Problem with SSL certificate package from a CA

Author: jm75 (New Member), 2018/11/05 14:19:59

Hello,
 
I'm using Forti OS 5.6.3 on a Fortigate 200D.
 
I've bought a domain SSL certificate. I've followed the (old) procedure https://docs.fortinet.com/d/fortigate-how-to-purchase-and-import-a-signed-ssl-certificate ("Purchase and Import a signed SSL Certificate").
From the Web UI, I've generated the CSR (RSA 4096 bits with a password for the private key) and submitted it to the certificate seller. This one gave me the information to get two .crt files, one for my domain, the second for the Intermediate Certificate. I've imported the two .crt in the Web UI (System/Certificates), and I've found them in "Certificates" and "External CA Certificates". The domain certificate's status was OK.
But my new domain certificate was not in the list "Server Certificate" in "VPN/SSL-VPN Settings".
 
What is bad in my procedure?
Should I import the Root CA Certificate too on the Fortigate?
 
Thanks for your help.
 
JM
#1

    zhunissov4 (Gold Member), 2018/11/05 20:32:41
    Hello, 
     
    There is no need to import CA certificate. 
     
    I am using self signed certificate (signed on Windows Server CA) and it is in Certificate section and appears in SSL-VPN settings. 
    #2
    emnoc (Expert Member), 2018/11/05 22:43:00
    Did you do this from the Web GUI? You might need to copy/paste the cert via the CLI:
     
    config vpn certificate local  { iirc }
     
    Once the crt file is matched to the certificate, you can select it for the vpn-services.
     
    Ken

    PCNSE, NSE, Forcepoint, StrongSwan Specialist
    #3
    jm75 (New Member), 2018/11/06 02:18:27
    Hello,

    Thanks.
     
    I've used the CLI to import the domain certificate (and the Web UI for the Intermediate CA Certificate).
    The certificate status has changed from Pending to OK.
     
    I've tried to use these commands:
    config vpn ssl settings
    unset servercert
    set servercert + Tab key
    Only the current certificate is shown (Fortinet_Factory, and not the other ones).
    And if I use "set servercert Fortinet_SSL_Portail" ("Fortinet_SSL_Portail" is our domain certificate), the command fails (return code -3).
     
    Is there something special with FortiOS 5.6.3?
     
    JM
    #4
    sw2090 (Gold Member, Regensburg), 2018/11/07 05:50:41
    I'd assume you have the wrong certificate type.
    For SSL VPN you will need a certificate capable of signing.
    For SSL Inspection you will need a sub ca certificate even.
    #5
    jm75 (New Member), 2018/11/07 07:44:29
    Thanks sw2090.
    In the details of the new certificate I see:
    X509v3 Key Usage: Digital Signature, Key Encipherment
    X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication
    I suppose it's good for SSL VPN?
     
    Jm
    #6
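    As an added example (not code from this thread, from Fortinet, or from any poster), the POSIX shell script below runs the pre-import checks the last two posts circle around: that the issued certificate carries the digitalSignature key usage and the serverAuth EKU, that it matches the private key behind the CSR, and that it chains through the supplied intermediate to the root. It assumes `openssl` 1.1.1 or newer on PATH; the whole root/intermediate/leaf chain is constructed by `make_demo_chain`, and the CN vpn.example.com and the /tmp/fgt-demo path are placeholder values.

```shell
#!/bin/sh
# Added example (not from this thread): pre-flight checks on a CA-issued server
# certificate before importing it as a FortiGate Local Certificate for SSL-VPN.
# Assumes `openssl` 1.1.1+ on PATH. All key and certificate material is
# CONSTRUCTED by make_demo_chain; the CN vpn.example.com and the paths are demo values.
set -eu

# check_server_cert CERT KEY INTERMEDIATE ROOT: returns 0 only when every check passes.
check_server_cert() {
    cert=$1 key=$2 inter=$3 root=$4 rc=0
    txt=$(openssl x509 -in "$cert" -noout -text)
    # 1. Key Usage / Extended Key Usage that a TLS server (the SSL-VPN portal) needs.
    echo "$txt" | grep -q 'Digital Signature' || { echo "FAIL: keyUsage lacks digitalSignature"; rc=1; }
    echo "$txt" | grep -q 'TLS Web Server Authentication' || { echo "FAIL: EKU lacks serverAuth"; rc=1; }
    # 2. The private key that produced the CSR must match the issued certificate.
    [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] \
        || { echo "FAIL: private key does not match certificate"; rc=1; }
    # 3. The leaf must chain through the supplied intermediate up to the root CA.
    openssl verify -CAfile "$root" -untrusted "$inter" "$cert" >/dev/null 2>&1 \
        || { echo "FAIL: leaf -> intermediate -> root chain does not verify"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $cert passes all checks"
    return "$rc"
}

# make_demo_chain DIR: builds a constructed root -> intermediate -> leaf chain for the demo.
make_demo_chain() {
    d=$1; mkdir -p "$d"
    for n in root inter leaf; do
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/$n.key" 2>/dev/null
    done
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$d/ca.ext"
    # Same usages the thread's issued certificate showed (post #6).
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' >"$d/leaf.ext"
    printf 'extendedKeyUsage=serverAuth,clientAuth\n' >>"$d/leaf.ext"
    openssl req -new -key "$d/root.key" -subj "/CN=Demo Root CA" -out "$d/root.csr" 2>/dev/null
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 -extfile "$d/ca.ext" \
        -out "$d/root.pem" 2>/dev/null
    openssl req -new -key "$d/inter.key" -subj "/CN=Demo Intermediate CA" -out "$d/inter.csr" 2>/dev/null
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
        -days 2 -extfile "$d/ca.ext" -out "$d/inter.pem" 2>/dev/null
    openssl req -new -key "$d/leaf.key" -subj "/CN=vpn.example.com" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" -CAcreateserial \
        -days 2 -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null
}

if [ "${1:-}" = "demo" ]; then
    make_demo_chain /tmp/fgt-demo
    check_server_cert /tmp/fgt-demo/leaf.pem /tmp/fgt-demo/leaf.key /tmp/fgt-demo/inter.pem /tmp/fgt-demo/root.pem
fi
```

    Run it with `sh check.sh demo` to see the constructed chain pass; pointing `check_server_cert` at an intermediate CA certificate instead of the leaf fails the key-usage check, which is the "wrong certificate type" situation sw2090 describes.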
    sw2090 (Gold Member, Regensburg), 2018/11/08 03:02:01
    "
    While the default self-signed certificates can be used for HTTPS connections, it is preferable to use the X.509 server certificate to avoid the redirection as it can be misinterpreted as possible session hijacking. However, the server certificate method is more complex than self-signed security certificates. Also the warning message is typically displayed for the initial connection, and future connections will not generate these messages.
    X.509 certificates can be used to authenticate IPsec VPN peers or clients, or SSL VPN clients. When configured to authenticate a VPN peer or client, the FortiGate unit prompts the VPN peer or client to authenticate itself using the X.509 certificate. The certificate supplied by the VPN peer or client must be verifiable using the root CA certificate installed on the FortiGate unit in order for a VPN tunnel to be established."
     
    That is what the online help of one of my FGTs says about this.
    After signing your CSR, as what did you import it? Local Cert? CA? ...
    Maybe you imported it as the wrong kind (struck me once too ;) ).
    #7
    jm75 (New Member), 2018/11/08 05:24:43
    Hi,
    I've imported the intermediate as a CA certificate (shown under "External CA Certificates" on the Web UI) and the domain certificate as a "Local Certificate" (shown under the "Certificates" section on the Web UI).
    I've followed, I think (??), the steps given in the "Purchase and Import a Signed SSL Certificate" Fortinet document.
    I have a case opened and Fortinet asked me to use a 2048-bit key size and not 4096 bits. With a new certificate reissued by my CA, the problem is the same.
    For the moment, I don't know if there is something wrong (that's the first time I'm using these features) in my operations, or in the certificate type I've bought.
     
    Jm
    #8
    jm75 (New Member), 2018/11/08 14:24:00
    Hello,
     
    A clue: I've seen that the currently selected certificate "Fortinet_Factory" is the only one with no password shown by the CLI command "show vpn certificate local". The other ones, with a password, are not proposed in the interface (Web UI or CLI).
    ???
     
    Jm
    #9
    jm75 (New Member), 2018/11/08 18:26:47
    It seems the Fortigate doesn't accept certificate names that are too long. Mine was 21 characters long. Or maybe it is a naming problem. Some of the names of the embedded certificates are long too, and cannot be selected.
    My certificate with a shorter name can now be selected, for the web management console and for the VPN setting.
     
    Thanks to those who have spent time talking to me about this problem.
     
    Jm
    post edited by jm75 - 2018/11/09 01:37:06
    #10