martyyy
Explorer III
August 28, 2024
Question

Export CA Root Certificate with private key

  • August 28, 2024
  • 2 replies
  • 2927 views

FG 400F - FortiOS 7.2.8

I'm trying to export the root certificate with password and private key. I tried exporting using TFTP; however, I can't export the built-in certificate off the FortiGate: "built-in certificate 'fortinet_ca_ssl' is not allowed to export".


KBs that I've run through:

Export a certificate | FortiGate / FortiOS 7.2.8 | Fortinet Document Library

Procedure for exporting and re-importing ... - Fortinet Community

Exporting or importing a local server cer... - Fortinet Community


- How can I export the cert in p12/pem format so I can extract the private key and password?
- How can I decrypt the private key and password?


Appreciate your feedback. TIA :)

2 replies

mriswan
Staff
August 28, 2024

Good day!
Could you explain why exactly you are exporting 'fortinet_ca_ssl' from the firewall? I don't think we can export a built-in CA certificate with its keys.

martyyy (Author)
Explorer III
August 28, 2024

Hi @mriswan The reason is that I would like to integrate it with our RADIUS ClearPass Policy Manager server for authentication purposes. It requires the private key and password to import. We don't have the password stored, and the FortiGate shows the private key and password, but they're encrypted.

abelio
SuperUser
August 28, 2024

Hello @martyyy
You can't obtain the private key from a certificate not signed by an external CA. That's the idea indeed; it's private.

What is the requirement you're trying to fulfil?


martyyy (Author)
Explorer III
August 28, 2024

Hi @abelio The reason is that I would like to integrate it with our RADIUS ClearPass Policy Manager server for authentication purposes. It requires the private key and password to import. We don't have the password stored, and the FortiGate shows the private key and password, but they're encrypted.

Toshi_Esumi
SuperUser
August 28, 2024

If it's for client auth for SSL-VPN or Wi-Fi access authenticated by your RADIUS server with device certificates over something like 802.1X EAP-TLS, you can't use any of the FGT's certificates. Generally it has to be generated on the RADIUS/server side, or more likely generated by a PKI management system integrated with the RADIUS, which sets the trust at the RADIUS as well as delivering/pushing/installing the device certificates to each individual client device. The FGT would just relay the cert the clients provide to the RADIUS server.

Toshi
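The points raised across the thread (the original question about exporting to p12/pem and "decrypting" the key with a password, abelio's point that a bare certificate contains no private key, and Toshi_Esumi's description of a PKI issuing the client certs that the RADIUS server trusts) can be reproduced with plain openssl. The script below is an added example and is not code from the thread, from Fortinet or from ClearPass: it builds its own lab CA in place of the FortiGate's built-in 'fortinet_ca_ssl' (whose key the firewall refuses to export), packages the key and certificate into a password-protected PKCS#12, recovers the PEM key and certificate from it, shows that the certificate file alone yields no private key, and issues a client certificate that validates against nothing more than the CA certificate. It assumes an openssl 1.1 or 3.x binary in PATH; every file name, subject name and the password "export-pass" are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the forum thread or from Fortinet/ClearPass.
# Assumes openssl 1.1+/3.x in PATH. File names, subjects and the password
# below are constructed for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"
P12_PASS="export-pass"   # the "export password" a .p12 import prompts for

# 1. Lab root CA: private key + self-signed certificate. This stands in for
#    the FortiGate's built-in CA, whose key cannot be exported.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Lab Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  [ -s "$WORK/ca.key" ] && [ -s "$WORK/ca.crt" ]
}

# 2. Bundle key + cert into a password-protected PKCS#12 (.p12 / .pfx),
#    the form a RADIUS server import usually asks for.
bundle_p12() {
  openssl pkcs12 -export -name "lab-root-ca" \
    -inkey "$WORK/ca.key" -in "$WORK/ca.crt" \
    -out "$WORK/ca.p12" -passout "pass:$P12_PASS" 2>/dev/null
  [ -s "$WORK/ca.p12" ]
}

# 3. Unlock the bundle with the password and get the PEM key + cert back.
#    Succeeds only if the recovered key matches the certificate's public key.
extract_from_p12() {
  openssl pkcs12 -in "$WORK/ca.p12" -passin "pass:$P12_PASS" \
    -nocerts -nodes -out "$WORK/extracted.key" 2>/dev/null
  openssl pkcs12 -in "$WORK/ca.p12" -passin "pass:$P12_PASS" \
    -clcerts -nokeys -out "$WORK/extracted.crt" 2>/dev/null
  k=$(openssl pkey -in "$WORK/extracted.key" -pubout -outform DER | openssl dgst -sha256)
  c=$(openssl x509 -in "$WORK/extracted.crt" -pubkey -noout \
        | openssl pkey -pubin -pubout -outform DER | openssl dgst -sha256)
  [ "$k" = "$c" ]
}

# Without the right password the bundle stays sealed (returns 0 = rejected).
wrong_password_rejected() {
  ! openssl pkcs12 -in "$WORK/ca.p12" -passin "pass:not-the-password" \
      -nocerts -nodes -out /dev/null 2>/dev/null
}

# 4. A certificate file carries only the public key: returns 0 if a PEM
#    private key block is present in the file, 1 otherwise.
file_has_private_key() {
  grep -q "PRIVATE KEY" "$1"
}

# 5. EAP-TLS style trust: the CA (not the firewall) issues the device cert,
#    and the RADIUS side trusts it by holding only ca.crt.
issue_client_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=laptop-01" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 -out "$WORK/client.crt" 2>/dev/null
  [ -s "$WORK/client.crt" ]
}

radius_trusts_client() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/client.crt" >/dev/null 2>&1
}

# Usage when run directly.
make_ca && bundle_p12 && extract_from_p12 && issue_client_cert && radius_trusts_client \
  && echo "lab CA, .p12 and client cert created under $WORK"
```

The .p12 password only protects the bundle in transit; once the server has it, the key is in the clear on that host, so a CA key should be generated on, and never leave, the system that is meant to hold it. That is also why a key that was never exportable from the firewall cannot be reconstructed from the certificate the firewall does let you download.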