Technical Tip: Exporting or importing a local server certificate as a password protected PKCS#12 file from / to a FortiGate
Description
This article describes how to export and import a password-protected PKCS#12 server (local) certificate on a FortiGate.
Solution
Starting with FortiOS 5.4, for backup and restore purposes, a server (local) certificate together with its private key can be exported to, or imported from, a TFTP server as a password-protected PKCS#12 file (an encrypted binary format).
Note that the PKCS#12 export/import cannot be done from the GUI; it is only available from the CLI, using the following commands.
Assuming 'FNETLAB' is the certificate name, 'FNETLAB.p12' the file name and 10.219.5.237 the TFTP server IP address, the CLI commands to export and import the certificate are:
execute vpn certificate local export tftp FNETLAB p12 FNETLAB.p12 10.219.5.237
execute vpn certificate local import tftp FNETLAB.p12 10.219.5.237 p12 mypassword
Note: editing the PKCS#12 file, or importing it into another FortiGate unit afterwards, requires knowing the password that protected the certificate's private key at the time of the export (set in step 2 below).
Detailed procedure:
1) Generate a Certificate Signing Request called 'FNETLAB', either from the GUI (Generate > CSR) or from the CLI with the command below:
execute vpn certificate local generate rsa FNETLAB 2048 fnet.lab.com
Once the process is finished, the 'FNETLAB' CSR is displayed in the GUI with the following status:
Global certificate Signing State: Pending

2) Set a password on the 'FNETLAB' entry (this protects its private key and can only be done from the CLI); the same password is later required to open the exported PKCS#12 file:
config vpn certificate local
    edit FNETLAB
        set password mypassword
    end

3) Export the CSR using the GUI.

4) Import the CSR into a PKI and sign it.
5) Once signed, export the signed certificate in PEM format (fnet.lab.com.crt) from the PKI.
6) Import the signed certificate (fnet.lab.com.crt) back into the FortiGate.

7) Export the 'FNETLAB' certificate as a PKCS#12 file with the following CLI command:
execute vpn certificate local export tftp FNETLAB p12 FNETLAB.p12 10.219.5.237

8) Using the exported FNETLAB.p12 file prompts for a password. For example, on Microsoft Windows, double-clicking the exported FNETLAB.p12 file launches the Certificate Import Wizard, which asks for the private key password (mypassword in this case).

A password (mypassword) for the private key is required to open the PKCS#12 certificate.

9) The password is also required when the PKCS#12 file is inspected or edited with OpenSSL, as follows:
C:\OpenSSL\bin>openssl pkcs12 -info -in ../mmwrk/FNETLAB.p12
Enter Import Password: <-- enter mypassword
MAC Iteration 1
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Certificate bag
Bag Attributes
friendlyName: FNETLAB
localKeyID: CC DA 03 36 C4 FE C3 7D 3F 2E D1 8A F3 B1 A2 F2 8B 02 29 BA
subject=/CN=fnet.lab.com
issuer=/C=FR/ST=AM/L=Valbonne/O=FNET/OU=L3/CN=FNET-LAB/emailAddress=mm@fnet.com
-----BEGIN CERTIFICATE-----
MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQI4EmZ4UrIx0ECAggA
MBQGCCqGSIb3DQMHBAi/MlcxSQoYrgSCBMg8f9vvhII6DlTp1r6mLRYcvqBzA9WA
/DW7I9Z1gD9efS2WOSzhn9g5jrdWek8Bfa143n8FbChwLsQiow8qDB1mlmLzVWV1
Etc.
10) Similarly, the password is required when importing the FNETLAB.p12 file into another FortiGate:
execute vpn certificate local import tftp FNETLAB.p12 192.xxx.xxx.xxx p12 mypassword
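The procedure above ends with a .p12 file that can only be opened with the password set in step 2. The following POSIX shell script, added here as an example and not part of the Fortinet article, shows how to check such a file with the OpenSSL command line before importing it into a second FortiGate: it confirms that the password opens the bundle (the MAC verifies and the bags decrypt) and that the private key inside actually belongs to the certificate inside. Since no FortiGate export is available offline, it builds a throwaway self-signed certificate for fnet.lab.com and packages it as FNETLAB.p12 with the password mypassword; the certificate name, subject and password reuse the article's values, and the helper names verify_p12, make_sample_p12 and demo are the example's own.

```shell
#!/bin/sh
# Added example, not from the Fortinet article: sanity-check a password-
# protected PKCS#12 file with the openssl CLI before importing it into a
# second FortiGate. Assumes openssl (1.1.1 or 3.x) is on PATH.

# verify_p12 <file.p12> <password>
# Returns 0 when the password opens the bundle (the MAC verifies and the bags
# decrypt) and the private key inside belongs to the certificate inside.
verify_p12() {
    p12="$1"; pass="$2"
    tmp=$(mktemp -d) || return 1
    # A wrong password fails here ("mac verify failure" on stderr).
    if ! openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys -clcerts \
            -out "$tmp/cert.pem" 2>/dev/null; then
        rm -rf "$tmp"; return 1
    fi
    # Pull the private key out unencrypted (-nodes) into the temp dir only.
    if ! openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes \
            -out "$tmp/key.pem" 2>/dev/null; then
        rm -rf "$tmp"; return 1
    fi
    # Compare SHA-256 fingerprints of both public keys (DER SubjectPublicKeyInfo):
    # the key in the bundle must be the one the certificate was issued for.
    certfp=$(openssl x509 -in "$tmp/cert.pem" -pubkey -noout \
             | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    keyfp=$(openssl pkey -in "$tmp/key.pem" -pubout -outform DER | openssl dgst -sha256)
    rm -rf "$tmp"
    [ -n "$certfp" ] && [ "$certfp" = "$keyfp" ]
}

# make_sample_p12 <dir> <password>
# Constructed test material: a throwaway self-signed certificate for
# fnet.lab.com packaged as <dir>/FNETLAB.p12 with friendlyName FNETLAB,
# standing in for the file a FortiGate would export.
make_sample_p12() {
    dir="$1"; pass="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=fnet.lab.com" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null || return 1
    openssl pkcs12 -export -name FNETLAB -inkey "$dir/key.pem" -in "$dir/cert.pem" \
        -passout "pass:$pass" -out "$dir/FNETLAB.p12" 2>/dev/null
}

# demo: build the sample bundle with the password mypassword, then show that
# the right password verifies and a wrong one is refused. Returns 0 on that outcome.
demo() {
    work=$(mktemp -d) || return 1
    make_sample_p12 "$work" mypassword || { rm -rf "$work"; return 1; }
    if verify_p12 "$work/FNETLAB.p12" mypassword; then good=yes; else good=no; fi
    if verify_p12 "$work/FNETLAB.p12" wrongpassword; then bad=yes; else bad=no; fi
    rm -rf "$work"
    echo "correct password accepted: $good, wrong password accepted: $bad"
    [ "$good" = yes ] && [ "$bad" = no ]
}

demo
```

Run it as `sh check_p12.sh`; to check a real export, call `verify_p12 FNETLAB.p12 mypassword` instead of `demo`. The private key only ever lands unencrypted in a temporary directory that is removed before the function returns. One caveat for OpenSSL 3.x: the FortiOS output in step 9 shows pbeWithSHA1And3-KeyTripleDES-CBC, which the default provider still reads, but a bundle whose certificate bag uses the older RC2-40 algorithm needs `openssl pkcs12 -legacy`. `openssl pkcs12 -info -noout -passin pass:mypassword -in FNETLAB.p12` prints the algorithms in use, as in step 9.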
