSL 3.x to read RC2/3DES-encrypted files; OpenSSL 1.1.x does not have the option and does not need it:

openssl pkcs12 -info -in fortilab.pfx -legacy

There are two ways forward. Either locate the certificate and the private key as separate files, which usually come as a .key file and a .cer/.crt/.pem file, or, if only the PFX is available, split it with OpenSSL:

openssl pkcs12 -in fortilab.pfx -out fortilab.pem -nokeys -legacy -clcerts
openssl pkcs12 -in fortilab.pfx -out fortilab.key -nocerts -nodes -legacy

Each command asks for the PFX passphrase, if one is set, and produces no output other than the resulting files: fortilab.pem holds the server certificate only (-clcerts) and fortilab.key holds the private key unencrypted (-nodes), so keep that file protected and delete it once the upload has succeeded. Uploading these two files should work. If they are also rejected, the problem lies in the key material itself rather than in the encryption of the PKCS12 container.
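The following shell script is an added example and not part of the Fortinet article. It carries out the procedure above with the openssl CLI alone: it exports a PKCS12 with AES-256-CBC and a SHA-256 MAC (avoiding the RC2/3DES ciphers that OpenSSL 1.1.x and Windows exports default to, and that the error message in step 6 refers to), detects a legacy-encrypted .pfx before it is uploaded, performs the split from step 6 with an automatic -legacy fallback, and checks that the key matches the certificate and that the chain verifies from the server certificate through the intermediate to the root, which is the chain steps 1 to 5 assemble on the appliance. The demo root/intermediate/server PKI, the name fac.example.com, the file name fortilab.pfx and the password "demo" are constructed for the example; the functions work the same way against a real export.

```shell
#!/bin/sh
# Added example, not part of the Fortinet article: prepare and sanity-check the
# material for the FortiAuthenticator HTTPS certificate import with the openssl
# CLI alone. The demo CA names, fac.example.com, the file name fortilab.pfx and
# the password "demo" are constructed for this example.
set -eu

# Print the PBE and MAC algorithms of a PKCS#12 file. openssl writes -info to
# stderr, and the algorithm lines appear even when decryption fails afterwards.
pfx_algs() {  # pfx password
    openssl pkcs12 -info -in "$1" -passin "pass:$2" -noout 2>&1 >/dev/null |
        grep -E 'Encrypted data|Keybag|^MAC' || true
}

# Exit 0 when the file uses RC2/RC4/3DES, the ciphers behind "Unsupported cipher algorithm".
pfx_is_weak() {  # pfx password
    pfx_algs "$1" "$2" | grep -Eq 'RC2|RC4|DES'
}

# Export a PKCS#12 with AES-256-CBC and a SHA-256 MAC. OpenSSL 1.1.x and Windows
# exports default to RC2-40/3DES here; OpenSSL 3.x already defaults to AES.
export_pfx() {  # cert key chain out password
    openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" -out "$4" -passout "pass:$5" \
        -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg sha256
}

# Build a PKCS#12 the way old Windows/IIS exports did (RC2-40, 3DES, SHA-1 MAC).
# Returns 1 when the local OpenSSL has no legacy provider and cannot produce one.
make_legacy_pfx() {  # cert key out password
    for l in -legacy ""; do   # OpenSSL 3 needs -legacy; OpenSSL 1.1.x rejects the option
        openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout "pass:$4" \
            -certpbe PBE-SHA1-RC2-40 -keypbe PBE-SHA1-3DES -macalg sha1 $l 2>/dev/null && return 0
    done
    return 1
}

# Split a PKCS#12 into outbase.pem (leaf certificate, no "Bag Attributes" text) and
# outbase.key (unencrypted key), retrying with -legacy when the default provider fails.
split_pfx() {  # pfx password outbase
    legacy=""
    if ! openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts -out "$3.bags" 2>/dev/null; then
        legacy="-legacy"
        openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts -out "$3.bags" $legacy 2>/dev/null || return 1
    fi
    openssl x509 -in "$3.bags" -out "$3.pem" && rm -f "$3.bags" || return 1
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes $legacy 2>/dev/null |
        openssl pkey -out "$3.key" || return 1
    chmod 600 "$3.key"   # the key is now in the clear: upload it, then delete it
}

# Compare SHA-256 digests of the DER public key in the certificate and in the key file.
key_matches_cert() {  # cert key
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
    k=$(openssl pkey -in "$2" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
    [ "$c" != "$(printf '' | openssl dgst -sha256)" ] && [ "$c" = "$k" ]   # unreadable input must not "match"
}

# The chain the appliance must present: leaf <- intermediate <- trusted root.
verify_chain() {  # leaf intermediate root
    openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null
}

# Constructed three-tier demo PKI standing in for the external CA.
make_demo_chain() {  # dir
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$1/ca.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' >"$1/srv.ext"
    printf 'extendedKeyUsage=serverAuth\nsubjectAltName=DNS:fac.example.com\n' >>"$1/srv.ext"
    for n in root inter server; do
        openssl req -new -newkey rsa:2048 -nodes -keyout "$1/$n.key" -out "$1/$n.csr" -subj "/CN=demo $n" 2>/dev/null
    done
    openssl x509 -req -in "$1/root.csr" -signkey "$1/root.key" -extfile "$1/ca.ext" -days 3650 -out "$1/root.pem" 2>/dev/null
    openssl x509 -req -in "$1/inter.csr" -CA "$1/root.pem" -CAkey "$1/root.key" -CAcreateserial \
        -extfile "$1/ca.ext" -days 1825 -out "$1/inter.pem" 2>/dev/null
    openssl x509 -req -in "$1/server.csr" -CA "$1/inter.pem" -CAkey "$1/inter.key" -CAcreateserial \
        -extfile "$1/srv.ext" -days 397 -out "$1/server.pem" 2>/dev/null
}

main() {
    w=$(mktemp -d)
    make_demo_chain "$w"
    cat "$w/inter.pem" "$w/root.pem" >"$w/chain.pem"
    export_pfx "$w/server.pem" "$w/server.key" "$w/chain.pem" "$w/fortilab.pfx" demo
    pfx_algs "$w/fortilab.pfx" demo
    if pfx_is_weak "$w/fortilab.pfx" demo; then echo "legacy ciphers: FortiAuthenticator will reject this file"
    else echo "AES/PBES2: OK to upload"; fi
    if make_legacy_pfx "$w/server.pem" "$w/server.key" "$w/old.pfx" demo; then
        echo "old-style export:"; pfx_algs "$w/old.pfx" demo
        split_pfx "$w/old.pfx" demo "$w/fortilab"    # the article's split, with the -legacy fallback
    else
        split_pfx "$w/fortilab.pfx" demo "$w/fortilab"
    fi
    if key_matches_cert "$w/fortilab.pem" "$w/fortilab.key"; then echo "key matches certificate"; else echo "KEY MISMATCH"; fi
    if verify_chain "$w/fortilab.pem" "$w/inter.pem" "$w/root.pem"; then echo "chain verifies"; else echo "CHAIN BROKEN"; fi
    rm -rf "$w"
}
main
```

Against a real export, run pfx_is_weak on the .pfx before uploading it; if it reports legacy ciphers, either re-export the same certificate and key with export_pfx or split the file with split_pfx and upload the resulting .pem and .key pair as step 6 describes. verify_chain with the imported root and intermediate confirms that the intermediate selected in step 5 really is the issuer of the server certificate, and key_matches_cert catches the common mistake of pairing a certificate with the key of an earlier CSR. The extracted key is unencrypted, so delete it as soon as the import succeeds.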
 