Issuing a cert request for Packet Inspection on two tier setup, Standalone Root CA with 2 Enterprise CAs

DaveK 1,851 Reputation points


I've been asked to look into getting a new cert for use on a FortiGate Firewall for Inspection and I'm afraid it's for the most part not something I'm familiar with. I've done a fair bit of work with SSL certs for websites / external SSL but wasn't involved in any of the initial setup of the MS PKI or inspection cert setup.

I've got a RootCA (Standalone CA) and 2 SubCAs (Enterprise CA) and I'm not 100% sure what the usual way to request a new certificate for packet inspection would be: at the Root level (so under the root there would be 3 CAs, two Enterprise and 1 for use on inspection), or whether the inspection cert should be issued via one of the Enterprise CAs.

In my mind I'm thinking the RootCA would be easiest as it keeps all the SubCAs at the same 'tier', but I can't find very much info on what would be recommended. One thing which has cropped up is the RootCA has "Path Length Constraint=2" and the SubCAs "Path Length Constraint=0", so am I right in thinking the only option would be to issue it from the RootCA?


1 answer

  1. DaveK 1,851 Reputation points

    After much playing and internet searching I managed to get this one sorted.

    I ended up creating a CSR manually via OpenSSL rather than using the request from the FortiGate, then used certreq to make the request using the 'SubCA' template and used certutil to make sure the right extensions got installed.

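The procedure the answer describes, written out as an added example (these are not the poster's commands). It is PowerShell run from an elevated prompt on a domain-joined box with OpenSSL on the PATH; the CA config string `issuingca01.corp.example\Example Issuing CA 1`, the subject DN and every `inspect-ca.*` file name are assumptions. The first step addresses the path-length question raised in the post: a CA whose own certificate carries "Path Length Constraint=0" cannot sign a subordinate CA certificate that will validate, so check the issuer before submitting, and the CSR itself asks for `pathlen:0` so the inspection CA can sign leaf certificates but no further CAs.

```powershell
# Added example (not the poster's own commands). Builds a subordinate-CA style
# CSR with OpenSSL, submits it with certreq, and verifies the result with certutil.
# Assumed: CA config string, subject DN, and the inspect-ca.* / issuingca01.cer file names.
$ErrorActionPreference = 'Stop'
$CaConfig = 'issuingca01.corp.example\Example Issuing CA 1'   # assumption: "<host>\<CA name>"

# 0. Fetch the issuing CA's own certificate and check its path length.
#    If it shows "Path Length Constraint=0" it cannot issue a usable sub-CA;
#    pick a CA higher in the hierarchy (the post's Root CA shows =2).
certutil -config $CaConfig -ca.cert issuingca01.cer
certutil -dump issuingca01.cer | Select-String 'Subject Type', 'Path Length Constraint'

# 1. OpenSSL request config. CA:TRUE lets the FortiGate mint per-site leaf
#    certificates; pathlen:0 stops it minting further CAs; keyCertSign/cRLSign
#    are the key usages a signing CA needs. Subject DN is a placeholder.
$cnf = @'
[ req ]
prompt = no
distinguished_name = dn
req_extensions = ca_ext

[ dn ]
CN = Example Inspection CA
O = Example Corp

[ ca_ext ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, digitalSignature, keyCertSign, cRLSign
subjectKeyIdentifier = hash
'@
Set-Content -Path inspect-ca.cnf -Value $cnf -Encoding ascii

openssl req -new -newkey rsa:4096 -nodes -sha256 `
    -keyout inspect-ca.key -out inspect-ca.csr -config inspect-ca.cnf
# Confirm the extensions made it into the CSR before anything is submitted.
openssl req -in inspect-ca.csr -noout -text | Select-String 'CA:TRUE', 'Certificate Sign'

# 2. Submit to the CA. The CertificateTemplate attribute is only meaningful on an
#    Enterprise CA; a Standalone CA has no templates and takes the extensions
#    from the CSR. If the CA is configured to pend requests, certreq prints a
#    RequestId instead of writing the file: approve it on the CA
#    (certutil -resubmit <RequestId>) and then run
#    certreq -retrieve -config $CaConfig <RequestId> inspect-ca.cer
certreq -submit -config $CaConfig -attrib 'CertificateTemplate:SubCA' inspect-ca.csr inspect-ca.cer

# 3. Verify the issued certificate carries the CA extensions and chains cleanly
#    (certutil -verify walks the chain and reports any path-length violation).
certutil -dump inspect-ca.cer | Select-String 'Subject Type', 'Path Length Constraint', 'Certificate Signing'
certutil -verify inspect-ca.cer

# 4. Bundle the private key and certificate for upload to the firewall
#    (export password is prompted for). The key never left this host until now.
openssl pkcs12 -export -inkey inspect-ca.key -in inspect-ca.cer -out inspect-ca.pfx
```

Generating the key with OpenSSL rather than on the firewall means the private key exists on the admin workstation; delete `inspect-ca.key` and `inspect-ca.pfx` once the firewall has imported them, since anyone holding that key can sign certificates every inspected client trusts.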