This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(44.800000000000004, 30%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ED%3C/text%3E%3C/svg%3E)
Hi,
I've been asked to look into getting a new cert for use on a FortiGate Firewall for Inspection and I'm afraid its for the most part not something I'm familiar with. I've done a fair bit of work with SSL certs for websites / external SSL but wasn't involved in any of the initial setup of the MS PKI or inspection cert setup.
I've got a RootCA (Standalone CA) and 2 SubCA's (Enterprise CA) and I'm not 100% sure what the usual way to request a new certificate for packet inspection would be - at the Root Level (so under the root there would be 3 CA's, two Enterprise and 1 for use on inspection) or if the inspection cert should be issued via one of the enterprise CA's.
In my mind I'm thinking at the RootCA would be easiest as it keeps all the SubCA's at the same 'tier' but I can't find very much info on what would be recommended. One thing which has cropped up is the RootCA has "Path Length Constraint=2" and the SubCA's a "Path Length Constraint=0" so I'm I right in thinking the only option would be to issue it from the RootCA?
After much playing and internet searching I managed to get this one sorted.
I ended up creating a CSR manually via OpenSSL rather than using the request from the FortiGate then used certreq to make the request using the 'SubCA' template and used certutil to make sure the right extensions got installed.