bg-tutorials

How to Generate a CSR on FortiGate

This guide shows you how to generate a CSR (Certificate Signing Request) on a Fortinet FortiGate firewall running FortiOS.

You create the request in the web interface under System > Certificates > Create/Import > Generate CSR, fill in your organization details, then download the CSR file to send to your Certificate Authority.

The private key is created at the same time and stays on the FortiGate: it is not exported with the CSR, so you must import the signed certificate back onto the same appliance.

Generate the CSR on FortiGate

If you have already generated your CSR and received the signed files from the CA, skip this section and jump straight to how to install an SSL certificate on FortiGate. Otherwise, follow the steps below. The screens match FortiOS 7.4 and 7.6; older 7.0 and 6.x builds use the same path with slightly different labels.

Step 1: Make the Certificates menu visible (if needed)

On many FortiGate models the certificate management screens are hidden by default. If you do not see System > Certificates in the left navigation, log in to the FortiGate web interface, go to System > Feature Visibility, enable Certificates under the additional features, and click Apply. The Certificates entry now appears under System.

Step 2: Open the Generate CSR window

  • Log in to your FortiGate web interface (the management console).
  • Go to System > Certificates.
  • Click Create/Import at the top of the page, then choose Generate CSR. The Generate Certificate Signing Request window opens.

Step 3: Fill in the request

Complete the form. The Optional Information fields are required by every public CA, even though FortiOS labels them optional.

  • Certificate Name: a friendly name that identifies this CSR and its private key on the FortiGate, for example yourdomain.com 2026. This is an internal label only; it does not have to match the domain.
  • Subject Information > ID Type: choose Domain Name. The other options (Host IP, E-Mail) are not used for a standard public SSL certificate.
  • Domain Name: the fully qualified domain name (FQDN) you want to secure, for example www.yourdomain.com. For a wildcard certificate, put an asterisk in front of the apex, for example *.yourdomain.com. This value becomes the certificate’s Common Name.
  • Subject Alternative Name: list every host name the certificate must cover. FortiOS expects each entry with its type prefix and separated by commas, for example DNS:www.yourdomain.com, DNS:yourdomain.com. Repeat the Domain Name from the previous field as the first SAN entry, because public CAs validate and present certificates based on the SAN list, not the Common Name.
  • Optional Information > Organization: the full legal name of your company, for example Your Company LLC. Leave blank only for a Domain Validated (DV) certificate; Organization Validated (OV) and Extended Validation (EV) certificates require a registered legal name.
  • Organization Unit: leave blank. Public CAs no longer include this field in issued certificates and most ignore it.
  • Locality (City): the full name of the city where your organization is registered, for example Honolulu.
  • State / Province: the full name of the state or region, for example Hawaii. Do not abbreviate.
  • Country / Region: select your country from the drop-down. FortiOS writes the two-letter ISO code into the request.
  • E-Mail: a contact email address for your organization. Some CAs use it for validation correspondence.
  • Key Type: RSA for the broadest compatibility, or Elliptic Curve if your CA and clients support ECDSA.
  • Key Size: 2048 Bit is the minimum public CAs accept for RSA; you can choose 3072 Bit or 4096 Bit for a larger key. For an Elliptic Curve key, choose secp256r1 or stronger.
  • Enrollment Method: select File Based. Use Online SCEP or Online EST only if your organization runs an automated enrollment service that requires it.

Step 4: Generate the request

Check every field, then click OK. FortiOS creates the CSR and its matching private key on the appliance. The new entry appears in the certificate list with a status of PENDING, which confirms the key is waiting for a signed certificate from the CA.

Download the CSR file

  • Still under System > Certificates, open the Local Certificates view.
  • Select the pending entry you just created.
  • Click Download in the toolbar and save the .csr file to your computer.

Open the file with a plain-text editor such as Notepad. The contents look like this:

-----BEGIN CERTIFICATE REQUEST-----
MIIC...your encoded request...AB==
-----END CERTIFICATE REQUEST-----

Copy the entire block, including the —–BEGIN CERTIFICATE REQUEST—– and —–END CERTIFICATE REQUEST—– lines and everything between them. Each marker uses five hyphens on each side, with no spaces and no extra characters. Paste the whole block into the CSR box on your SSL vendor’s order page.

Do not delete the pending entry while you wait for the signed certificate. The FortiGate needs that entry to pair the issued certificate with its private key when you import it later.

Check the CSR before you submit it

It is worth confirming the request contains the right domain and organization details before placing the order. Paste the contents of the file into our online CSR decoder to see the Common Name, SAN entries, key size, and organization fields the FortiGate wrote into the request. If anything is wrong, generate a new CSR on the FortiGate rather than editing the file: any change to the text invalidates the signature.

If you would rather prepare the request in a browser, you can also build one with our online CSR Generator. Note that the generator creates the private key in your browser, so save that key yourself and combine it with the issued certificate into a .p12 file before importing to the FortiGate.

After the CA issues your certificate

Once the CA validates the CSR, it emails you the signed certificate and its intermediate (CA) chain, usually in a ZIP archive. Download and extract the archive on your computer. Return to System > Certificates, select the same pending entry, and use Import to load the signed certificate. Importing onto the existing pending entry preserves the key pairing, so the status changes from PENDING to OK. The full procedure is in our guide on how to install an SSL certificate on FortiGate.

Save 10% on SSL Certificates when ordering from SSL Dragon today!

Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10

A detailed image of a dragon in flight
Written by

I've been writing for SSL Dragon for over 10 years, focusing entirely on SSL certificates and digital security. My job is to take complex cybersecurity topics and strip away the jargon, making sure you get the clear, practical information you need to keep your website safe.