
Install and Configure Self Signed Certificate

The document provides instructions for installing and configuring a self-signed certificate for SSL inspection on a FortiGate firewall. It describes how to: 1. Generate an RSA key and self-signed certificate using OpenSSL. 2. Enable certificate configuration in the FortiGate GUI. 3. Import the self-signed certificate into the FortiGate.

Uploaded by

Pravin

Install and configure Self Signed Certificate.

1. Creating a certificate with OpenSSL

If necessary, download and install OpenSSL. Make sure that the file openssl.cnf is located in
the BIN folder for OpenSSL.
Using Command Prompt (CMD), navigate to the BIN folder (in the example, the command is cd
c:\OpenSSL\openssl-0.9.8h-1-1bin\bin).
Generate an RSA key with the following command:
openssl genrsa -aes256 -out fgcaprivkey.pem 2048 -config openssl.cnf
This produces a 2048-bit RSA key that is encrypted with AES-256.
When prompted, enter a pass phrase for encrypting the private key.
Use the following command to launch OpenSSL, submit a new certificate request, and sign the
request:
openssl req -new -x509 -days 3650 -extensions v3_ca -key fgcaprivkey.pem -out fgcacert.pem -config openssl.cnf
The result is a standard X.509 binary certificate that is valid for 3,650 days (approx. 10 years).
When prompted, re-enter the pass phrase for encryption, then enter the details required for the
certificate request, such as location and organization name.
Two new files have been created: a public certificate (fgcacert.pem) and a private key (in the
example, fgcaprivkey.pem).
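
Before importing the two files from step 1, it is worth confirming that the certificate really is a CA certificate, that the key belongs to it, and that the key is encrypted on disk. The script below is an added example, not part of the original document; it assumes a POSIX shell with openssl on the PATH, and the names check_ca_pair, make_sample, CA_PASS and v3_leaf are introduced here for illustration.

```shell
#!/bin/sh
# Added example: pre-import checks for the files produced in step 1.
# The pass phrase is read from the CA_PASS environment variable (an assumption
# of this example) so that it does not appear in the process list.

check_ca_pair() {   # usage: check_ca_pair CERT KEY ; returns 0 if all checks pass
    cert=$1; key=$2; rc=0
    # 1. Deep inspection re-signs server certificates, so this must be a CA cert.
    openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE' \
        || { echo "FAIL: basicConstraints is not CA:TRUE"; rc=1; }
    # 2. The key must belong to the certificate: compare the two public keys.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    key_pub=$(openssl rsa -in "$key" -passin env:CA_PASS -pubout 2>/dev/null | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] || { echo "FAIL: key does not match certificate"; rc=1; }
    # 3. The private key file should be pass-phrase protected on disk.
    grep -q 'ENCRYPTED' "$key" || { echo "FAIL: private key is stored unencrypted"; rc=1; }
    # 4. The certificate must still be inside its validity period.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null \
        || { echo "FAIL: certificate has expired"; rc=1; }
    return $rc
}

# Constructed sample input: builds a throwaway key and certificate in directory $1
# with the same two commands as step 1, made non-interactive. $2 selects the
# extensions section: v3_ca for a CA, v3_leaf for a deliberately wrong certificate.
make_sample() {
    dir=$1; ext=$2
    cat > "$dir/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
EOF
    openssl genrsa -aes256 -passout env:CA_PASS -out "$dir/fgcaprivkey.pem" 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -extensions "$ext" -subj "/CN=Constructed Test CA" \
        -key "$dir/fgcaprivkey.pem" -passin env:CA_PASS \
        -out "$dir/fgcacert.pem" -config "$dir/openssl.cnf" 2>/dev/null
}
```

To check real files, export CA_PASS with the pass phrase from step 1 and run check_ca_pair fgcacert.pem fgcaprivkey.pem; a non-zero exit status means at least one check failed.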

2. Enabling certificate configuration in the GUI

Go to System > Feature Select. Under Additional Features, enable Certificates and Apply the
changes.

3. Importing the self-signed certificate

Go to System > Certificates and select Import > Local Certificate.


Set Type to Certificate, then select your Certificate file and Key file. Enter the Password used
to create the certificate.
The certificate now appears on the Local CA Certificates list.

4. Edit the SSL inspection profile

To use your certificate in an SSL inspection profile, go to Security Profiles > SSL/SSH
Inspection. Use the dropdown menu in the top right corner to select deep-inspection, the
profile used to apply full SSL inspection.

Set CA Certificate to use the new certificate.


Select Download Certificate to download the certificate file needed in the next step.

5. Importing the certificate into the web browser

Internet Explorer, Chrome, and Safari (on Windows or Mac OS):

The above browsers use the operating system’s certificate store for Internet browsing. If your
users will be using these applications, you must install the certificate into the certificate store
for your OS.
If you are using Windows 7/8/10, double-click on the certificate file and select Open.
Select Install Certificate to launch the Certificate Import Wizard.
Use the wizard to install the certificate into the Trusted Root Certificate Authorities store. If a
security warning appears, select Yes to install the certificate.
If you are using Mac OS X, double-click on the certificate file to launch Keychain Access.
Locate the certificate in the Certificates list and select it. Expand Trust and select Always
Trust. If necessary, enter the administrative password for your computer to make this change.
If you have the right environment, the certificate can be pushed to your users’ devices. However,
if Firefox is used, the certificate must be installed on each individual device, using the
instructions below.

Firefox (on Windows or Mac OS)

Firefox has its own certificate store. To avoid errors in Firefox, the certificate must be
installed in this store, rather than in the OS.
Go to Tools > Options > Advanced or Firefox > Preferences > Advanced and find
the Certificates tab.
Select View Certificates, then select the Authorities list. Import the certificate and set it to be
trusted for website identification.
