FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 208899
Description This article describes how to sign and generate certificates using OpenSSL in Windows OS that can be used for SSLVPN and IPSec VPN configuration.
Scope FortiGate.

1). Create a CA with OpenSSL.

# req -new -x509 -days 3650 -keyout caprivatekey.pem -out cacertificate.pem

NOTE: cacertificate.pem is the public key and should be imported into the FortiGate.


2). Generate a Certificate Request on the FortiGate and download it.


3). Sign the FortiGate certificate.

# x509 -req -in VPNSSL.csr -CA cacertificate.pem -CAkey caprivatekey.pem -CAcreateserial -out VPNSSL.cer -days 3650 -sha256


4). Import the signed certificate (VPNSSL.cer) into the FortiGate as 'local certificate'. This can now be used in IPSec or SSLVPN configuration as a server certificate.


Note: The certificates and private keys that were signed and generated should be located in the 'bin' folder of OpenSSL(i.e. C:\Program Files\OpenSSL-Win64\bin).


5). Create user certificate.

# req -new -nodes -out usercert.csr -keyout usercert.key

# x509 -req -in usercert.csr -CA cacertificate.pem -CAkey caprivatekey.pem -CAcreateserial -out usercert.cer -days 3650 -sha256

# pkcs12 -export -out usercert.pfx -inkey usercert.key -in usercert.cer


6). Upload cacertificate.pem to FortiGate as CA certificate. Bind this CA_Cert_X to the PKI users.


7). Import the usercert.pfx certificate into the Personal Section on the Certificates management console.