Description
This article describes how to update a certificate that is already installed on a FortiGate without the need to generate a new CSR first.
This is typically done when the certificate currently installed on the FortiGate has expired.
Scope
When the CA renews the certificate using the same public/private key pair as the original certificate.
Solution
This procedure can only be done through the command line interface (CLI) of the FortiGate.
- Open the renewed certificate (provided by the CA) in text editor and copy the content.
Note that regardless of certificate's file extension, the certificate must be PEM encoded, not DER encoded. If it is DER encoded, the words 'BEGIN CERTIFICATE' or 'END CERTIFICATE' will not be visible.
- Connect to the FortiGate unit via SSH to import the new signed certificate.
Note:
If the user is on Multi-VDOM, the commands must be run on the Global VDOM.
Multi-VDOM:
config global
config certificate local
edit [certificate name]
set certificate <- Insert a quotation mark ("), then press Enter and paste the certificate content. Insert another quotation mark (") and press Enter.
end
Standalone VDOM:
config vpn certificate local
edit [certificate name]
set certificate <- Insert a quotation mark ("), then press Enter and paste the certificate content. Insert another quotation mark (") and press Enter.
end
For example:
Multi-VDOM:
config global
config certificate local
edit server <- A previous certificate which is about to or has expired.
set certificate "
> -----BEGIN CERTIFICATE-----
> mPjDQDYkYHKcTrGa6aH7e1w1uM7kdaBAjyAgM7xcmuTrsCeLYfd+BwIDAQABo4ID
> TDCCA0gwPQYJKwYBBAGCNxUHBDAwLgYmKwYBBAGCNxUIorRWhO7dYIKtkziB9KY0
> -----END CERTIFICATE-----"
end
Standalone VDOM:
config vpn certificate local
edit server (previous certificate which is about to or has expired)
set certificate "
> -----BEGIN CERTIFICATE-----
> mPjDQDYkYHKcTrGa6aH7e1w1uM7kdaBAjyAgM7xcmuTrsCeLYfd+BwIDAQABo4ID
> TDCCA0gwPQYJKwYBBAGCNxUHBDAwLgYmKwYBBAGCNxUIorRWhO7dYIKtkziB9KY0
> -----END CERTIFICATE-----"
end
- To make the renewed certificate effective, unset and set the certificate:
- For an Admin HTTPS server certificate:
config system global
unset admin-server-cert
end
config sys global
set admin-server-cert [name] <- Select the certificated used for admin HTTPS access.
end
- For certificates used for SSL VPN:
config vpn ssl setting
unset servercert
end
config vpn ssl setting
set servercert [certificate name] <-Select the certificated used for SSLVPN access.
end
Verify the renewed certificate: