jimmy10
Explorer
May 2, 2024
Solved

2 separate SSLVPNs with 2 separate SSL certificates

  • May 2, 2024
  • 4 replies
  • 3217 views

Hi,


I am trying to figure out if I can setup 2 separate SSLVPNs with 2 separate SSL certificates, but I am getting nowhere.

Is this possible?

Best answer by ebilcari (the reply marked Answer below)

4 replies

funkylicious
SuperUser
May 2, 2024

Hi,

As far as I know, you cannot define 2 different certificates under the SSLVPN settings.

What you can do is define 2 SANs within the certificate, resolving to the same IP address of the FGT listening on SSLVPN.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-HTTPS-SSL-Certificate-Installation-PFX/ta-p/248447

"jack of all trades, master of none"
ebilcari
Staff
May 2, 2024

Are you trying to configure two completely different SSL VPNs using two different public IPs and domains (URLs), or do you just need two URLs and certificates pointing to the same SSL VPN IP/interface?

Emirjon
jimmy10 (Author)
Explorer
May 2, 2024

Hi ebilcari,

I just need two URLs and certificates pointing to the same SSL VPN IP/interface.

ebilcari (Answer)
Staff
May 2, 2024

Then the only possible way, as also suggested previously, is to use a single certificate with multiple SANs. This can be easily done with a private CA, but for publicly signed certificates it may be difficult to get.

[screenshot: SANs.PNG]

In case you need separate SSL VPN configurations, you could also use VDOMs. They allow individual SSL VPN configurations for each VDOM in the FGT.

Emirjon
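The accepted answer above recommends one certificate carrying both SSL VPN hostnames as SANs, issued by a private CA. The script below is an added example and is not part of the thread or of any Fortinet documentation: it builds a throwaway private CA with openssl, requests and signs a certificate for two VPN names, and then checks that the signed certificate still chains to the CA and still lists every requested name, which is the step that usually goes wrong, because the signer silently drops the SAN extension requested in the CSR unless told to add it. The hostnames vpn1.example.com and vpn2.example.com, the CA name and the temporary directory are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): issue one certificate carrying both
# SSL VPN hostnames as SANs from a throwaway private CA, then check the result.
# The hostnames, the CA name and the working directory are assumptions.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
NAMES="vpn1.example.com vpn2.example.com"          # both SSL VPN URLs

# One openssl config: v3_ca for the private root, v3_req for the server cert.
# Putting the SAN list in a config section also works on openssl releases
# that predate "req -addext".
SAN_LIST="$(printf 'DNS:%s,' $NAMES | sed 's/,$//')"
cat > "$WORK/ssl.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[dn]
CN = vpn1.example.com
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_req]
subjectAltName = $SAN_LIST
extendedKeyUsage = serverAuth
keyUsage = critical, digitalSignature, keyEncipherment
EOF

# 1. Private root CA (self-signed).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -config "$WORK/ssl.cnf" -extensions v3_ca -subj "/CN=Example Private CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# 2. SSL VPN key and CSR; the CSR asks for the SAN extension.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -config "$WORK/ssl.cnf" -keyout "$WORK/vpn.key" -out "$WORK/vpn.csr" 2>/dev/null

# 3. Sign with the CA. "x509 -req" does not copy extensions from the CSR, so
# -extfile/-extensions repeat them explicitly; forgetting this yields a
# CN-only certificate that modern clients reject for the second name.
openssl x509 -req -sha256 -days 825 -in "$WORK/vpn.csr" \
  -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
  -extfile "$WORK/ssl.cnf" -extensions v3_req -out "$WORK/vpn.crt" 2>/dev/null

# DNS names in a certificate's subjectAltName, one per line.
san_dns_names() {
  openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^,]*' | sed 's/^DNS://'
}

# Returns 0 only if the cert chains to the CA and lists every expected name.
check_vpn_cert() {  # usage: check_vpn_cert cert.pem ca.pem name...
  cert=$1; ca=$2; shift 2
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
  have="$(san_dns_names "$cert")"
  for n in "$@"; do
    printf '%s\n' "$have" | grep -qx "$n" || { echo "missing SAN: $n" >&2; return 1; }
  done
}

check_vpn_cert "$WORK/vpn.crt" "$WORK/ca.crt" $NAMES && echo "vpn.crt OK, SANs:"
san_dns_names "$WORK/vpn.crt"
```

Run check_vpn_cert against whatever the CA (private or public) hands back before importing it on the FortiGate; a certificate that passes this check covers both URLs on the one SSL VPN listener, which is what the thread is after.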
localhost
Visitor III
August 26, 2024

Since FortiGate 7.0.2, it is possible to assign different certificates to different realms.

The realm must be assigned in the authentication rules under the SSL VPN settings.

If virtual-host-server-cert is not defined in the realm configuration, the certificate which is configured under vpn ssl settings is used.

config vpn ssl web realm
    edit "saml"
        set virtual-host "vpn1.company1.com"
        set virtual-host-only enable
    next
    edit "saml2"
        set virtual-host "vpn2.company1.com"
        set virtual-host-only enable
        set virtual-host-server-cert "vpn2.company1.com_2024"
    next
end

config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "AT_USERS_SAML" "AU_USERS_SAML"
            set portal "SSL_INT_PORTAL"
            set realm "saml"
        next
        edit 2
            set groups "AT_USERS_SAML" "AU_USERS_SAML"
            set portal "SSL_INT_PORTAL"
            set realm "saml2"
        next
    end
end
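The reply above describes per-realm certificates chosen by the virtual host name the client sends, with the certificate under "config vpn ssl settings" used whenever the realm has no virtual-host-server-cert. The following is an added example, not from the thread and not Fortinet's own tooling: it emulates that selection on loopback with openssl s_server (a second certificate served only when the client's SNI matches, the default certificate otherwise) and shows the s_client check an administrator would point at the real gateway to confirm which certificate each URL presents, including the case of a client that sends no SNI at all, such as one connecting by IP address, which lands on the default certificate. The hostnames vpn1.company1.com and vpn2.company1.com, port 14443 and the temporary directory are assumptions; no FortiGate is involved.

```shell
#!/bin/sh
# Added example (not from the thread or Fortinet): emulate the realm /
# virtual-host certificate selection with openssl s_server on loopback and run
# the s_client check an admin would point at the real gateway.
# Hostnames, port and directory are assumptions; no FortiGate is involved.
set -eu

WORK="$(mktemp -d)"
PORT=14443                        # assumption: a free loopback port
DEFAULT_HOST=vpn1.company1.com    # realm "saml": no own cert, so it gets the
                                  # certificate under "config vpn ssl settings"
REALM_HOST=vpn2.company1.com      # realm "saml2": has virtual-host-server-cert

# Two throwaway self-signed certs standing in for the two FortiGate certificates.
for h in "$DEFAULT_HOST" "$REALM_HOST"; do
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -subj "/CN=$h" \
    -keyout "$WORK/$h.key" -out "$WORK/$h.crt" 2>/dev/null
done

# Listener: default cert, plus cert2 only for a ClientHello whose SNI is
# REALM_HOST. (-www makes s_server answer and close each connection itself.)
openssl s_server -accept "$PORT" -www \
  -cert "$WORK/$DEFAULT_HOST.crt" -key "$WORK/$DEFAULT_HOST.key" \
  -cert2 "$WORK/$REALM_HOST.crt" -key2 "$WORK/$REALM_HOST.key" \
  -servername "$REALM_HOST" >/dev/null 2>&1 &
SERVER_PID=$!
trap 'kill "$SERVER_PID" 2>/dev/null; rm -rf "$WORK"' EXIT

# CN of the certificate a TLS server presents for a given SNI (empty = no SNI).
# This is the check to run against the gateway after "config vpn ssl web realm".
served_cn() {  # usage: served_cn host port [sni]
  host=$1; port=$2; sni=${3:-}
  if [ -n "$sni" ]; then set -- -servername "$sni"; else set -- -noservername; fi
  openssl s_client -connect "$host:$port" "$@" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject 2>/dev/null \
    | sed 's/.*CN *= *//'
}

# Wait until the emulated listener accepts connections (at most a few seconds).
i=0
until [ -n "$(served_cn 127.0.0.1 "$PORT" "$DEFAULT_HOST")" ] || [ "$i" -ge 5 ]; do
  i=$((i + 1)); sleep 1
done

# Returns 0 only if each URL gets the expected certificate, including the
# fallback for a client that sends no SNI (for example one connecting by IP).
check_realm_certs() {  # usage: check_realm_certs host port
  [ "$(served_cn "$1" "$2" "$REALM_HOST")"   = "$REALM_HOST" ]   || return 1
  [ "$(served_cn "$1" "$2" "$DEFAULT_HOST")" = "$DEFAULT_HOST" ] || return 1
  [ "$(served_cn "$1" "$2")"                 = "$DEFAULT_HOST" ] || return 1
}

for sni in "$REALM_HOST" "$DEFAULT_HOST" ""; do
  printf 'SNI=%-20s -> cert CN=%s\n' "${sni:-<none>}" "$(served_cn 127.0.0.1 "$PORT" "$sni")"
done
check_realm_certs 127.0.0.1 "$PORT" && echo "realm certificate selection OK"
```

Against a real gateway, replace 127.0.0.1 and the port with the SSL VPN address and port and keep the three probes: the two realm names plus the no-SNI case. Because the realm lookup keys on the name the client sends, a user who types the IP address, or a client that omits SNI, is served the "config vpn ssl settings" certificate and will see a name mismatch unless that certificate also covers the address they used.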