Skip to main content
canoas
canoas
Visitor III
April 27, 2025
Solved

SANS Certificate installation for HTTPS admin Certificate

  • April 27, 2025
  • 3 replies
  • 1107 views

I generated a CSR on one of my Fortigate firewalls that contained over 10 SAN's entries, the certificate was signed by my internal company CA, I then imported the PEM into the Fortigate firewall successfully to use for HTTPS access, then by mistake I deleted the Certificate off the firewall instead of downloading the cert!

 

My signed PEM file doesn't have a private key, I have a PCKS#7 cert, der and cer from my PKI team. But I do not have the private key anymore is my guess after deleting my imported signed Cert on the Fortigate.

 

On another SAN Firewall where I need to install I import any of these signed cert formats, error is "duplicate mismatch" I gather because the signed cert doesn't have the private key and I should be downloading the imported cert from the Fortigate that imported the signed cert where the CSR was generated to the other Firewalls!

 

Any there any way I can install these signed certs on my SANs Firewalls or do I need to generate another CSR again?

 

Is there anyway I can install these certs on the SAN entries, I even imported the CA Bundle with root/intermediate successfully to my other Fortiagtes , but same error when imported my signed PEM, CER or DER

Best answer by canoas

Solved, I didn't have a SAN entry for the CN in the Cert

3 replies

ametkola
Staff
ametkola
Staff
April 28, 2025

Hello @canoas ,

 

Once you create the CSR the public +private key are by default save in the hardware of the device.You can export the private key if you have created a password , if there was no password then firewall will encrypt the private key with a random password.

In order to get again the same certificate you can restore a backup of configuration file if you have it when the certificate was present otherwise you will not be able to get it.

 

Regards,

 

 

    canoas
    canoasAuthor
    Visitor III
    April 28, 2025

    Hi ametkola, 

     

    A used FortiMrg and went back to about 5 versions, compared differences and found the Certificate that was signed, which included the private key, I then separated the private key  System/Settings/Certificates/Import Certificate/Certificate/uploaded private key and certificate, applied password and this imported the Cert successfully. So I must say thank you to FortiManager!

     

    I have noticed now after I applied the same Certificate to all SANs Fortigate successfully, for some reason the SAN's Firewalls all show in the correct valid Certificate, however for some strange reason the Common Name https//:hostname (CN) of the main Certificate shows invalid even though the Certificate is a valid-signed Certificate, it's like it will accept all the SAN entries but not the CN. Yet to get to the bottom of these issues, I imported all root/intermediate into my browser, cleared cache, clear SSL content, still unresolved.

    canoas
    canoasAuthorAnswer
    Visitor III
    April 30, 2025

    Solved, I didn't have a SAN entry for the CN in the Cert

    Terms & ConditionsAccessibility statement