FortiNAC
SSL Certificates How To
Version: 8.3, 8.5, 8.6, 8.7, 8.8
Date: February 19, 2021
Rev: K
2
FORTINET DOCUMENT LIBRARY
http://docs.fortinet.com
FORTINET VIDEO GUIDE
http://video.fortinet.com
FORTINET KNOWLEDGE BASE
http://kb.fortinet.com
FORTINET BLOG
http://blog.fortinet.com
CUSTOMER SERVICE & SUPPORT
http://support.fortinet.com
FORTINET COOKBOOK
http://cookbook.fortinet.com
NSE INSTITUTE
http://training.fortinet.com
FORTIGUARD CENTER
http://fortiguard.com
FORTICAST
http://forticast.fortinet.com
END USER LICENSE AGREEMENT
http://www.fortinet.com/doc/legal/EULA.pdf
3
Contents
Overview ................................................................................................................................................ 5
Procedure Overview ........................................................................................................................... 5
Certificate Options ............................................................................................................................. 6
Certificate Authority (CA) Options ................................................................................................... 6
Create Certificate for Use with Multiple PODs ................................................................................ 8
Administration UI Instructions .......................................................................................................... 12
UI Method: Obtaining a Valid SSL Certificate from CA ............................................................... 12
UI Method: Upload the Certificate Received from the CA ............................................................. 15
Copying a Certificate to Another Target ......................................................................................... 16
UI Method: Activating Certificates ................................................................................................. 16
CLI Instructions .................................................................................................................................. 17
CLI Method: (FNC-M and FNC-CA models) ................................................................................... 18
Obtaining a Valid SSL Certificate from a Certificate Authority (CA) ........................................ 18
Import and Activate Certificates ................................................................................................. 20
CLI Method: (Control Server/Application Server Pair) .................................................................. 22
Obtaining a Valid SSL Certificate from a Certificate Authority (CA) ........................................ 22
Import and Activate Certificates ................................................................................................. 24
Securing Administration UI ........................................................................................................ 25
Securing Agent and Captive Portal ............................................................................................. 25
Validate ............................................................................................................................................... 27
Create Certificate Expiration Warning Alarms ................................................................................. 27
Renew a Certificate ............................................................................................................................. 28
Administration UI Method .............................................................................................................. 28
CLI Method ...................................................................................................................................... 28
Troubleshooting ................................................................................................................................... 29
Common Causes for Certificate Upload Errors .............................................................................. 29
Appendix .............................................................................................................................................. 30
Create SSL Certificate Bundle ........................................................................................................ 30
Keystore for SSL/TLS Communications ......................................................................................... 31
SSL File Conversion Tools ............................................................................................................... 32
UI Method: Issuing a Self-Signed Certificate ................................................................................ 33
4
Import Self-Signed Certificates ....................................................................................................... 33
Generate New Self-Signed Certificate ............................................................................................ 35
5
Overview
SSL certificates are required in order to secure FortiNAC communications:
Administration UI
Captive Portal
FortiNAC agents
LDAP servers
Local RADIUS Server (FortiNAC version 8.8 and above)
o Local RADIUS Server (EAP)
o RADIUS Endpoint Trust (EAP-TLS)
FortiClient EMS integrations (FortiNAC version 8.5 and above)
Nozomi systems integrations (FortiNAC version 8.6 and above)
This document provides the steps necessary to generate and install SSL certificates in
FortiNAC.
Procedure Overview
Note: In High Availability configurations, steps 1-4 are performed on the Primary Server.
1. Obtain a Valid SSL Certificate from a Certificate Authority (CA)
A Certificate Signing Request (CSR) is issued and submitted to the Certificate
Authority (examples are GoDaddy, DigiCert and GlobalSign). Depending upon the
type of certificate, the CSR may be generated in FortiNAC, or from another source.
The CA then issues the certificates based on the CSR.
Note: FortiNAC does not have the ability to issue certificates.
2. Upload the Certificate Received from the CA
Once the certificates are received from the CA, these files must be installed on
FortiNAC for the appropriate target (Administration UI, Captive Portal, Persistent
Agent).
3. Activate Certificates
Depending upon the target, additional steps are necessary in order for the certificate
usage to take effect.
4. Create Certificate Expiration Warning Alarms
To avoid potential agent communication and web access issues with FortiNAC, create
alarms to notify when FortiNAC's SSL Certificate is approaching its expiration date.
5. L2 and L3 High Availability Configurations: After performing the above steps on
the Primary Server, apply certificates to the Secondary Server. There are two
application method options: UI (requires failover) and CLI (does not require failover).
6
Administration UI Method (Requires HA Failover)
Note: FortiNAC management processes are stopped twice using this method and may
require a maintenance window.
1. Secure the Primary Appliance using.
2. Force Failover.
3. Secure Secondary Appliances.
4. Restore Control to Primary Appliances.
For instructions to force failover and restore, refer to the High Availability reference
manual.
CLI Method (Does Not Require HA Failover)
Secure Secondary Appliances via CLI. Proceed to CLI Instructions or contact Support for
assistance.
Certificate Options
Subject Alternative Name (SAN) Certificates
A SAN certificate can be used to secure multiple host names and/or IP addresses. For
example, in a Layer 2 HA environment the virtual, Primary, and Secondary appliance host
names and their corresponding IP addresses can all be secured with one certificate.
Wildcard Certificates
Wildcard certificates can be issued by generating a Certificate Signing Request (CSR) in FortiNAC
or a third party.
Requirements
The Wildcard Private Key cannot be password protected.
The actual Fully-Qualified Host Name must be entered in the Fully-Qualified Host Name
field under System > Settings > Portal SSL. Entering the wildcard name in this field will
cause the application of the certificate to fail.
Certificate Authority (CA) Options
SSL Certificates can be issued from the following Certificate Authorities (CA):
Corporate Owned Internal CA - certificates issued from within the organization. You
may act as your own Certificate Authority (CA) and use your own internal certificate, as
long as all systems in your domain use the same certificate.
7
Recommended for securing the Administration UI and Agent.
Certificate types:
o Individual
o SAN
Third party public - certificates issued from Certificate Authorities like GoDaddy,
DigiCert, GlobalSign, etc.
Recommended for securing the Captive Portal (in most cases, devices attempting to register
through the portal will not have an internal certificate).
Certificate types:
o Individual
o SAN
o Wildcard
Self-Signed - FortiNAC issues its own certificate. This option is not as secure, but is an
option in situations where a new certificate is not yet available and one is needed (e.g.
Administration UI). Important: This type of certificate cannot be used for the Persistent
Agent certificate target (for Persistent Agent communication) or the Portal target when
using Dissolvable Agents.
8
Create Certificate for Use with Multiple PODs
If a wildcard or SAN certificate needs to be created to use with multiple PODs, create the
certificate on one POD and install the certificate and Private Key files on all the PODs.
1. Login to the Administration UI of one of the PODs and generate the CSR (when requesting
a SAN, ensure the names of all appliances that will be using the certificate are included).
UI Method: Obtain a Valid SSL Certificate from CA
2. Once the certificates are received from the CA, login to the POD which the CSR was
generated and install the certificates. Refer to the following sections:
a. UI Method: Upload the Certificate Received from the CA
b. Copying a Certificate to Another Target
c. UI Method: Activating Certificates
3. Copy the key to a text file.
a. In Certificate Management, highlight one of the Certificate targets that now has the
certificate installed and click Details.
b. Click on the Private Key tab.
c. Copy the content to a text file and save. Ensure the complete content is captured.
Example:
-----BEGIN RSA PRIVATE KEY-----
...Private Key Data...
-----END RSA PRIVATE KEY-----
4. Login to the Administration UI of the next POD.
5. Follow the instructions in section UI Method: Upload the Certificate Received from the
CA noting the following:
a. Choose Private Key option Upload Private Key.
b. Choose the Private Key file created in the previous step.
c. Upload the same certificate files as in the previous POD.
6. Proceed to complete the upload and activation of certificates for the POD
Copying a Certificate to Another Target
UI Method: Activating Certificates
7. Repeat steps 4 through 6 for each POD.
12
Administration UI Instructions
The following describes how to obtain a certificate from the Certificate Authority, upload
the certificate, copy the certificate to another target, and activate the certificate from the
Admin UI.
UI Method: Obtaining a Valid SSL Certificate from CA
If a Certificate Signing Request (CSR) has not yet been issued, create one in FortiNAC. If a
certificate has already been generated, proceed to section Upload the Certificate Received from
the CA.
To generate a CSR:
1. Select System > Settings
2. Expand the Security folder.
3. Select Certificate Management from the tree.
4. Click Generate CSR.
Figure 1: Generate CSR
13
5. Select the certificate target.
Admin UI: Generates CSR for the Administration User Interface.
Local RADIUS Server (EAP): For use when FortiNAC is acting as the
802.1x EAP termination point. For details see Local RADIUS Server.
Persistent Agent: Generates CSR for Communications between
FortiNAC and the Persistent Agent.
Portal: Generates a CSR to secure the Captive Portal and Dissolvable
Agent communications.
RADIUS Endpoint Trust: Endpoint Trust Certificate used by FortiNAC
to validate the client-side certificate when Local RADIUS Server is
configured and EAP-TLS is used for authentication. For details see
section Local RADIUS Server of the Administration Guide in the
Fortinet Document Library.
6. Enter the Common Name (Fully-Qualified Host Name). This is the Host Name to be
secured by the certificate. If generating a wildcard CSR, enter the desired domain
specifying the wildcard in the Common Name Field (e.g. *.Fortinetnetworks.com).
7. Enter the remaining information for the certificate in the dialog box.
8. Click OK to generate the CSR.
Figure 2: Generated CSR
14
9. Copy the section with the certificate request to include the following:
-----BEGIN CERTIFICATE REQUEST-----
...Certificate Request Data...
-----END CERTIFICATE REQUEST-----
10. Paste it into a text file, and save the file with a .txt extension. Note the location
of this file on your PC.
11. Click OK to exit the "Certificate Generated" screen.
12. Send the Certificate Request file to the CA to request a Valid SSL Certificate. Note the
following before submitting:
Not all Certificate Authorities ask for the same information when
requesting a certificate. For example, some CA's ask for a server type (apache,
etc) while others do not. If prompted, choose apache. FortiNAC requires a non-
encrypted certificate in one of the following formats:
PEM
*
DER
PKCS
#7
P7B
*Note: If the certificate will be installed on another system via CLI, choose PEM.
Otherwise, the files will need to be converted later on when installing the certificates
using CLI (see Appendix section SSL File Conversion Tools).
Certificate requests generated on FortiNAC use the SHA1 RSA
encryption signature. However, certificates with SHA2 encryption can be
requested using this CSR.
Agent versions prior to 3.1.5 are not compatible with SHA2. Contact
Support to verify appropriate SHA version based on current deployment.
Do not generate a new CSR for the same target after submitting request to
CA. When a certificate request is generated, a matching private key is stored on
the appliance in a temporary location. When the resulting certificate is obtained
from the authority and uploaded, the matching private key is then moved into the
live certificate configuration location. As such, generating more than one certificate
request for a single target will overwrite the previous private key stored in the
temporary location with a new private key. Certificates obtained using the initial
certificate request would then be invalid as the private key stored in the temporary
location would no longer match.
Proceed to Upload the Certificate Received from the CA.
Important: Make sure there are no spaces, characters or carriage returns added to the
Certificate Request.
15
UI Method: Upload the Certificate Received from the CA
Upload the valid SSL certificate to the appliance when the certificate file is returned from
the CA. Certificate files can be returned to you in one of several configurations. Depending
upon the CA, one or multiple certificate files may be returned.
Figure 3: Upload Certificate
1. Save the file(s) received from the CA to your PC.
2. Select System > Settings.
3. Expand the Security folder.
4. Select Certificate Management from the tree.
5. Click Upload Certificate.
6. Select the target where the certificate will be uploaded.
Admin UI: Secures the Administration User Interface.
Local RADIUS Server (EAP): For use when FortiNAC is acting as the
802.1x EAP termination point. For details see Local RADIUS Server.
Persistent Agent: Secures the communications between FortiNAC and the
Persistent Agent.
Portal: Secures the captive portal and communications between FortiNAC and the
Dissolvable Agent.
RADIUS Endpoint Trust: Endpoint Trust Certificate used by FortiNAC to
validate the client-side certificate when Local RADIUS Server is configured
and EAP-TLS is used for authentication. For details see section Local
RADIUS Server of the Administration Guide in the Fortinet Document
Library.
7. Do one of the following:
Select Use Private Key from Last Generated CSR to use the key from the most
recent CSR for the selected target.
Select Reuse Private Key from Existing Certificate to use the private key for
the certificate currently in use. This option is for renewing an existing installed
certificate.
Select Upload Private Key to upload a key stored outside FortiNAC. Click
16
Choose to find and upload the private key.
8. Click the Choose File button to find and select the certificate to be uploaded. Users
can also upload CA certificates and CA bundles.
9. Click the Add Certificate button if multiple certificates were returned. Use this to
enter each additional certificate file.
10. Click OK.
Copying a Certificate to Another Target
If the certificate is intended to be used for multiple targets, copy the certificate to the new
target:
1. Highlight the target with the desired certificate installed.
2. Click Copy Certificate.
3. Select the new target from the drop-down menu.
4. Click OK.
UI Method: Activating Certificates
Certificates for the Administration User Interface and Persistent Agent activate automatically
upon installation. No further action is required.
To begin using the certificate when connecting to the Portal, do the following:
1. Navigate to System > Settings.
2. Expand the Security folder, and then click Portal SSL.
3. In the SSL Mode field, select Valid SSL Certificate.
4. Click Save Settings (this may take several minutes).
Proceed to Validate.
17
CLI Instructions
The following describes how to obtain a certificate from the Certificate Authority, upload the
certificate, and activate the certificate from the CLI. Click on the appropriate link to
proceed:
FortiNAC Server: FNC-M and FNC-CA models
FortiNAC Control/Application Server pair
18
CLI Method: (FNC-M and FNC-CA models)
Note: In order to secure the Captive Portal, the certificate files need to be placed in the
/bsc/siteConfiguration/apache_ssl directory of the FortiNAC Server and must use the file
names server.key, server.crt and server.ca-bundle. These files can then be used to
secure the Admin UI and Persistent Agent certificate targets using the
ImportCertificateWithKey command.
Even if the portal will not be used, the files can still be saved in the apache_ssl directory
using these names for consistency purposes.
Obtaining a Valid SSL Certificate from a Certificate Authority (CA)
If a Certificate Signing Request (CSR) has not yet been issued, create one in FortiNAC.
1. Log into FortiNAC as root.
2. Navigate to /bsc/siteConfiguration/apache_ssl and generate the Certificate
Request. Type
openssl req -newkey rsa:2048 -new -keyout encrypted.key -days 1095 -out
certificaterequest.csr
3. Enter the appropriate information. If generating a wildcard CSR, enter the desired domain
specifying the wildcard in the Common Name Field (e.g. *.Fortinetnetworks.com).
Example input:
Generating a 2048 bit RSA private key
........+++
.....+++
writing new private key to 'encrypted.key' Enter PEM
pass phrase: Fortinet
Verifying - Enter PEM pass phrase: Fortinet
-----
You are about to be asked to enter information that will be incorporated into your
certificate request.
What you are about to enter is what is called a Distinguished Name or a DN. Th ere are
quite a few fields but you can leave some blank For some fields there will be a default
value.
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:New Hampshire Locality
Name (eg, city) [Newbury]:Concord
Organization Name (eg, company) [My Company Ltd]:Fortinet Organizational Unit Name
(eg, section) []:Information Technology
Common Name (eg, your name or your server's hostname) []:svm1-1200.Fortinetnet works.com
Email Address []:.
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:.
An optional company name []:.
19
Two files are created: the Private Key (encrypted.key) and the Certificate Signing Request
(certificaterequest.csr).
4. Decrypt the Private Key using the PEM pass phrase entered in previous step. An
unencrypted Private Key is created.
openssl rsa -in encrypted.key -out server.key
5. Enter pass phrase for encrypted.key: Fortinet
writing RSA keywill display.
6. Type
cat server.key
The key should have the following format:
-----BEGIN RSA PRIVATE KEY-----
...Private Key Data...
-----END RSA PRIVATE KEY-----
7. Type
cat certificaterequest.csr
The certificate should have the following format:
-----BEGIN CERTIFICATE REQUEST-----
...Certificate Request Data...
-----END CERTIFICATE REQUEST-----
The Certificate Request can be viewed with the below command:
openssl req -noout -text -in certificaterequest.csr
8. Submit the certificate request file (certificaterequest.csr) to the CA. If requesting a SAN
certificate, provide the FQDN of all appliances to be secured. The amount of time it takes
for the CA to respond with the certificate files after CSR submission will vary. Note the
following before submitting:
Not all Certificate Authorities ask for the same information when requesting
a certificate. For example, some CA's ask for a server type (apache, etc) while others
do not. If prompted, choose apache. FortiNAC requires a non-encrypted certificate.
Use PEM format.
Certificate requests generated on FortiNAC use the SHA1 RSA encryption
signature. However, certificates with SHA2 encryption can be requested using this
CSR.
Agent versions prior to 3.1.5 are not compatible with SHA2. Contact Support
to verify appropriate SHA version based on current deployment.
Do not generate a new CSR for the same target after submitting request to CA.
When a certificate request is generated, a matching private key is stored on the
20
appliance in a temporary location. When the resulting certificate is obtained from the
authority and uploaded, the matching private key is then moved into the live certificate
configuration location. As such, generating more than one certificate request for a
single target will overwrite the previous private key stored in the temporary location
with a new private key. Certificates obtained using the initial certificate request would
then be invalid as the private key stored in the temporary location would no longer
match.
Import and Activate Certificates
After receiving the certificate files from the CA, upload them to FortiNAC. The Certificate Authority
will generally return:
Certificate
CA bundle containing any intermediate and root certificates to ensure authenticity of
the certificate.
The certificate, the key, and bundle (containing only the intermediate and root certificates) must be
in separate files.
1. Log into the server as root. Copy the certificate files received from the CA to
/bsc/siteConfiguration/apache_ssl
2. If several intermediate certificate files are received (as opposed to a single CA bundle), the
files should be merged into a bundle. Complete the steps in Appendix section Create SSL
Certificate Bundle before proceeding.
3. If CSR was not generated in FortiNAC, verify Private Key is in RSA format. Type:
cat <filename>
Header should look like this: -----BEGIN RSA PRIVATE KEY-----
If Key Header looks like this: -----BEGIN PRIVATE KEY-----
The Key is not in the correct format and needs to be converted. Covert the file by running
the following command (on a Linux server):
openssl rsa -in <old_file_name> -out <new_file>
Complete SSL Certificate installation using the newly converted Private Key file.
4. Backup the existing .keystore file. Type
cp /bsc/campusMgr/.keystore /bsc/campusMgr/.keystore.bak
5. Ensure the names of the files are the following:
key = server.key
certificate = server.crt
bundle = server.ca-bundle
21
6. Import files to the keystore for the Admin UI certificate target. Type
ImportCertificateWithKey -alias tomcat -cas server.ca-bundle -key
server.key -cert server.crt -keystore /bsc/campusMgr/.keystore -v -
force -import -storepass ^8Bradford%23
"Successfully imported key and certificate chain" will display.
7. Import files to the keystore for the Persistent Agent certificate target. Type
ImportCertificateWithKey -alias agent -cas server.ca-bundle -key
server.key -cert server.crt -keystore /bsc/campusMgr/.keystore -v -
force -import -storepass ^8Bradford%23
"Successfully imported key and certificate chain" will display.
8. Import files to the keystore for the captive portal certificate target. Type
ImportCertificateWithKey -alias portal -cas server.ca-bundle -key
server.key -cert server.crt -keystore /bsc/campusMgr/.keystore -v -
force -import -storepass ^8Bradford%23
"Successfully imported key and certificate chain" will display.
9. Activate Certificate for each target.
Admin UI - Restart the tomcat-admin service. In CLI type
service tomcat-admin restart
Agent - (No action is necessary)
Captive Portal - Restart apache service via CLI. Type
service httpd restart
Proceed to Validate.
22
CLI Method: (Control Server/Application Server Pair)
Applicable models: NS1200/2200/8200/9200/1000C/1000A/2000C/2000A
Note: In order to secure the Captive Portal, the certificate files need to be placed in the
/bsc/siteConfiguration/apache_ssl directory of the FortiNAC Application Server and
must use the file names server.key, server.crt and server.ca-bundle. These files can
then be used to secure the Persistent Agent certificate target using the
ImportCertificateWithKey command.
Even if the portal will not be used, the files can still be saved in the apache_ssl directory
using these names for consistency purposes.
Obtaining a Valid SSL Certificate from a Certificate Authority (CA)
If a Certificate Signing Request (CSR) has not yet been issued, create one in FortiNAC.
1. Determine what will be secured in FortiNAC. There are three possible certificate targets:
Admin UI: Secures the Administration User Interface. To secure the Admin UI,
certificates must be installed on the Control Server.
Persistent Agent: Secures the communications between FortiNAC and the Persistent
Agent. To secure this target, certificates must be installed on the Application Server.
Portal: Secures the captive portal and communications between FortiNAC and the
Dissolvable Agent. To secure this target, certificates must be installed on the Application
Server.
2. Log into the Control Server as root.
3. Navigate to /bsc/campusMgr and generate the Certificate Request. Type
openssl req -newkey rsa:2048 -new -keyout encrypted.key -days 1095 -out
certificaterequest.csr
4. Enter the appropriate information. If generating a wildcard CSR, enter the desired domain
specifying the wildcard in the Common Name Field (e.g. *.Fortinetnetworks.com).
Example input:
Generating a 2048 bit RSA private key
........+++
.....+++
writing new private key to 'encrypted.key' Enter PEM
pass phrase: Fortinet
Verifying - Enter PEM pass phrase: Fortinet
-----
You are about to be asked to enter information that will be incorporated into your
23
certificate request.
What you are about to enter is what is called a Distinguished Name or a DN. Th ere are
quite a few fields but you can leave some blank For some fields there will be a default
value.
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:New Hampshire Locality
Name (eg, city) [Newbury]:Concord
Organization Name (eg, company) [My Company Ltd]:Fortinet Organizational Unit Name
(eg, section) []:Information Technology
Common Name (eg, your name or your server's hostname) []:svm1-1200.Fortinetnet works.com
Email Address []:.
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:.
An optional company name []:.
Two files will be created: the Private Key (encrypted.key) and the Certificate Signing
Request (certificaterequest.csr).
5. Decrypt the Private Key using the PEM pass phrase entered in step 4. An
unencrypted Private Key will be created.
openssl rsa -in encrypted.key -out server.key
6. Enter pass phrase for encrypted.key: Fortinet
“writing RSA keywill display.
7. Type
cat server.key
The key should have the following format:
-----BEGIN RSA PRIVATE KEY-----
...Private Key Data...
-----END RSA PRIVATE KEY-----
8. Type
cat certificaterequest.csr
The certificate should have the following format:
-----BEGIN CERTIFICATE REQUEST-----
...Certificate Request Data...
-----END CERTIFICATE REQUEST-----
The Certificate Request can be viewed with the below command:
openssl req -noout -text -in certificaterequest.csr
9. Submit the certificate request file (certificaterequest.csr) to the CA. If requesting a SAN
certificate, provide the FQDN of all appliances to be secured. The amount of time it takes
24
for the CA to respond with the certificate files after CSR submission will vary. Note the
following before submitting:
Not all Certificate Authorities ask for the same information when requesting
a certificate. For example, some CA's ask for a server type (apache, etc) while others
do not. If prompted, choose apache. FortiNAC requires a non-encrypted certificate.
Use PEM format.
Certificate requests generated on FortiNAC use the SHA1 RSA encryption
signature. However, certificates with SHA2 encryption can be requested using this
CSR.
Agent versions prior to 3.1.5 are not compatible with SHA2. Contact Support
to verify appropriate SHA version based on current deployment.
Do not generate a new CSR for the same target after submitting request to
CA. When a certificate request is generated, a matching private key is stored on the
appliance in a temporary location. When the resulting certificate is obtained from the
authority and uploaded, the matching private key is then moved into the live
certificate configuration location. As such, generating more than one certificate
request for a single target will overwrite the previous private key stored in the
temporary location with a new private key. Certificates obtained using the initial
certificate request would then be invalid as the private key stored in the temporary
location would no longer match.
Import and Activate Certificates
Once the certificate files are received from the CA, upload them to FortiNAC. The Certificate
Authority will generally return:
Certificate
CA bundle containing any intermediate and root certificates to ensure authenticity of
the certificate.
The certificate, the key, and bundle (containing only the intermediate and root certificates) must be
in separate files.
25
Securing Administration UI
1. Log into the Control Server as root. Copy the certificate files received from the CA to
/bsc/campusMgr
2. If several intermediate certificate files are received (as opposed to a single CA bundle), the
files should be merged into a bundle. Complete the steps in Appendix section Create SSL
Certificate Bundle before proceeding.
3. Verify Private Key is in RSA format. Review the private key file using a text editor.
Alternatively, if in Linux, the file can be viewed by running the command:
cat <filename>
Header should look like this: -----BEGIN RSA PRIVATE KEY-----
If Key Header looks like this: -----BEGIN PRIVATE KEY-----
The Key is not in the correct format and needs to be converted. Covert the file by running
the following command (on a Linux server):
openssl rsa -in <old_file_name> -out <new_file>
Complete SSL Certificate installation using the newly converted Private Key file.
4. Backup the existing .keystore file. Type
cp /bsc/campusMgr/.keystore /bsc/campusMgr/.keystore.bak
5. Import files to the keystore using the alias “tomcat”
Type
ImportCertificateWithKey -alias tomcat -cas <CA-Bundle> -key <Private-Key> -cert <Leaf-
Certificate> -keystore /bsc/campusMgr/.keystore -v -force -import -storepass ^8Bradford%23
Example
ImportCertificateWithKey -alias tomcat -cas server.ca-bundle -key server.key -cert
server.crt -keystore /bsc/campusMgr/.keystore -v -force -import -storepass ^8Bradford%23
"Successfully imported key and certificate chain" will display.
6. Activate Certificate by restarting the tomcat-admin service. Type
service tomcat-admin restart
Securing Agent and Captive Portal
1. Log into the Application Server as root. Copy the key, leaf certificate and bundle files to
/bsc/siteConfiguration/apache_ssl
2. If several intermediate certificate files are received (as opposed to a single CA bundle), the
files should be merged into a bundle. Complete the steps in Appendix section Create SSL
Certificate Bundle before proceeding.
26
3. Verify Private Key is in RSA format. Review the private key file using a text editor.
Alternatively, if in Linux, the file can be viewed by running the command:
cat <filename>
Header should look like this: -----BEGIN RSA PRIVATE KEY-----
If Key Header looks like this: -----BEGIN PRIVATE KEY-----
The Key is not in the correct format and needs to be converted. Covert the file by running
the following command (on a Linux server):
openssl rsa -in <old_file_name> -out <new_file>
Complete SSL Certificate installation using the newly converted Private Key file.
4. Ensure the names of the files are the following:
key = server.key
certificate = server.crt
bundle = server.ca-bundle
5. Backup the existing .keystore file. Type
cp /bsc/campusMgr/.keystore /bsc/campusMgr/.keystore.bak
6. Import files to the keystore for the Persistent Agent certificate target. Type
ImportCertificateWithKey -alias agent -cas server.ca-bundle -key
server.key -cert server.crt -keystore /bsc/campusMgr/.keystore -v -
force -import -storepass ^8Bradford%23
"Successfully imported key and certificate chain" will display
7. Import files to the keystore for the captive portal certificate target. Type
ImportCertificateWithKey -alias portal -cas server.ca-bundle -key
server.key -cert server.crt -keystore /bsc/campusMgr/.keystore -v -
force -import -storepass ^8Bradford%23
"Successfully imported key and certificate chain" will display.
8. Activate Certificate for each target.
Agent - (No action is necessary)
Captive Portal - Restart apache service via CLI. Type
service httpd restart
Proceed to Validate.
27
Validate
Administration UI and Captive Portal: Verify new certificate is being used by
examining the certificate details in the browser (such as the security lock icon or whichever
method is offered by that browser). Important: ensure the name used in the URL is the one
specified in the certificate.
Certificate Details: Login and navigate to System > Settings > Security > Certificate
Management. Verify certificate details display for each target.
Create Certificate Expiration Warning Alarms
Three events are enabled by default in FortiNAC:
Certificate Expiration Warning: Generated when a certificate is due to expire
within 30 days.
Certificate Expiration Warning (CRITICAL): Generated when a certificate is due to
expire within 7 days.
Certificate Expired: Generated when a certificate has expired.
You must create alarms to send emails when these events are generated. To
create alarms, do the following:
1. Navigate to Logs > Event to Alarm Mappings.
2. Create one alarm for each event with the following settings:
Select the Notify Users setting.
Select the type of messaging (Email or SMS) and Admin group desired to be
notified.
Set the Trigger Rule to One Event to One Alarm.
For detailed instructions on creating alarms, refer to section Add or Modify Alarm
Mapping of the Administration Guide in the Fortinet Document Library.
28
Renew a Certificate
SSL Certificates must be renewed periodically or they expire. However, the existing
certificate must be used until the new one arrives. Some Certificate Authorities allow
managing certificates such that it can be renewed without generating a new request file. In
these cases, the private key will remain the same and the new certificate can be imported
when it arrives.
Administration UI Method
1. Save the file(s) received from the CA to your PC.
2. Select the target where the certificate will be uploaded. See Step 6 under UI Method:
Upload the Certificate Received from the CA.
3. Select Reuse Private Key from Existing Certificate to use the private key for the
certificate currently in use. See Step 7 under UI Method: Upload the Certificate
Received from the CA.
4. Continue with steps 8-10 under to complete the process.
5. Copy certificate to other targets as necessary. See Copying Certificate to Another
Target.
CLI Method
Follow the applicable instructions using the new files. Use the same Private Key file.
CLI Method: Import and Activate Certificates (FortiNAC Server)
CLI Method: Import and Activate Certificates (Control Server/Application Server Pair)
29
Troubleshooting
If something is wrong with the uploaded certificate files, FortiNAC will display an error and
will not apply the certificate.
Common Causes for Certificate Upload Errors
The wildcard name (e.g., *.Fortinetnetworks.com) was placed in the Fully- Qualified
Host Name Field in the Portal SSL view under System > Settings > Security. To
correct, change the entry to the true Fully-Qualified Host Name and click Save
Settings.
There are extra spaces, characters, and/or carriage returns above, below, or within
the text body of any of the files.
The certificate was not generated with the current key and there is mismatch.
This can happen if the OK button in the Generate CSR screen had been clicked
after saving the Certificate Request. Each time OK is clicked on the Generate CSR
screen, a new CSR and private key are created, overwriting any previous private key.
To confirm the certificate and key match, use the following tool:
https://www.sslshopper.com/certificate-key-matcher.html
If the key and certificate do not match, generate a new CSR and submit for a new
certificate.
An error displays indicating the private key is invalid. This can occur if the Private
Key is not a RSA Private Key. To confirm, (if the certificate is in PEM format),
open the certificate in a text editor. If the content looks something like the following:
----BEGIN PRIVATE KEY----
...Private key Data…
----END PRIVATE KEY----
then the key will need to be converted to a RSA key. Run the following command:
openssl rsa -in <old_file_name> -out <new_file>
The following error displays in UI: "Unable to update apache configuration." This can
occur if SSH communication is failing (as the appliance establishes a SSH session to
restart apache service). If appliance is a pair, verify Control Server can SSH to
Application Server. If appliance is a single device, verify appliance can SSH to itself
(without being prompted to enter a password).
Note: For additional troubleshooting assistance, contact Support.
30
Appendix
Create SSL Certificate Bundle
If several intermediate certificate files are received (as opposed to a single CA bundle), the
files should be merged into a bundle.
1. Confirm the files are in PEM format. When opened in a text editor, the content should look
similar to the format:
-----BEGIN CERTIFICATE1-----
sajaisjkajfsdvjJV;kjvd;Kjv;Js;FDJVKjv
-----END CERTIFICTATE1-----
If the content does not have these types of headers, convert to PEM format first. See
Appendix section SSL File Conversion Tools.
2. Append all intermediate files into a single text file (server.ca-bundle).
a. Determine the order in which the certificates will be listed in the bundle (order is
important). This is done by using keytool to review each certificate.
Use the following command to decode and view the content of each certificate:
keytool -v -printcert -file <certificate filename>
b. Start with the leaf certificate. Look at the Issuer to determine the certificate to be
listed first in the bundle.
keytool -v -printcert -file server.crt
Owner: CN=bcm.mydomain.edu, OU=ITS Servers & Apps, O=My
Organization,L=Somewhere, ST=NY, C=US
Issuer: CN=InCommon Server CA, OU=InCommon, O=Internet2, C=US
c. The first Intermediate Certificate’s Owner should match the leaf certificate’s Issuer.
keytool -v -printcert -file InCommonServerCA.pem
Owner: CN=InCommon Server CA, OU=InCommon, O=Internet2, C=US
Issuer: CN=AddTrust External CA Root, OU=AddTrust External TTP
Network, O=AddTrust AB, C=SE
d. The next Intermediate Certificate’s Owner should match the first Intermediate
certificate’s Issuer. In this case it is the Root certificate (which will always be listed
last).
keytool -v -printcert -file AddTrustUTNSGCCA.pem
Owner: CN=AddTrust External CA Root, OU=AddTrust External TTP
Network, O=AddTrust AB, C=SE
Issuer: CN=UTN - DATACorp SGC, OU=http://www.usertrust.com, O=The
USERTRUST Network, L=Salt Lake City, ST=UT, C=US
e. Create a new text file (bundle.crt) and append the certificate files in order.
31
Example of importing the text content of each intermediate and root certificate (in
the appropriate order) into a new bundle called server.ca-bundle:
cat InCommonServerCA.pem >> server.ca-bundle
cat AddTrustUTNSGCCA.pem >> server.ca-bundle
f. View the bundle and ensure there are no spaces between the start and end of each
file.
cat server.ca-bundle
Example Bundle content:
-----BEGIN CERTIFICATE1-----
sajaisjkajfsdvjJV;kjvd;Kjv;Js;FDJVKjv
-----END CERTIFICTATE1-----
-----BEGIN CERTIFICATE2----
sajdjsaskdjfkjdskvjsadvkjBDSVKBkdjv
-----END CERTIFCATE2-----
3. Proceed to upload/import the Certificates. Click on the appropriate link:
UI method
CLI method (FNC-CA, FNC-M)
CLI method (Control/Application server pair)
Keystore for SSL/TLS Communications
When using SSL or TLS security protocols for communications between FortiNAC and some
servers (such as LDAP directory, Fortinet EMS and Nozomi servers) a security certificate may be
required. The need for the certificate is dependent upon the configuration of the directory. In most
cases, FortiNAC automatically imports the certificate it needs. However, if this is not the case,
import the certificate. Fort instructions, see section Create a keystore for SSL or TLS of the
Administration Guide.
32
SSL File Conversion Tools
Convert DER/Binary to PEM Format:
openssl x509 -inform der -in <filename> -out <newfilename>
Example converting certificate.cer:
openssl x509 -inform der -in certificate.cer -out certificate.pem
Convert P7B/PKCS#7 to PEM Format:
openssl pkcs7 -print_certs -in <filename> -out <newfilename>
Example converting certificate.p7b:
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
Convert PFX/PKCS#12 to PEM Format:
openssl pkcs12 -in <filename> -out <newfilename> nodes
Example converting certificate.pfx:
openssl pkcs12 -in certificate.pfx -out certificate.cer nodes
33
UI Method: Issuing a Self-Signed Certificate
Self-Signed Certificates can be used in the event there are no certificates issued by a third party or
internal Certificate Authority that are available.
To generate a Self-Signed Certificate:
1. Select System > Settings
2. Expand the Security folder.
3. Select Certificate Management from the tree.
4. Click Generate CSR.
5. Select the certificate target.
Admin UI: Generates CSR for the Administration User Interface.
Persistent Agent: Not recommended when using Self-Signed
Certificates.
Portal: Not recommended when using Self-Signed Certificates.
6. Select Use Result as Self-Signed Certificate
7. Enter the Common Name (Fully-Qualified Host Name). This is the Host Name to be
secured by the certificate.
8. Click OK.
9. Import the certificate to the endstations accessing this target (Admin UI, Persistent Agent
or Portal) in order to establish trust. There are various methods to do this. See Import Self-
Signed Certificates.
Import Self-Signed Certificates
1. Export certificate from FortiNAC to use for other browsers.
Note: Exporting the certificate may not be possible with Internet Explorer
Export using FireFox:
To export certificate to use for other browsers:
a. Browse to https://<appliance name>:8443
The message "Your connection is not secure" displays.
b. Click the padlock or "i" next to the URL
c. Click the > next to the host name
d. Click More Information
e Under the Details tab click the Export button.
f. Save as PEM.
34
Export using FortiNAC CLI:
a. Login to the FortiNAC Server or Control Server as root.
b. Export the certificate to a file. Type
echo -n | openssl s_client -connect <appliance name>:8443 | sed -ne '/-BEGIN
CERTIFICATE-/,/-END CERTIFICATE-/p' > server.cert
Example:
echo -n | openssl s_client -connect qa6-74.Fortinetnetworks.com:8443 |
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > server.cert
depth=0 CN = qa6-74.Fortinetnetworks.com
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = qa6-74.Fortinetnetworks.com
verify return:1
DONE
c. Download certificate file from FortiNAC. This can be done in various ways:
FortiNAC CLI:
o Upload file to a FTP server
ftp <destination ip or name>
o Use SCP and copy to another endstation
scp server.cert root@<destination IP address or hostname>:/<path>
WinSCP or similar program: Specify SCP for transfer protocol
2. Import the certificate to the browser.
FireFox:
a. Browse to https://<appliance name>:8443
The message "Your connection is not secure" displays.
b. Click Advanced
c. Click Add Exception
d. Click Confirm Security Exception
e. Close the browser completely and reopen. The URL should now display as secure.
Internet Explorer (IE):
a. Browse to https://<appliance name>:8443
b. Under start menu, in search bar type certmgr.msc.
35
c. Navigate to folder Trusted Root Certification Authorities\Certificates.
d. Click Action > All Tasks > Import
e. Browse and select the filename of the certificate.
f. Click Open
g. Click Next
h. Ensure Place all certificates in Certificate store Trusted Root Certification Authorities is
selected
i. Click Next
j. Click Finish
k. When prompted to install certificate, click Yes
"The import was successful" should display.
l. Close the browser completely and reopen. The URL should now display as secure.
Generate New Self-Signed Certificate
Certificate alias 'server' certificate expiring. Delete the certificate and generate a new one.
1. Shut down management processes.
shutdownNAC
shutdownNAC -kill
2. Delete the certificate. Type
keytool -delete -alias server -keystore /bsc/campusMgr/.keystore -storepass
^8Bradford%23
3. Generate new certificate. Type
keytool -genkey -alias server -keyalg RSA -keysize 2048 -validity 3650 -dname
'CN=bradfordnetworks.com,OU=Bradford Networks,O=bni,L=Concord,ST=NH,C=US' -
keypass ^8Bradford%23 -keystore /bsc/campusMgr/.keystore -storepass
^8Bradford%23
4. Distribute the certificate to the application servers and NCM (if they exist). Type
/bsc/campusMgr/bin/internal/exchange-server-certs
5. Start processes. Type
startupNAC
36
Copyright© 2020 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., in the U.S. and other jurisdictions,
and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and
other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other
conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet
enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance
metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to
performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any commitment related to future deliverables, features or development, and circumstances may
change such that any forward-looking statements herein are not accurate. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet
reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.