Hey thank you for your help. I'd like to go with microsoft cert manager option but i would be very thankfull if you could find a good guide about it and send me the link... i found some but i'm not sure if its about using the mmc console and Creating a Custom Request? after the wizard i end up with a "request file"

-----BEGIN NEW CERTIFICATE REQUEST-----

-----END NEW CERTIFICATE REQUEST-----

How can i get a new firmware for Fortigate 60E? I'm unable to generate this csr and crt, not even on 600D device. I mean, i can generate the csr via GUI, but i can't get it signed at CA because of invalid country code error. Can Fortinet team assist please?

I tried certmgr myself now because I was interested in how it works.

I did generate me a csr file that looks fine so far. However I didn't try to sign it.

Thus I found it rather complicated. There's is plenty of options etc you have to add after creating the request because the wizard don't ask you for it. 

If you are bound to an AD you might not even be able to use it because it then binds itself to the Ad und uses th epolicies from the AD and those could prevent that.

I find openssl much more easier if you cannot do it on the FGT itself :)

agreed

OP I built you a template if your doing a lot of CSR and have linux/windows/macosx and openssl. It would only requite you to gernerate the key  and call up the config file. This will generate a SAN style CSR where the altname would be your website name(s) etc....

e.g

openssl req -new -out my.csr -config csr_template   

=====================CSR TEMPLATE FOR HR ===================

# # insert your O OU STATE CITY blah blah blah  and adjust keysize as required

[ req ] prompt = no default_bits = 2048 distinguished_name = req_distinguished_name req_extensions = req_ext

[ req_distinguished_name ] C=HR ST=Croatia Zagreb L=Zagreb HR O=yourdomain OU=yourdomain dept CN=for_forum_memeber_as_an_example

[ req_ext ] subjectAltName = @alt_names

[alt_names] DNS.1 = www.example.com DNS.2 = www1.example.com DNS.3 =  example.com

===================================================================

You can do the same thing within windows but I'm a openssl guy. ;)

Once you get the csr sign and cert back, you bundle the cetr+priv-key and import into the fortigate as a pkcs file

e.g

   openssl pkcs12 -export -out mycertbundle.pfx -inkey myprivkey.key -in signed_cert_from_ca.crt 

So if the CSR generation on the fortigate gives you issue use openssl and build out your CSR.

YMMV depending on how comfortable you are with  openssl and your understanding of x509 PKI

edit add -keyout <priv-key-filename> when doing the csr template if you don't want to copy the begin-private key to end private key details to a file

e.g

/* this stuff

-----BEGIN ENCRYPTED PRIVATE KEY----- MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIQwCPEofDWS4CAggA MBQGCCqGSIb3DQMHBAjjyRokiMcUIgSCBMg2+ZNlIZvEsPaARt2W9ICPgsxhw0be E9Wqd5vsNONETibDVqX2Aeciwh1sgmlX6Yz5TdAFJf+Fbj42JDTRkQVv/wunZeFw akd0Cl3l7cU1mEb1ZbOlor/a9IkZBImWmYSEYrITlt6Xc3FsLkUQU9sPzYWnB844 E6E= -----END ENCRYPTED PRIVATE KEY-----

good luck

Ken Felix