Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
duenlim
Staff
Staff

Created on ‎10-04-2024 01:43 AM Edited on ‎10-04-2024 01:45 AM By Moderator

Article Id 347078

Technical Tip: Create wildcard certificate on multiple FortiGate HTTPS WebUI and sign with Microsoft CA server

Description This article describes installing a wildcard certificate to multiple FortiGate devices in the same domain name for HTTPS WebUI access.
Scope FortiGate v7.0x and v7.2.x.
Solution
  1. Generate wildcard CSR:
  • Create a new CSR, navigate to System -> Certificates, and select 'Generate'.
  • To create a new CSR for a wildcard certificate, select the Domain Name option and enter the wildcard domain name,for example, *.mk.com.
  • In the Subject Alternative Name enter the wildcard domain name, for example. *.mk.com, and select 'OK'.

 

Note:

Ensure to set a password in the password field as it will be exported to other FortiGates devices once the certificate is successfully done.

 

Create_CSR.png

 

  1. Download the CSR (LimWild.csr) and submit it to the Microsoft CA for signing.

     

    1. Go to 'The Microsoft Enterprise Certification Authority server on link 'http://X.X.X.X/certsrv/' or 'https://X.X.X.X/certsrv/ and sign in with the administrative account.

       

    2. Select 'Request a Certificate' and select 'Advanced certificate request'.

       

      CA_Request_a_certificate.png

       

    3. Open CSR request 'LimWild.csr' with Notepad, select all the text and paste it to MS CA in the 'Saved Request:' field. The copied text must include the header and footer line. Select 'Subordinate Certification Authority' in the 'Certificate Template:' field and select 'Submit'.

      CA_Subordinate.png

       

    4. Select 'Base64 encoded' and select the 'Download certificate'.

       

  1. Now the certificates are issued, import to FortiGate, and navigate to System -> Certificates. Select 'Import' and select 'Local Certificate'.

     

    1. Upload the certificate file signed by MS CA under System -> Certificates -> Import Certificate and under 'Type', select 'Local Certificate' and select 'OK'.

       

    2. To confirm the wildcard certificate has been imported and installed successfully, it can be viewed as the following:
                                            

      Imported.png                                     

  1. To apply the wildcard certificate to other FortiGate devices in the same domain name:

     

    1. The wildcard certificate can be seen in the following CLI commands:

      (global) # exec vpn certificate local export tftp
      <string> local certificate name
      Fortinet_CA_SSL
      Fortinet_CA_Untrusted
      Fortinet_Factory
      Fortinet_Factory_Backup
      Fortinet_GUI_Server
      Fortinet_SSL
      Fortinet_SSL_DSA1024
      Fortinet_SSL_DSA2048
      Fortinet_SSL_ECDSA256
      Fortinet_SSL_ECDSA384
      Fortinet_SSL_ECDSA521
      Fortinet_SSL_ED448
      Fortinet_SSL_ED25519
      Fortinet_SSL_RSA1024
      Fortinet_SSL_RSA2048
      Fortinet_SSL_RSA4096
      Fortinet_Wifi
      LimWild

       

       

    2. Download and install the TFTP server on the computer to prepare for certificate export. http://tftpd32.jounin.net/tftpd32.html.

      (global) # exec vpn certificate local export tftp LimWild p12 LimWild.p12 10.176.1.12

       

       

    3. The LimWild.p12 is exported to the computer LimWild.p12.

      Tftp_exported.png                                                                    

       

    4. Access to other FortiGate devices WebUI, by going to System -> Certificates -> select Certificate -> Import Certificate -> Import Certificate -> PKCS#12 Certificate -> Upload the LimWild.p12 with password and select 'Create'.
      Note: The password refers to point 1.
                                                                        

      ImportedToOtherSuccess.png                                                                    

       

    5. There is no error prompted 'Your connection isn't private' when accessing other FortiGate devices.

                                                               

ImportedToOtherSuccessOnBroswer.png

 

Note: Make sure the FortiGate devices are the same version.
1376
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.