Description
This article describes how to replace the default SSL VPN certificate of a FortiGate with a FortiAuthenticator generated certificate.
Scope
FortiGate, FortiAuthenticator.
Solution
Each FortiGate appliance comes with a default self-signed certificate bundle which is used for SSL VPN and management access.
The FortiAuthenticator can act as a certificate authority (CA) for the creation and signing of X.509 certificates, such as server certificates for HTTPS and client certificates for HTTPS, SSL, and IPsec VPN.
Use an intermediate CA certificate and a Root CA certificate generated by the FortiAuthenticator, which acts as the Certificate Authority: the intermediate certificate (with its private key) becomes the SSL VPN server certificate and the Root CA certificate is imported so the FortiGate can present the full chain.
1. Creating a new CA on the FortiAuthenticator.
On the FortiAuthenticator, go to Certificate Management -> Certificate Authorities -> Local CAs and create a new CA.
Enter a CN and Certificate ID, select 'Root CA certificate' as the certificate type, and configure the key options as shown in the example.
Next, create the intermediate CA: on the FortiAuthenticator, go to Certificate Management -> Certificate Authorities -> Local CAs, create a new CA, set the certificate type to 'intermediate certificate', and under 'Certificate authority' select the Root CA created above as the signing CA.
Enter a Certificate Name and Certificate ID, and configure the key options as shown in the example.

On the FortiAuthenticator, go to Certificate Management -> Certificate Authorities -> Local CAs, select 'Root CA' certificate, then 'Export Certificate'.

On the FortiAuthenticator, go to Certificate Management -> Certificate Authorities -> Local CAs, select the 'Intermediate CA' certificate, then select 'Export key and Certificate'.



Importing the Intermediate CA certificate:
On the FortiGate, go to System -> Certificates, select 'Local Certificate' from the Import drop-down menu and select 'PKCS#12 Certificate' under Type, then upload the intermediate certificate exported from the FortiAuthenticator.

On the FortiGate, go to System -> Certificates, select 'CA Certificate' from the Import drop-down menu, and select 'File' as the Type. Then upload the Root CA certificate exported from the FortiAuthenticator.

On the FortiGate, go to VPN -> SSL-VPN Settings -> Server Certificate and select the imported intermediate certificate.


The certificate selected above is signed by a local CA, not by a well-known public Certificate Authority.
As a result, certificate warnings on the SSL VPN portal page are expected behavior.
To prevent users from receiving a security certificate warning, import the local Root CA certificate under Trusted Root Certificate Authorities in the browser's certificate store on each client machine, and make sure the hostname in the certificate resolves to the FortiGate SSL VPN IP address.
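As an added example, not part of this article or of Fortinet's tooling, the following POSIX shell script uses the openssl CLI to check an export before it is imported on the FortiGate: that the intermediate certificate chains to the Root CA, that the PKCS#12 bundle from 'Export key and Certificate' actually carries the private key, and what subject name the clients will see. The FortiAuthenticator export is stood in for by constructed certificates, and all file names and the password 'demo' are assumptions.

```shell
#!/bin/sh
# Added example, not from the Fortinet article: sanity-check a FortiAuthenticator
# export before importing it on the FortiGate. Requires the openssl CLI.

# verify_chain ROOT_PEM INTER_PEM: succeeds only if INTER_PEM is signed by ROOT_PEM,
# i.e. the pair forms a valid chain once both are imported on the FortiGate.
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# p12_has_key P12_FILE PASSWORD: succeeds if the PKCS#12 bundle ('Export key and
# Certificate') really carries the private key the FortiGate needs to serve TLS.
p12_has_key() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
        | grep -q 'PRIVATE KEY'
}

# cert_subject PEM: prints the subject so the CN can be compared with the hostname
# users enter for the SSL VPN portal (it must resolve to the SSL VPN IP address).
cert_subject() {
    openssl x509 -in "$1" -noout -subject
}

# make_demo_pki DIR: constructed stand-in for the FortiAuthenticator export
# (a Root CA plus an intermediate CA signed by it); file names are assumptions.
make_demo_pki() {
    dir=$1
    mkdir -p "$dir"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$dir/ca.cnf"
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/root.key" \
        -out "$dir/root.csr" -subj "/CN=Demo Root CA" 2>/dev/null
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" \
        -out "$dir/root.pem" -days 30 -extfile "$dir/ca.cnf" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/inter.key" \
        -out "$dir/inter.csr" -subj "/CN=sslvpn.example.test" 2>/dev/null
    openssl x509 -req -in "$dir/inter.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -out "$dir/inter.pem" -days 30 -extfile "$dir/ca.cnf" 2>/dev/null
    openssl pkcs12 -export -inkey "$dir/inter.key" -in "$dir/inter.pem" \
        -out "$dir/inter.p12" -passout pass:demo 2>/dev/null
}

# Stand-alone run (sh script.sh --demo): build the demo PKI and report the checks.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_demo_pki "$d"
    verify_chain "$d/root.pem" "$d/inter.pem" && echo "chain: OK"
    p12_has_key "$d/inter.p12" demo && echo "p12 key: OK"
    cert_subject "$d/inter.pem"
    rm -rf "$d"
fi
```

Against a real export, run verify_chain on the two downloaded PEM files and p12_has_key on the PKCS#12 file with the export password; a failing chain check means the wrong Root CA was downloaded or the intermediate was signed by a different CA.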
Related document:
Importing the certificate into web browsers - FortiGate cookbook.