Microsoft Certificate Authority: Submit a subordinate certificate request for the firewall's SSL certificate

Hi guys, hope you are doing well. Today I'm going to share one of my experiences with a customer's expired certificate.

How do you know that it has expired?

  1. The website could not be loaded from either the internal or the external network.
  2. Loading the website from the internal network was intermittent at first, then it stopped loading altogether.
  3. The application/developer had made changes, or had not updated the certificate on their end.
  4. In the FortiGate firewall web UI, go to System > Certificates. The certificate list shows each certificate's status on the right, so you can see whether it is "Valid" or not.

Check what else depends on the certificate too.

Above is a sample of the error you see when you try to load one of your company's websites or application sites.

For this situation, it was half and half. Meaning: the application/developer had forgotten to update the certificate in their code, and the other half was that the certificate had to be updated on the firewall as well.

Solution

  1. Log in to the FortiGate firewall web UI.
  2. Go to System > Certificates > Generate CSR, then save (download) the CSR file. The private key stays on the firewall; only the request leaves it.
  3. Copy the CSR file over to your Microsoft Certificate Authority server.
  4. Open the CA's web enrollment page in a browser at "<FQDN domain name>/certsrv", log in with an on-premises AD administrator credential (any account permitted to enroll the template will do), and click Request a certificate.
    • Example: contoso.com/certsrv
  5. Select Advanced certificate request.
  6. Open the CSR file, copy its contents, and paste them into the Saved Request box. Set the certificate template to Subordinate Certification Authority and click Submit.
  7. Download the certificate in DER format.
  8. Go back to the FortiGate web UI > System > Certificates > Import > Local Certificate and upload the DER file. Import it on the same firewall that generated the CSR, since that is where the matching private key lives.
  9. Point the relevant SSL security profile at the new certificate.

A note on the template choice: the Subordinate Certification Authority template issues a CA certificate (basicConstraints CA:TRUE), which is what an SSL inspection profile needs in order to re-sign traffic. If the certificate is instead meant to be the server certificate that browsers see for the published website, request it from the Web Server template; otherwise the firewall ends up holding a certificate that can sign anything your enterprise root trusts.
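The checks worth running on the downloaded DER file before step 8, as an added example that is not part of the original post. It reproduces the CSR-to-CA round trip locally with openssl (a throwaway CA stands in for the Microsoft CA, and the CSR is generated with openssl rather than on the firewall), issues the same CSR once with Subordinate-CA-style extensions and once with Web-Server-style extensions, and then verifies that the issued certificate matches the CSR's key, whether it is a CA certificate, and how long it remains valid. The hostname, paths and extension sets are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the original post's procedure. A throwaway CA stands in
# for the Microsoft CA; hostname, paths and extension sets are assumed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
FQDN="portal.contoso.com"    # assumed published hostname

# --- Stand-ins for the two real systems -----------------------------------
# The CSR the firewall's "Generate CSR" step would produce (key stays local).
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/fw.key" \
    -subj "/CN=$FQDN/O=Contoso" -out "$WORK/fw.csr" 2>/dev/null
# A throwaway CA standing in for the Microsoft CA.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -subj "/CN=Contoso Test CA" -days 3650 -out "$WORK/ca.pem" 2>/dev/null

# Extensions approximating the two AD CS templates that matter here.
cat > "$WORK/subca.ext" <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
cat > "$WORK/web.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$FQDN
EOF

issue() {  # issue <csr> <extfile> <out.der>: sign the CSR, emit DER like certsrv
    openssl x509 -req -in "$1" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 365 -extfile "$2" -outform DER -out "$3" 2>/dev/null
}
issue "$WORK/fw.csr" "$WORK/subca.ext" "$WORK/subca.der"   # "Subordinate CA" template
issue "$WORK/fw.csr" "$WORK/web.ext"   "$WORK/web.der"     # "Web Server" template

# --- Checks to run on the downloaded certificate ---------------------------
to_pem() {  # accept the DER download or a PEM file, emit PEM on stdout
    openssl x509 -inform DER -in "$1" 2>/dev/null || openssl x509 -inform PEM -in "$1"
}

cert_matches_csr() {  # <cert> <csr>: the firewall import fails unless keys match
    a="$(to_pem "$1" | openssl x509 -noout -pubkey)"
    b="$(openssl req -noout -pubkey -in "$2")"
    [ "$a" = "$b" ]
}

cert_is_ca() {  # <cert>: true when basicConstraints says CA:TRUE
    to_pem "$1" | openssl x509 -noout -text | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE'
}

cert_valid_for_days() {  # <cert> <days>: true if it does not expire within <days>
    to_pem "$1" | openssl x509 -noout -checkend $(( $2 * 86400 )) >/dev/null
}

if [ "${1:-}" = "demo" ]; then
    for c in subca web; do
        f="$WORK/$c.der"
        printf '%s: matches CSR=%s  CA cert=%s  valid 30d=%s\n' "$c" \
            "$(cert_matches_csr "$f" "$WORK/fw.csr" && echo yes || echo no)" \
            "$(cert_is_ca "$f" && echo yes || echo no)" \
            "$(cert_valid_for_days "$f" 30 && echo yes || echo no)"
    done
fi
```

Run it with `demo` as the first argument to print the three results for both certificates. The same three functions apply unchanged to the real DER file from certsrv and the real CSR from the firewall; for the live site, `openssl s_client -connect host:443 -servername host </dev/null | openssl x509 -noout -dates` shows the dates the browser is actually seeing, which is the quickest way to confirm an expiry before touching either the firewall or the application.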

If you have a different firewall, look up the guide for your firewall's model. Either way, understanding the concept first is the most important step in troubleshooting any issue.

Meanwhile, if you're interested in setting up a Certificate Authority environment, see the reference below.

References:

  1. https://learn.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/install-the-certification-authority