Replacing Default Certificate

I was able to get this to work using an AD Certificate. I used the premise of this article here, but of course, it is a little different for the Fortigate 

Steps in General:

1.)    On Fortigate, go to System, Certificates. Check that there is a valid CA Cert for the CA Authority listed under Remote CA Certificates. If not, you need export the CA from the AD CA, and then import it. To export, right click on the CA, and select Properties, then View certificate.  Select View Certificate, Details, and then save to file. Go to the Fortigate and select Import, CA Certificate. You should then see it under Remote CA Certificates.

2.)    Generate a CSR for the Fortigate – hit Generate, and complete the fields using IP as the subject identifier. Under Subject Alternative Name enter IP:x.x.x.x – complete the rest of the fields. You should now see an entry for that IP under Local Certificates. Click the option to download. For a private key, make sure you enter a long passphrase and save it somewhere secure.

3.)    On the server hosing the Certificate Authority, make sure what web enrollment is installed and running.  Go to a server other than the one hosting the CA Authority and go to - enter credentials if prompted. (If you have issues here, you may want to check the settings under IIS for CertSrv Authentication) I had to temporarily enable NTLM and disable Advanced Settings, Extended Protection)

5.)    Click Request a Certificate, and then Submit an Advanced Certificate Request. Select “Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.” Open the CSR file you downloaded from the Fortigate with Notepad and copy and paste into the request field. For a template, select Web Server. Hit submit, then download in Base64.

6.)    On Fortigate, go to System, Certificates. Select Import, Local Certificate, Upload. You should now see the certificate completed under Local Certificate.

7.)    Navigate to Settings, and under Administration Settings, change HTTPS Server Certificate to the certificate you just uploaded. Close the browser and open it back up. If all works, you should no longer get a certificate warning.

NOTE: During this process I found my CA was still issuing SHA1 certificates. In order to get any browser to see my AD certificate as valid, I had to upgrade my CA to use SHA256. So if you go through these steps and it stills says invalid cert, you may want to just check you hash algorithm.