Importing a wildcard certificate into the Fortigate

 

If you are importing a wildcard certificate into the Fortigate that certificate request was likely generated on another Windows or Linux server and thus the private key resides there. If the wildcard certificate resides on a Windows server the certificate and private key will need to be exported (normally in pkcs12 format)

At this time the pkcs12 import feature on the Fortigate is broken and the .pfx file will need to be converted to PEM format using openssl. Once converted to PEM format the signed certificate and the private key will be copied into 2 separate files where they can be imported into the Fortigate.

Once imported into the fortigate that certificate will need to be specifically selected for the feature you are wanting it for. For SSL VPN it can be chosen form the GUI and for admin logon access it’s set via CLI:

#config system global
#set admin-server-cert new_cert
#end

 


 

Here are some step-by-step instructions on getting a cert exported from windows and imported into your Fortigate:

First open the Microsoft Management Console on your Windows Server:

MMC

Next add the Certificates snap-in:

Certificate Snap-in

 

Now choose the certificate and export (with Private key):

Export Certificate

Now you’ll have a .pfx file that contains the signed certificate and the private key. We need to convert to PEM format using OpenSSL. OpenSSL for windows can be found here.


The following command will convert your pkcs12 certificate to PEM:

openssl pkcs12 -in example.pfx -out example.cer -nodes

You’ll now have a file which can be opened in a text editor (Wordpad is best here) We want to copy both the private and signed certificate into separate files which would look similar to the following:

private.key:

-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDeFk/Te+EACmp9
TbFeGLxZz0lVowHh8X6m9gCn1J1FRewVhycwkmAx0TdhFMlFT0OJb0YKs461A2G7
PWfyiPvuEZhjHFy7xTlSJsfYZ8y+z2mok5t1S00hF4so9m02ZvPZ3G9oXyiBna4t
ZmmrJboQ79quOqPTJ04b0TvgNlLKoPrDrJgX4Wm7ekpl07iLpL4kyxwz3m6l+xzu
Dv35qKA6OXTo81QOIJKof/EKj5LpSVGxw8O1IzPE5zfQlwlIFc8WhkcYKVbxIwc1
ovtcfybIbnMBSFWutR9vCGrwWEQamsPNMlVAoKGeNcjpZ8pBI2a2tiRrOYOI2xUu
Jxh4J5qrAgMBAAECggEBAIiD1IveQR+CR5VAlb+OmvDlz2FZswWNKdo9q4d+1THI
2mcdTgS4ZXMZ9N2zJkl5gL1Rbg+T8ivoqUGsbGIUvC/KFw8NVx+BC0wpVHz8yUmd
O4iJO20tXXry+vKyD836GPkZXE4e+Eo8f92eb2Pp6+cPWS/yEdPw/D1zL0gSfG/a
wLDissAqWxzmCFdM9fwtB3aSb5cJP3AL2NZ6ENqOtN96qGKjmXNRamjahGQQvfek
9U3lkmh0TFqIkcBHYZ9ywkfjxuZMaLh3UB7h/snojqkudpqLXq8nAg2ZS6QOKjz8
YnKWcdXN9WzGsOmU2FtbTIk9bYonDFWu+Z+ekVKYFvECgYEA/fsYVNJ3jF49PUPb
XMG0ZZqjMmIexngLCoOF6cM+ptToxUVHyDJedKcPKEFXABbP89aXhl280UM0QJLv
65arEBjUfoJEeR5nfs3bhk5DjeI0o6lMTcmjtTmh0E7MpPZ5Nz78MKH8Ny0VUf9g
gkv3k3eY57sqc3YzfRKqkO+87lkCgYEA39pObTt0e08pbsiaDXqMmRsvHLr5b/uW
ZrQAxj+1FZPpNod2KoRuudWczUtOw5X6RCIWAKQT8Jlr+BFijJWCzofQYgNyjSAW
n8H70n79IhFSoGHaghsCRTBAUlgFwe6qMR+6ngTLtKDtIg7OBOHfxCTweC1M4oE+
cm0rOJsvmKMCgYATgToQIY2uyPn4/4IUMIgTGXoY/3IPmd53MzyQhD8GfulVZQmr
NTsNyFqgo8vzpMzZlAxU9FPw2jFkGCS2uf5vIQkIoiZyCsS190c5nD8R4WJbgz/p
5WdeHovvvG146bjLZlnlvjrpXdv6TRtzRjRALfofKb+L2HMB0vIoaVDgGQKBgAYz
Do754Yz0sUoPJi0PYstutExQZU4ToqOvgoH7C7HQSdonwD8HMeXVo6UP29uQ0MCI
TSGxaZf1N8dD+/22ukur+TptrAN6iwXbonS+7ZW+8xHcA+gshVCTOITPSUGIsY/w
uANeUKHs/wQ9crkx5DeTalF5t7JiL++NVHAZ5CSPAoGAEX29UvDYKvbKLiGcM2zK
r3ZuxUdxuKq0YaZxw9XR/Mhsbl0q1OwGrud/j4D71JmjTbSqPmT2sz4Owy1tyuqJ
y2uVl6KYNnMVUYOCYQtSuFoWKZNuZN5wXoY0ztHzG0d5YE3zdKgpXaeGbKqgCHyA
OSVt5g0hcZtNJUAilqVXePo=
-----END PRIVATE KEY-----

And the signed cert, example.cer:

----BEGIN CERTIFICATE-----
MIIC2jCCAcKgAwIBAgIQOhbovzAjwbJD/76oo0L4SzANBgkqhkiG9w0BAQUFADAW
MRQwEgYDVQQDEwtGb3J0aU5pYy1QQzAeFw0xMjA0MTgxODM5NTJaFw0xMzA0MTgw
MDAwMDBaMBYxFDASBgNVBAMTC0ZvcnRpTmljLVBDMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEA3hZP03vhAApqfU2xXhi8Wc9JVaMB4fF+pvYAp9SdRUXs
FYcnMJJgMdE3YRTJRU9DiW9GCrOOtQNhuz1n8oj77hGYYxxcu8U5UibH2GfMvs9p
qJObdUtNIReLKPZtNmbz2dxvaF8ogZ2uLWZpqyW6EO/arjqj0ydOG9E74DZSyqD6
w6yYF+Fpu3pKZdO4i6S+JMscM95upfsc7g79+aigOjl06PNUDiCSqH/xCo+S6UlR
scPDtSMzxOc30JcJSBXPFoZHGClW8SMHNaL7XH8myG5zAUhVrrUfbwhq8FhEGprD
zTJVQKChnjXI6WfKQSNmtrYkazmDiNsVLicYeCeaqwIDAQABoyQwIjALBgNVHQ8E
BAMCBDAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQEFBQADggEBACc6
JStV3v5XPq2jAsJojwB9uLnu3uMqp1n+mEnnbqTPHmodpCmaITbUQ6Bxf1MpTCX0
AUtEEDvfhX1IAonURNXGG6prEjKUIAF5Ww/EewhqDK1BcUdoCNu25P4Ty0SlTV4N
gEQf0GbIxUZumf8SSyaSfcQOQLWARZP2RLbo15o9NkZpEZ+lq+sa1JjdF+U9fKcx
IGRyAX5iUVylMDf3i5RiCio4+V0lUCV0c7ZyY+3Bgq9w6m1bgEdPD3XFTuXSDGKA
dOxx7sAOVMJ49Eg89c9F8JKMykBP9lnhmnp//L9cMMqZp390HJmPxn0rcIhDvslo
JOHMbSUaBBLcqSoTXZY=
-----END CERTIFICATE-----

Now you can import both files into the Fortigate, Certificate type: Certificate. The password was removed during the conversion using OpenSSL so you won’t want to enter a password here.

 

You should now have your certificate imported into the Fortigate and can begin using it.

Leave a Reply