Created on 05-01-2015 10:33 AM Edited on 11-24-2022 02:48 PM By auppal
Description
This article explains how to generate a CSR in the FortiGate CLI.
Solution
To generate a CSR from the FortiGate CLI, use the following command:
execute vpn certificate [store] generate [...]
Command Syntax:
execute vpn certificate [store] generate [encryption_method] [certificate_name] [key_size] [Host IP/Domain Name/E-Mail] [Country Name or Code] [State/Province] [City] [Organization] [Organization Unit] [Email] [SANs - optional] [URL of the CA server for signing via SCEP (optional)]
Command Options:
store: ca, crl, local, remote (a CSR is generated in the local store, as in the example below)
encryption_method: rsa or elliptic curve (the key algorithm of the key pair created with the CSR)
key_size: RSA key length in bits. Options are 1024, 1536, 2048, 4096. Use 2048 or larger: public CAs no longer sign CSRs for 1024-bit keys, and NIST has deprecated RSA-1024 since 2013.
Host IP/Domain Name/E-Mail: Common Name (CN), the name the certificate is issued for. Modern browsers ignore the CN and match only the SAN entries, so repeat the CN as a SAN.
Country: Country name or Country Code such as CA (Canada)
State/Province: State or Province Name such as BC (British Columbia)
City: City Name
Organization: Organization Name
Organization Unit: Organizational Unit, the department within the organization (public CAs have dropped the OU field from TLS certificates since 2022, so it is mostly relevant for private CAs)
Email: Email address of the IT contact
SANs: Other accepted names. Include the CN here as well if it is to be accepted, because browsers validate only the SAN entries.
SAN Syntax
Email: email:admin@companyname.com
IP Address: IP:1.1.1.1
URL: URI:http://companyname.com
DNS Name: DNS:www.companyname.com
Note - Multiple SANs should be separated by comma (,) and without a space such as DNS:www.companyname.com,DNS:www.companyname1.com,DNS:www.companyname2.com
SCEP: URL of the CA server for signing via SCEP
Example:
# execute vpn certificate local generate rsa TestCSR 2048 companyname.com CA ON Ottawa Fortinet HR admin@companyname.com DNS:companyname.com,DNS:companyname1.com
Field Values -
Certificate Name: TestCSR
Key Size: 2048
CN: companyname.com
Country: CA (Canada)
State/Province: ON (Ontario)
City: Ottawa
Organization: Fortinet
OU: HR
Email: admin@companyname.com
SANs:
DNS:companyname.com
DNS:companyname1.com
Important Notes
1. Multiple values for one field are entered separated by a comma (,) with no space after it. When a comma is typed, the FortiGate prompts for another value of the same field (for example another email address) instead of moving on to the next field.
2. Every space marks the start of the next field in the syntax. If a space is typed while entering multiple values for a single field, the FortiGate assigns the value after the space to the next field. A space after the comma in the SAN field therefore makes the FortiGate expect the SCEP URL instead of another DNS name, and entering multiple SANs with a space after the comma produces an error. This is expected: the FortiGate is parsing DNS:companyname1.com as the SCEP value instead of as a SAN.
3. Once the CSR is generated successfully, confirm the value of each field with a CSR decoder: download the CSR, open it in a text editor, and paste its contents into the decoder.
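The positional parsing described in notes 1 and 2 is easy to get wrong when the command is assembled by hand or by a script. The following Python model, added here as an example and not Fortinet code, reproduces the CLI's split-on-space behaviour for the syntax line above so the effect of a space after a comma can be seen, validates each SAN entry, and builds a correctly spaced command. It does not talk to a FortiGate; the field names and the 2048-bit minimum it enforces are choices of this example.

```python
"""Model of the positional parser behind
'execute vpn certificate <store> generate ...' on a FortiGate.

Added example for this article; it is not Fortinet code and does not talk to a
FortiGate. It reproduces the CLI's split-on-space behaviour so the effect of a
stray space in the SAN list can be seen, validates SAN syntax, and assembles a
correctly spaced command. The field order follows the article's syntax line.
"""
import re

# Positional fields that follow 'execute vpn certificate <store> generate'.
FIELDS = [
    "encryption_method", "certificate_name", "key_size", "common_name",
    "country", "state", "city", "organization", "org_unit", "email",
    "sans", "scep_url",
]

# One SAN entry: a supported prefix, then a value with no whitespace at all.
SAN_ENTRY = re.compile(r"^(DNS|IP|email|URI):\S+$")


def parse_generate_command(cmd):
    """Split the command on whitespace, exactly as the CLI does, and map each
    token to its positional field. Missing fields are None; surplus tokens are
    collected under 'extra'."""
    tokens = cmd.split()
    if (len(tokens) < 6 or tokens[:3] != ["execute", "vpn", "certificate"]
            or tokens[4] != "generate"):
        raise ValueError("expected 'execute vpn certificate <store> generate ...'")
    values = tokens[5:]
    parsed = {name: (values[i] if i < len(values) else None)
              for i, name in enumerate(FIELDS)}
    parsed["store"] = tokens[3]
    parsed["extra"] = values[len(FIELDS):]
    return parsed


def check_sans(san_field, common_name=None):
    """Return a list of problems with a comma-separated SAN field (empty = OK).
    Checks each entry's prefix, rejects embedded spaces and empty entries, and,
    when a CN is given, reports if it is not repeated as a SAN (browsers match
    SANs only)."""
    problems = []
    entries = san_field.split(",")
    for entry in entries:
        if not SAN_ENTRY.match(entry):
            problems.append(f"invalid SAN entry {entry!r}: expected DNS:, IP:, "
                            "email: or URI: followed by a value with no spaces")
    if common_name and f"DNS:{common_name}" not in entries \
            and f"IP:{common_name}" not in entries:
        problems.append(f"common name {common_name!r} is not listed as a SAN")
    return problems


def build_generate_command(name, common_name, country, state, city,
                           organization, org_unit, email, sans,
                           key_size=2048, scep_url=None, store="local"):
    """Assemble a correctly spaced RSA command. Any value containing whitespace
    is rejected, because a space would shift everything after it into the next
    field. RSA keys shorter than 2048 bits are refused as a policy choice of
    this example; the CLI itself still accepts 1024 and 1536."""
    if key_size < 2048:
        raise ValueError(f"RSA key size {key_size} is below the 2048-bit minimum")
    san_field = ",".join(sans)
    problems = check_sans(san_field, common_name)
    if problems:
        raise ValueError("; ".join(problems))
    fields = ["rsa", name, str(key_size), common_name, country, state, city,
              organization, org_unit, email, san_field]
    if scep_url:
        fields.append(scep_url)
    for value in fields:
        if not value or any(ch.isspace() for ch in value):
            raise ValueError(f"field value {value!r} is empty or contains whitespace")
    return " ".join(["execute", "vpn", "certificate", store, "generate"] + fields)


if __name__ == "__main__":
    # The article's example, and the same command with a space after the comma.
    good = ("execute vpn certificate local generate rsa TestCSR 2048 companyname.com "
            "CA ON Ottawa Fortinet HR admin@companyname.com "
            "DNS:companyname.com,DNS:companyname1.com")
    bad = good.replace(",DNS:", ", DNS:")
    for label, cmd in (("correct", good), ("space after comma", bad)):
        p = parse_generate_command(cmd)
        print(f"{label}: sans={p['sans']!r} scep_url={p['scep_url']!r}")
        for problem in check_sans(p["sans"], p["common_name"]):
            print("  ", problem)
```

Running the block shows the second command ending up with sans='DNS:companyname.com,' and scep_url='DNS:companyname1.com', which is exactly the misassignment note 2 warns about. For the check in note 3, the CSR downloaded from the FortiGate can also be decoded offline with openssl (openssl req -in <file>.csr -noout -text) instead of pasting it into a web decoder, which avoids sending the request to a third party.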
Copyright 2024 Fortinet, Inc. All Rights Reserved.