export and import a certificate with no private key

Hello,

> my problem is that the certificate doesn't have a private key and if i download it via gui, once exported to the lab's fortigate it gives me an error (failed to import).

It is no longer possible to export private keys from the FortiGate for security reasons.
Therefore the recommendation is to create the private/public key pair outside of FortiGate and import it into the FortiGate afterwards.

You could however downgrade your device to 5.2x or below 5.4.8 and then follow the procedures mentioned in the listed KB articles to export the private part.

Regards

[deleted]

hm without a private key a certificate is rather useless hence you do need the private key to encrypt anything with it.

As you can no longer export private keys from a FortiGate you would have the generate the CSR outside it along with a key and either import the certficate bundle or certificate and key. I am not sure what the FGT actually supports here, didn't use it for quite a while now.

Then you have certificate and key(s) and can import them wherever you want to.

I just did this a few months back and followed the directions from this website to get the key from one of my FortiGates https://stuff.purdon.ca/?page_id=233

I generated a new CA cert on my main firewall (signed it as an Intermediate with my internal private root CA), exported the signed cert (like you normally would from the GUI) along with the key (using the above link via CLI), then imported both on my ISFW FortiGates so I could apply more local security profiles to traffic and they all use the same certificate, so only the one to deploy (some browsers fuss if the Intermediate certificate is not in their certificate store and not just the trusted root CA).